A3GT: An Adaptive Asynchronous Generalized Adversarial Training Method

Abstract

Adversarial attack methods can significantly improve the classification accuracy of deep learning models, but research has found that although most deep learning models with defense methods still show good classification accuracy in the face of various adversarial attack attacks, the improved robust models have a significantly lower classification accuracy when facing clean samples compared to themselves without using defense methods. This means that while improving the model’s adversarial robustness, it is necessary to find a defense method to balance the accuracy of clean samples (clean accuracy) and the accuracy of adversarial samples (robust accuracy). Therefore, in this work, we propose an Adaptive Asynchronous Generalized Adversarial Training (A3GT) method, which is an improvement over the existing Generalist method. It employs an adaptive update strategy without the need for extensive experiments to determine the optimal starting iteration for global updates. The experimental results show that compared with other advanced methods, A3GT can achieve a balance between clean sample classification accuracy and robust classification accuracy while improving the model’s adversarial robustness.

1. Introduction

Deep learning technology has achieved remarkable success in numerous fields, changing the traditional production and lifestyle of humans in various fields. These applications span computer vision [1,2], speech recognition [3,4], natural language processing [5,6], and autonomous driving [7,8,9]. However, with the discovery of adversarial examples [10], it has become evident that these imperceptible perturbations can cause catastrophic effects on the performance of deep learning models. In recent years, researchers have developed numerous methods for generating adversarial examples [11,12,13,14]. In practical applications of deep learning models, adversarial attacks can cause models to make high-confidence erroneous predictions, raising significant concerns about the security and reliability of deep learning systems.

Adversarial robustness refers to the ability of machine learning and deep learning models when subjected to adversarial attacks. These attacks involve applying small but meaningful perturbations to input data to mislead the model into making incorrect predictions. The goal of adversarial robustness is to ensure that models can maintain accurate outputs, even when the inputs are perturbed. Current methods to enhance adversarial robustness can be broadly categorized into model-based and data-based approaches. One of the most effective and straightforward defense methods during model training is adversarial training. This technique incorporates adversarial examples into the training process, making the model more robust against perturbations by learning from these perturbed samples. Adversarial training is widely regarded as one of the most effective and simple methods for improving model robustness [15].

Many works have already confirmed the effectiveness of adversarial training, and many deep learning models with defense mechanisms exhibit good classification accuracy when faced with various adversarial attacks. However, these models show a significant drop in accuracy when handling clean samples. This highlights the need for a method that not only enhances the overall robustness of the model, but also balances clean sample accuracy (clean accuracy) and adversarial sample accuracy (robust accuracy). To address this issue, Wang et al. proposed Generalist [16], which divides model training into two independent parts, training on natural/adversarial datasets separately, and periodically collecting parameters from both parts to form a global learner. However, this method requires extensive experimentation to determine the optimal starting iteration for global updates. To balance clean accuracy and robust accuracy while reducing the model’s reliance on fixed hyperparameters, we propose an Adaptive Asynchronous Generalized Adversarial Training (A3GT) method in this study. Experimental results show that, compared to several advanced methods, A3GT achieves a better balance between clean sample classification accuracy and robust classification accuracy, while eliminating the need for preset hyperparameters, significantly improving the model’s adversarial robustness.

2. Background

2.1. Adversarial Training

Adversarial training was first proposed in the literature by Madry et al. [17], who formulated the problem as a minimax optimization. The goal is to maximize the adversarial perturbation error while minimizing the distributional error with the original data distribution. The problem can be described by the following equation:

$$\underset{\theta }{min}{\mathbb{E}}_{(x,y)\sim \mathcal{D}}\left[\underset{\Delta x\in \Omega }{max}L(x+\Delta x,y;\mathit{\theta })\right],$$

(1)

Here, the outer minimization ${min}_{\theta }\mathbb{E}$ ensures that the model’s predictions with adversarial samples follow the original data distribution, while the inner maximization ${max}_{\Delta x\in \Omega }L(x+\Delta x,y;\mathit{\theta })$ maximizes the adversarial perturbation error within the perturbation set $\Omega$. Adversarial training updates model parameters using adversarial examples during the iterative training process. The process can be summarized as follows:

$$\left\{\begin{array}{c}{x}^{\prime (t+1)}={\Pi }_{\mathbb{B}(x,ϵ)}\left(x^{\prime \left(t\right)}+\alpha sign\left({\nabla }_{x^{\prime }}{\mathit{\ell }}_2\left(x^{\prime \left(t\right)},y;{\mathit{\theta }}^t\right)\right)\right),\hfill \\ {\mathit{\theta }}^{(t+1)}={\mathit{\theta }}^{\left(t\right)}-\tau {\nabla }_{\mathit{\theta }}\mathbb{E}[{\mathit{\ell }}_1(x,y;{\mathit{\theta }}^t)+\beta \mathcal{R}(x^{\prime },x,y;{\mathit{\theta }}^t)],\hfill \end{array}\right.$$

(2)

where $\alpha$ represents the step size, $\tau$ represents the learning rate, and $\mathcal{R}$ represents the loss function. ${\mathit{\ell }}_1$ and ${\mathit{\ell }}_2$ denote the objective functions for clean and adversarial samples, respectively. The hyperparameter $\beta$ balances clean accuracy and robust accuracy. Many defense methods are different in the value of $\beta$. For instance, when $\beta =1$, it represents Projection Gradient Descent (PGD) adversarial training [17]. When $\beta =0$, it represents normal training. When $\mathcal{R}$ is the KL divergence, it corresponds to the TRADES defense method [18].

Adversarial training aims to improve model robustness against adversarial attacks, but conventional adversarial training often comes at the cost of performance on clean, unperturbed samples. In practical applications, it is crucial to ensure that models not only maintain high classification accuracy under adversarial attacks, but also perform well under normal conditions. Achieving a balance between clean accuracy and robust accuracy involves careful tuning of the model’s structure, training strategies, and adversarial training parameters. Designing robust deep learning models requires considering performance across multiple tasks and environments, adapting to potential threats while maintaining effectiveness on clean data. This is a complex and significant research direction that involves a comprehensive understanding and optimization of model adversarial robustness.

Currently, mainstream approaches to this problem fall into two categories:

• Data-centric approaches: Methods like those used by Carmon et al. [19] and Najafi et al. [20] involve adding extra labeled and unlabeled data. Lee et al. [21] and Zhang et al. [22] focus on adjusting perturbation sizes to generate suitable adversarial samples for better model optimization.
• Model-centric approaches: Wang et al. [16] propose simultaneously updating model parameters through normal adversarial training and clean sample training to achieve a balance between robust accuracy and clean accuracy. However, experiments have shown that different data distributions require different synchronized parameters for model training, making fixed parameter methods less flexible.

Ensuring secure and reliable AI applications demands robust deep learning models capable of withstanding adversarial attacks. However, existing methods face limitations in adapting to different data distributions and model architectures with multi-task parameters. Multi-task learning in deep learning is crucial for handling various tasks and data distributions, allowing models to flexibly adapt to different environments and application scenarios. Yet, current robustness defense methods that balance natural and robust accuracy are constrained by static task weights, limiting their performance across different data distributions or model architectures.

In practical applications, the relationship between data distributions and tasks may evolve over time and environment. Therefore, enhancing a model’s adaptive capabilities to flexibly adjust its parameters according to new contexts and requirements is a pressing challenge that needs to be addressed.

2.2. Multi-Task Learning

Multi-task learning refers to training a model to learn multiple tasks simultaneously to improve its overall performance. In multi-task learning, the model is designed to handle and learn from multiple tasks at the same time, rather than training separate models for each task independently. The advantage of multi-task learning lies in its ability to enable the model to share knowledge across related tasks, thereby enhancing overall generalization performance. By training on multiple tasks, the model can learn more general and abstract feature representations, which helps improve its adaptability to new tasks.

Assume we have a set of data distributions $\mathcal{D}$ and loss functions ℓ, defined as $\mathcal{A}{=}^{\{\mathcal{D},\mathit{\ell }\}}$. The trained models are denoted as ${\left\{{\mathcal{M}}_a\right\}}_{a=1}^{\left|\mathcal{A}\right|}$, with parameters ${\mathit{\theta }}_{{\mathcal{M}}_a}$ learned through training. In multi-task learning, the optimal parameters for each task are obtained through the following formula:

$$\bigcup _{a=1}^{\left|\mathcal{A}\right|}{\mathit{\theta }}_{{\mathcal{M}}_a}^{★}=\underset{{\cup }_{a=1}^{\left|\mathcal{A}\right|}{\mathit{\theta }}_{{\mathcal{M}}_a}}{argmin}{\mathbb{E}}_{\mathcal{A}}{\mathbb{E}}_{\mathcal{D}}{\mathit{\ell }}_a\left({\mathcal{D}}_a;{\mathit{\theta }}_{{\mathcal{M}}_a}\right),$$

(3)

where ${\mathit{\ell }}_a\left({\mathcal{D}}_a;{\mathit{\theta }}_{{\mathcal{M}}_a}\right)$ represents the loss function of the model on the dataset ${\mathcal{D}}_a$. To enhance model robustness while maintaining classification accuracy on clean original samples, this study adopts a training approach similar to multi-task learning. Although A3GT may intuitively appear similar to multi-task learning, each task in multi-task learning is interconnected and influences one another, whereas in our approach, the two tasks are independent of each other.

3. Methods

This section provides a detailed introduction to the Adaptive Asynchronous Generalized Adversarial Training (A3GT), including its specific details and implementation process. The implementation process involves two basic learners and a global learner. Unlike Generalist [16], which determines the optimal starting iteration for global updates through experimentation, A3GT aims to find an adaptive update strategy. This adaptive strategy ensures that different model architectures and sample distributions can have their own tailored training approach. Moreover, the A3GT method maintains or even slightly improves the balance between adversarial robustness and classification accuracy on clean samples compared to existing methods.

3.1. A3GT Overview

Most deep learning models improve adversarial robustness through adversarial training, but their accuracy on clean samples significantly declines compared to before. To address this issue, existing methods include adding known labeled and unknown data from a data perspective. The A3GT method follows the overall training framework of Generalist, preserving the model’s ability to learn from clean samples. At the same time, we introduce an adaptive update strategy for the global learner to eliminate the method’s dependency on preset hyperparameters. The overall framework of the adaptive asynchronous generalized adversarial training designed in this paper is shown in Figure 1. The conventional adversarial training is modified into two parts. One part learns from the original clean sample images to update model parameters as the clean learner, while the other part learns from adversarial sample images to update parameters of the robust learner. Meanwhile, the second part of the learner also generates adversarial samples to be used in subsequent model training. These two learners will merge under certain conditions to form the initial global learner, which is the final deep learning model.

In this way, the model can maintain adversarial robustness while preserving its ability to learn from clean samples. However, a remaining challenge is determining the optimal timing for merging the two basic learners. Existing methods use fixed interaction iterations determined through experiments, which lack flexibility. The moment when the loss function stabilizes varies depending on different data distributions and model architectures. By assessing whether the two loss functions have stabilized, interactions and parameter transfers occur after both loss functions reach stability to obtain the global learner. It is important to note that after beginning to update the global learner, it is not updated through interactive learning in every iteration. Updating the global learner in every iteration would result in the basic learners not having enough experience, consuming a lot of time. On the other hand, if the update frequency is too slow, critical learning experiences might be missed. Therefore, determining a reasonable update frequency is crucial.

The formulas for generating the global learner from the clean learner, trained on original clean sample images, and the robust learner, trained on adversarial sample images, are as follows:

$${\mathit{\theta }}_g\leftarrow {\alpha }^{\prime }{\mathit{\theta }}_g+\left(1-{\alpha }^{\prime }\right)\left(\gamma {\mathit{\theta }}_r+(1-\gamma ){\mathit{\theta }}_n\right),$$

(4)

where ${\mathit{\theta }}_g$ represents the model parameters of the global learner. The parameter update mechanism in the global learner considers two main factors: the global model parameters from the previous stage and the parameters of the two independent basic learners. These two sets of parameters are combined through weighted synthesis for the update, with the constraint that their weights sum to 1. The coefficients ${\alpha }^{\prime }$ and $\gamma$ are the weighting factors.

3.2. Basic Learners

The A3GT method involves collaborative learning and updating by two basic task learners, referred to in this study as the clean learner and the robust learner. We will now formalize these two basic tasks.

Given a global dataset $\mathcal{D}$, the original clean sample dataset is ${\mathcal{D}}_1$, and the dataset after adversarial attack is ${\mathcal{D}}_2$, where ${\mathcal{D}}_1\cup {\mathcal{D}}_2\subseteq \mathcal{D}$. A clean sample image with label y is $x\in {\mathbb{R}}^{\mathfrak{m}}$, $(x,y)\sim {\mathcal{D}}_1$. The DNNs classification model trained on clean samples is denoted as $f_n\left(x\right):{\mathbb{R}}^m\to \{1,\dots ,k\}$. The objective is to achieve correct classification for clean samples using the loss function ${\mathit{\ell }}_n$, with the target function $f_n\left(x\right)=y$, indicating that the sample x is correctly classified as label y by the classification model $f_n\left(x\right)$. Therefore, the objective of sub-task one, the normal training of the clean learner, to find the optimal parameters of the classification model $f_n\left(x\right)$ is expressed as:

$${\mathit{\theta }}_n^{★}=\mathrm{argmin}{\mathbb{E}}_{{\mathcal{D}}_1}{\mathit{\ell }}_n({\mathcal{D}}_1;{\mathit{\theta }}_n),$$

(5)

where ${\mathit{\ell }}_n$ is the loss function used to measure the difference between predictions and true labels, and $\mathbb{E}$ represents the expectation operator.

Similarly, sub-task two involves training the model using the adversarial sample dataset ${\mathcal{D}}_2$. When clean samples are subjected to adversarial attacks, adversarial sample images $x^{\prime }$ are generated, represented as $(x^{\prime },y)\sim {\mathcal{D}}_2$. The goal of adversarial attacks is to find a suitable $x^{\prime }$ through the loss function ${\mathit{\ell }}_r$, achieving $f_r\left(x^{\prime }\right)!=y$ (non-targeted attack) or $f_r\left(x^{\prime }\right)=y_{adv}$ (targeted attack). Additionally, the perturbation size of $x^{\prime }$ is usually constrained by the $l_p$-norm ball, i.e., $\begin{array}{c}\hfill \left|\right|x^{\prime }-x{\left|\right|}_p\le ϵ\end{array}$. The optimal parameters of the robust learner’s classification model $f_r$, trained using adversarial samples, are expressed as:

$${\mathit{\theta }}_r^{★}=\mathrm{argmin}{\mathbb{E}}_{{\mathcal{D}}_2}{\mathit{\ell }}_r({\mathcal{D}}_2;{\mathit{\theta }}_r).$$

(6)

As previously mentioned, the two sub-tasks are independent of each other. They operate on their respective datasets, update their own basic learner parameters without interference. The global learner, by learning from the two basic learners, achieves the goal of adversarial training while maintaining the classification accuracy of the model when faced with clean original samples, balancing robust accuracy with clean accuracy.

3.3. Adaptive Global Learner

The two basic learners operate independently during their respective training phases. To combine their advantages, they must be integrated. Therefore, a global learner exists to synthesize the two basic learners under specific conditions. The following describes when the global learner integrates the two basic learners and how this integration is achieved.

In the initial stages of training a deep learning model, the two basic learners have limited learning experience. Since model parameters are randomly initialized, parameter updates can be quite volatile. Sharing parameters at this stage could lead to biased training parameters, because the basic learners do not yet have sufficient learning experience to support reasonable parameter initialization. To address this, we introduce a round size $t^{\prime }$, which indicates the synchronization of the global learner’s parameters starting from the $t^{\prime }$-th round after training begins. Initially, the two basic learners train independently until their respective loss functions, ${\mathit{\ell }}_n$ and ${\mathit{\ell }}_r$, stabilize at round $t^{\prime }$, determined as follows:

$$\left\{\begin{array}{c}{\mathit{t}}_n=\mathrm{argmin}g({\mathit{\ell }}_n\left({\mathcal{D}}_1\right),t_{num},l_h;{\mathit{\theta }}_n),\hfill \\ {\mathit{t}}_r=\mathrm{argmin}g({\mathit{\ell }}_r\left({\mathcal{D}}_2\right),t_{num},l_h;{\mathit{\theta }}_r),\hfill \\ {\mathit{t}}^{\prime }=max({\mathit{t}}_n,{\mathit{t}}_r),\hfill \end{array}\right.$$

(7)

where $g\{·\}$ is a function that determines whether the current loss function remains below the threshold $l_h$ for $t_{num}$ consecutive rounds, obtaining the round value when the loss function stabilizes. Once the loss functions of the two basic learners stabilize and meet the above conditions, the global learner’s parameters start to synchronize. This ensures that both basic learners have enough learning experience before parameter sharing, avoiding bias during parameter initialization. The largest round among the two sub-tasks is chosen to determine the starting round for updating the global learner, ensuring both basic learners have stabilized.

The specific update strategy for the global learner is shown in Equation (8). When the learning rounds of the basic learners $t<t^{\prime }$, the clean learner and the robust learner learn independently without interference. When the learning round $t=t^{\prime }$, the parameters of the two basic learners are mixed in proportion to $\gamma$ to update the learning parameters for the current round. The previous round’s learning experience is iteratively updated with a learning rate ${\alpha }^{\prime }$, as follows: ${\mathit{\theta }}_g\leftarrow {\alpha }^{\prime }{\mathit{\theta }}_g+(1-{\alpha }^{\prime })(\gamma {\mathit{\theta }}_r+(1-\gamma ){\mathit{\theta }}_n)$. The value of ${\alpha }^{\prime }$ determines the importance of the basic learners to the global learner. Adjusting $\gamma$ can control the model’s emphasis on handling clean samples versus adversarial samples. Throughout the process of updating the global learner, the basic learners pass parameters every c rounds. The function $\mathcal{B}\left(t,t^{\prime },c\right)$ is a boolean function that returns 1 if and only if $t>t^{\prime }$ and $t \mathit{mod} c==0$, otherwise it returns 0. In simple terms, after round $t^{\prime }$, the global learner’s parameters ${\theta }_g$ are updated every c rounds. When $tmodc\ne 0$, the clean learner and the robust learner continue their independent training.

$$\left\{\begin{array}{c}{\mathit{\theta }}_n^t=\mathrm{argmin}{\mathbb{E}}_{{\mathcal{D}}_1}{\mathit{\ell }}_n\left({\mathit{D}}_1);{\mathit{\theta }}_n^{t-1}\right),\hfill \\ {\mathit{\theta }}_r^t=\mathrm{argmin}{\mathbb{E}}_{{\mathcal{D}}_2}{\mathit{\ell }}_r\left({\mathit{D}}_2);{\mathit{\theta }}_n^{t-1}\right),\hfill \\ {\mathit{\theta }}_g^{t+1}={\alpha }^{\prime }{\mathit{\theta }}_g^{t-1}+(1-{\alpha }^{\prime })\left[\gamma {\mathit{\theta }}_r^t+(1-\gamma ){\mathit{\theta }}_n^t\right],\hfill \\ {\mathit{\theta }}_n^t=\mathcal{B}\left(t,t^{\prime },c\right){\mathit{\theta }}_g^{t+1}+\left(1-\mathcal{B}\left(t,t^{\prime },c\right)\right){\mathit{\theta }}_n^t,\hfill \\ {\mathit{\theta }}_r^t=\mathcal{B}\left(t,t^{\prime },c\right){\mathit{\theta }}_g^{t+1}+\left(1-\mathcal{B}\left(t,t^{\prime },c\right)\right){\mathit{\theta }}_r^t.\hfill \end{array}\right.$$

(8)

4. Experimental Evaluation

4.1. Experimental Setup

4.1.1. Experimental Environment Configuration

Due to the intensive computational power required for training and testing the models, we conducted the experiments using a GPU server. The basic information of the server is shown in

Table 1. Server environment and configuration.

Environment	Configuration
Operating system	Ubuntu Server 22.04 (Canonical Ltd., London, UK)
CPU	Intel(R) Xeon(R) Gold 5118 CPU @ 2.30 GHz (Intel Corporation, Santa Clara, CA, USA)
GPU	NVIDIA GeForce RTX 3090 24 GB (NVIDIA Corporation, Santa Clara, CA, USA)
Memory	314 GB
Development language	Python 3.9 (Python Software Foundation, Wilmington, DE, USA)
Deep learning framework	Pytorch 2.0.1 (Meta Platforms, Inc., Menlo Park, CA, USA)

.

4.1.2. Dataset Selection

The datasets selected for this study include CIFAR-10 [23], MNIST, and SVHN. CIFAR-10 is widely used in computer vision tasks, consisting of 10 different classes with approximately 6000 images per class at a resolution of 32 × 32 pixels. MNIST, used for handwritten digit recognition tasks, comprises 60,000 training images and 10,000 test images, each grayscale and sized at 28 × 28 pixels across 10 classes representing digits from 0 to 9. SVHN dataset, collected from real-world street scenes, consists of larger, typically color images sized at 32 × 32 pixels.

4.1.3. Baseline Adversarial Defense Methods

This study compares the A3GT method with several baseline methods, including standard adversarial training using PGD [17], Generalist [16], FAT [22], IAT [24], TRADES [18], and YOPO [24]. For clean models, ResNet-18 serves as the base model. For standard adversarial training models, ResNet-18 is also used with the AT [25] attack method, where parameter $\beta =1$. Generalist method uses PGD as the attack method with parameters $\gamma =[1,1,1,0.4]$. FAT and IAT methods follow the parameter settings as specified in their respective papers.

4.1.4. Adversarial Attack Methods

This study employs Projection Gradient Descent (PGD) [17], Momentum Iterative Attack (MIA) [26], and AutoAttack [25], which includes variations such as ${\mathrm{APGD}}_{\mathrm{ce}}$, ${\mathrm{APGD}}_{\mathrm{dlr}}$, ${\mathrm{APGD}}_{\mathrm{t}}$, ${\mathrm{FAB}}_{\mathrm{t}}$, and Square for attacking models.

4.1.5. Evaluation Metrics

• Clean accuracy: classification accuracy of the model on clean samples.
• Robust accuracy: classification accuracy of the model on adversarial samples generated by corresponding attack methods.
• CMMR score [27]: Comprehensive Multi-dimensional Model Robustness (CMMR) score derived from metrics including Acc, ASS, MSE, ${\mathrm{ALD}}_2$, and PSNR.

4.2. Performance Comparison under Different Adversarial Attack Methods

To comprehensively demonstrate the performance of A3GT, the experimental results of A3GT based on the ResNet18 model on the CIFAR-10 dataset are shown in

Table 2. Comparison of clean accuracy (%) and robust accuracy (%) between A3GT method and other defense methods.

Model	Clean Accuracy	PGD20	PGD100	MIM	${\mathbf{APGD}}_{\mathbf{ce}}$	${\mathbf{APGD}}_{\mathbf{dlr}}$	${\mathbf{APGD}}_{\mathbf{t}}$	${\mathbf{FAB}}_{\mathbf{t}}$	Square
Clean	$91.52$	0.00	0.00	0.00	0.00	0.00	0.00	0.00	0.00
Generalist	89.09	50.01	50.00	52.19	46.53	48.70	46.11	$47.32$	56.68
FAT	87.72	46.69	46.81	47.03	46.20	47.51	44.88	45.76	52.98
IAT	84.60	40.83	40.87	43.07	37.56	37.95	35.13	36.06	49.30
A3GT	$89.11$	$51.22$	$51.23$	$53.23$	$47.87$	$50.13$	$46.69$	47.20	$57.10$

.

The clean model achieves the highest classification accuracy on clean sample images, reaching 91.52%. However, it lacks the ability to defend against adversarial sample images, resulting in complete failure when facing various adversarial attacks. Its robust accuracy is 0% against any type of adversarial attack. This underscores the need for enhancing the adversarial robustness of models, which is why numerous defense methods have emerged to significantly improve robustness under adversarial attacks. Nevertheless, it is evident that conventional methods for enhancing robustness do not consider the impact on the clean accuracy (classification accuracy on clean samples). For example, the FAT and IAT methods show a substantial improvement in adversarial robustness compared to the clean model. In the case of PGD20, the clean model has a robust accuracy of 0%, whereas the FAT and IAT methods increase the robust accuracy to 46.69% and 40.83%, respectively, demonstrating significant effectiveness in improving adversarial robustness. However, these models perform poorly on original clean sample images. For instance, the IAT method reduces clean accuracy by 6.92% (from 91.52% to 84.6%) compared to the clean model. Thus, there is a need for a defense method that can enhance robust accuracy without a significant drop in clean accuracy when dealing with original clean sample images. Generalist is one such method that achieves a balance between clean accuracy and robust accuracy, improving robust accuracy while minimizing the reduction in clean accuracy. However, it has a drawback: it uses a synchronous approach for normal and adversarial training. This can lead to suboptimal results as the optimal training times for normal and adversarial training can differ depending on data distribution and model architecture. The A3GT method addresses this issue by allowing interaction between the two basic learners when both reach their optimal states, as analyzed in Section 3.3. Experimental results show that the A3GT method achieves the highest robust accuracy under seven types of adversarial attacks compared to the other three defense methods. However, its performance under ${\mathrm{FAB}}_{\mathrm{t}}$ adversarial attack is not as good as Generalist. The A3GT method strikes a balance between clean accuracy and robust accuracy, performing second only to the clean model on original clean sample images while significantly improving robust accuracy.

4.3. Performance Comparison on Different Datasets

In addition to the CIFAR-10 dataset, we tested the performance of the ResNet-18 model architecture on the MNIST and SVHN datasets. The maximum perturbation strength for adversarial attack methods was set to $ϵ=8/255$. The experimental results comparing the A3GT method with other baseline methods are shown in

Table 3. Comparison of clean accuracy (%) and robust accuracy (%) between A3GT method and other defense methods.

		MNIST			SVHN
	Clean Samples	PGD	MIA	Clean Samples	PGD	MIA
FAT	98.97	92.26	93.54	93.41	53.26	54.54
TRADES	99.13	94.61	95.13	93.13	54.61	55.13
YOPO	99.19	93.13	93.54	92.19	52.13	55.54
A3GT	99.2	96.13	96.3	94.31	54.13	56.3

.

The results demonstrate that the A3GT method achieves the best performance on clean samples across both datasets, with accuracies of 99.2% on MNIST and 94.31% on SVHN. Additionally, the A3GT method significantly outperforms other baseline methods under the MIA attack, achieving 96.3% on MNIST and 56.3% on SVHN. The A3GT method also shows the best defense against the PGD attack on the MNIST dataset (96.13%) and ranks second only to the TRADES method in classification accuracy on the SVHN dataset.

To comprehensively explore the trade-off between clean accuracy and robust accuracy of different defense methods, this study further analyzes the performance of clean accuracy under various levels of robust accuracy during training. As shown in Figure 2, we conducted a detailed comparison of the A3GT method with existing methods such as Generalist, FAT, and Madry. Overall, the experimental results indicate that most methods exhibit a decline in clean accuracy as robust accuracy increases. Specifically, the FAT and Madry methods show a significant drop in clean accuracy when the robust accuracy approaches 40%. In contrast, the Generalist method achieves a more balanced result between robust accuracy and clean accuracy. Additionally, the A3GT method achieves a better balance between robust accuracy and clean accuracy compared to the Generalist method. The experiments reveal that the A3GT method can maintain robustness while minimizing the decline in clean accuracy, resulting in a more resilient model against adversarial attacks.

4.4. Robustness Score of A3GT under the CMMR Framework

In real-world scenarios, the conditions faced by models can vary significantly. To comprehensively and accurately assess the adversarial robustness of models, this paper proposes a Comprehensive Multi-dimensional Model Robustness (CMMR) evaluation framework. In this section, the proposed A3GT method is comprehensively evaluated using the CMMR framework against five other adversarial defense methods: TRADES, YOPO, Self Adaptive, FAT_TRADES_032, and FAT_MART_032. These defense techniques primarily aim to enhance model robustness by altering model parameters during training.

As shown in Figure 3, the CMMR score of the A3GT method generally surpasses that of the other five defense methods. Specifically, when $ϵ<0.03$, the A3GT method is slightly inferior to TRADES and Self Adaptive, but the difference is minimal. As the adversarial perturbation strength increases, when $ϵ<0.08$, A3GT ranks second only to the FAT_TRADES_032 method, and thereafter, its CMMR score exceeds that of any other defense method. When $ϵ>0.13$, the A3GT method is second only to YOPO and Self Adaptive. From these results, it is evident that while the A3GT method does not consistently outperform all other defense methods across the entire range of perturbation strengths, it demonstrates stable and superior performance overall. Additionally, radar charts depicting the CMMR scores of A3GT and the other five defense methods at perturbation strengths of $ϵ=0.04$, $ϵ=0.08$, $ϵ=0.12$, and $ϵ=0.16$ are presented in Figure 4. As shown, the A3GT consistently leads in CMMR scores across all four conditions compared to the other five defense methods.

4.5. Ablation Study

In this subsection, a series of ablation studies are conducted on the proposed A3GT method, focusing on the mixing ratio $\gamma$ of the two basic learners and the learning frequency c of the global learner. These studies aim to explore and analyze how these two parameters affect the performance of the A3GT method.

4.5.1. Mixing Ratio $\gamma$ of the Two Basic Learners

It is important to note that the mixing ratio $\gamma$ of the two basic learners is not a vector, but a scalar. The model training is divided into different stages, with each stage training the model according to different mixing ratios. The mixing ratio decreases according to a dynamic function as the training iterations increase. As shown in Equation (4), when $\gamma =1$, the global learner is fully updated by the robust learner. As the mixing ratio gradually decreases, the global learner’s learning shifts from the robust basic learner to the normal basic learner, ensuring that the model retains learning experience from the original clean images.

As illustrated in Figure 5, the effect of different mixing ratios $\gamma$ on the results is significantly different, and the performance is also influenced by the learning frequency c of the global learner. In the absence of attacks, the best setting is a mixing ratio $\gamma =(1,1,1,0.4)$ and a learning frequency $c=5$. Under PGD attacks, the best performance is achieved with a mixing ratio $\gamma =(1,1,1,0.4)$ and a learning frequency $c=1$. For AutoAttack, the method performs optimally with a mixing ratio $\gamma =(1,1,1,0.4)$, similar to the performance under C&W attacks. Additionally, the experimental results indicate that when the mixing ratio is fixed, the method performs well only with a learning frequency $c=5$, while the performance significantly degrades under other conditions. Therefore, to enhance the clean accuracy on original clean samples, the A3GT method sets the mixing ratio $\gamma$ of the two basic learners to $(1,1,1,0.4)$.

4.5.2. Learning Frequency c of the Global Learner

As shown in Equation (8), the learning frequency c of the global learner controls the frequency of interaction between the global learner and the two basic learners. A larger learning frequency c means lower interaction frequency, while a smaller c means more frequent interactions. It is worth noting that the learning frequency c remains fixed throughout the entire model training phase. The experimental results in Figure 5 indicate that the method is not optimal when $c=1$. The performance reaches its peak when the learning frequency increases to $c=5$. As the learning frequency continues to increase, the performance gradually decreases. This suggests that the interaction frequency between the global learner and the basic learners should neither be too high nor too low. Therefore, the A3GT method sets the learning frequency c of the global learner to 5.

5. Conclusions

This paper proposes an Asynchronous Adaptive Adversarial Training (A3GT) method to enhance model adversarial robustness. Following the training framework of Generalist, A3GT divides model training into two parts: normal training and adversarial training. The learner for normal training is called the clean learner, and the learner for adversarial training is called the robust learner. The two basic learners operate independently and do not interfere with each other in the initial stages. To eliminate reliance on preset hyperparameters, A3GT uses an adaptive global learner update strategy, where the two learners interact to generate the global learner once both reach a stable state. By determining whether the two basic learners have stabilized, A3GT creates an adaptive interaction strategy based on different model architectures and datasets without being constrained by fixed static parameters.

The performance of A3GT is compared with other defense methods under different adversarial attacks and on different datasets. Experimental results show that A3GT not only exhibits good adversarial robustness under various attacks but also maintains classification accuracy on clean samples. In addition to using classification accuracy to evaluate performance, this paper also embeds A3GT into the Comprehensive Multi-dimensional Model Robustness (CMMR) evaluation framework. Evaluations with other advanced defense methods show that A3GT demonstrates good and stable performance across the entire range of adversarial perturbation strengths.

Although A3GT effectively balances adversarial robustness and classification accuracy, and demonstrates superior robustness under various adversarial attacks, it increases the training overhead to some extent due to the need to train two independent learners. However, since the two basic learners are trained independently, the learning speed can be accelerated by enhancing parallelism when sufficient computational resources are available. Additionally, this paper focuses on adversarial attacks in the image domain, and we believe that extending A3GT to other domains (such as natural language processing or speech recognition) is an interesting direction for future research.