Robust Deep Active Learning via Distance-Measured Data Mixing and Adversarial Training

1. Introduction

Deep neural networks typically require extensive labeled datasets for effective training, making data annotation a slow, expensive, and complex process [1]. Active learning addresses this challenge by strategically selecting the most informative samples from an unlabeled pool for annotation, thereby reducing the overall labeling burden [2]. A prevalent approach prioritizes samples with low-confidence predictions, as these high-uncertainty instances are empirically proven to provide valuable information for model improvement [3]. However, strategies that rely exclusively on uncertainty estimation often concentrate sample selection within narrow regions of the feature space, resulting in inadequate coverage of the overall data distribution and potential amplification of label noise [4]. Incorporating diversity considerations into the selection process can mitigate these issues by ensuring broader distributional coverage and capturing richer information content across the data manifold.

Recent active learning research has therefore pursued two complementary objectives: uncertainty estimation and diversity promotion. Uncertainty-based methods such as Least Confidence [3,5,6] prioritize samples exhibiting minimal predictive confidence. Deep Bayesian techniques further enhance uncertainty estimation by utilizing posterior predictive distributions to refine entropy-based and mutual-information-based selection criteria [7,8,9,10,11]. Alternative approaches employ auxiliary models to improve uncertainty estimation or guide the selection process [12,13,14,15,16,17]. Complementing these uncertainty-focused strategies, diversity-oriented methods such as VAAL [18] explore varied regions within the latent space, while BADGE [19] integrates gradient-based uncertainty estimation with clustering techniques to enhance distributional coverage [20]. Despite these advances, a fundamental trade-off remains: uncertainty-centric querying tends to over-sample points near decision boundaries that are often noisy or ambiguous, whereas diversity-only selection may overlook the most decision-relevant instances, particularly in complex, imbalanced, or noisy data environments.

From a decision-boundary perspective, samples with high uncertainty typically reside near class separators, where noise and label ambiguity are most prevalent. Excessive emphasis on such points can propagate labeling errors and compromise training quality. To investigate this phenomenon, we conducted a preliminary study using Least Confidence on CIFAR-10 [21] with MobileNet [22] as the backbone architecture. Following an initial training phase, we selected 1,000 samples per iteration based on lowest confidence scores and visualized the selections using t-SNE, comparing direct top-k selection (offset 0) with an offset strategy that skips the top 300 lowest-confidence samples. As illustrated in Figure 1, the offset strategy distributes selections more broadly across the feature space, enhancing both coverage and diversity. This approach achieved 84.11% accuracy compared to 83.5% without offset, demonstrating that strategically shifting away from the most uncertain samples can capture richer information content and improve overall performance.

Motivated by these observations and drawing inspiration from Alpha-Mix [1], which employs tuned mixing strategies to introduce variability while preserving salient features, we propose a data-mixing framework for deep active learning that simultaneously addresses uncertainty estimation, diversity promotion, and robustness enhancement. Our central premise involves inferring sample uncertainty through weighted mixtures that encode inter-sample relationships and underlying data distribution structure, with particular emphasis on near-boundary regions that are critical for class discrimination yet susceptible to noise contamination. Building upon this foundation, we further introduce a boundary-aware feature fusion mechanism via adversarial training: we generate adversarial counterparts for selected near-boundary samples using fast gradient methods and train them jointly with the original instances. This approach enhances generalization capabilities and robustness in complex, noisy environments by stabilizing the learning process around decision boundaries.

Our contributions are summarized as follows:

• We introduce Distance-Measured Data Mixing (DM2) Active Learning, a novel deep active learning framework that estimates sample uncertainty through distance-weighted mixing of data samples. By exploiting inter-sample relationships and distributional structure, this method selects informative instances across the data manifold, including near-boundary regions, thereby enhancing the diversity of queried samples.
• To address noise susceptibility in challenging scenarios, we augment Distance-Measured Data Mixing with adversarial training (DM2-AT). We generate fast-gradient adversarial samples for selected near-boundary instances and train them jointly with the original data, improving model robustness and generalization performance under complex data distributions.
• Comprehensive experiments across diverse tasks, model architectures, and data modalities demonstrate that our method achieves superior performance while significantly reducing labeling requirements compared to existing approaches.

2. Related Work

2.1. Uncertainty Estimation

The uncertainty-based approach selects the most ambiguous unlabeled samples from the current model. Since the model is initially trained with a limited dataset, these ambiguous samples provide valuable information for subsequent rounds of training: (1) Prominent uncertainty selection, which includes the Least Confidence method [5] and Entropy Sampling [23]. The Margin Sampling method [6] evaluates the difference between the confidence levels of the highest and second-highest prediction classes. BatchBALD [24] selects samples by maximizing the joint information gain of a batch. (2) Bayesian framework, information gain methods focus on model parameters [4,25], often integrating Bayesian belief networks with Monte Carlo sampling [26]. Deep Bayesian approximation methods like MC-Dropout [7] are employed to address the challenge of probabilistic prediction. Query by Committee (QBC) methods facilitate multi-model training [27], while adversarial training methods [10,11,18] provide additional robustness. Furthermore, the variance between predicted probabilities within a set [28] has been proposed as a measure of uncertainty. (3) Model-based active learning trains a separate model for active instance selection. Variational Autoencoders (VAE) [18] utilize a V-shaped autoencoder to model data distribution. CoreGCN [13] employs Graph Convolutional Networks (GCNs) to represent relationships between examples. LL4AL [14] integrates a lightweight module to learn the prediction error of unlabeled examples, capturing the learning loss in active learning. ProbCover [29] is a novel active learning algorithm designed for low-budget scenarios, aiming to maximize probability coverage. Methods like ISAL and ent-gn [15,16] propose using influence functions [17] to estimate potential model changes, thereby informing training strategies. These techniques often prioritize points near the decision boundary. However, they may overlook valuable data near the decision boundary by relying solely on predicted class likelihood.

2.2. Diversity Improvement

In active learning, diversity refers to selecting representative and varied samples for labeling. Methods often assign confidence scores based on classifier uncertainty and sample diversity [30]. One strategy uses entropy and mutual information within a CRF graphical model for query selection [31]. The state-of-the-art method, Coreset [12], focuses on selecting data with diverse representations. BADGE [19] explores the relationship between data diversity and uncertainty using Bayesian methods and clustering. CoreGCN [13] employs graph embeddings for diverse data selection. Hierarchical agglomerative clustering (HAC) [32] distributes uncertain examples. BatchBALD [24] also considers sample diversity by selecting complementary samples to avoid redundancy. Recent advances utilize parameters from the final neural layer, while Alpha-Mix [1] employs feature mixing with alpha values. Noise Stability [20] introduces a greedy algorithm that adds noise to highlight differences. These methods propose complex paradigms for modeling diversity, enhancing effectiveness but increasing complexity and coupling.

3. Distance-Measured Data Mixing

This section presents our theoretical framework for Distance-Measured Data Mixing (DM2), as illustrated in Figure 2. Our approach focuses on selecting samples that effectively balance diversity and uncertainty considerations. The process begins by feeding unlabeled data through the model to extract feature-layer embeddings. We then compute similarity distances between samples within these embedding spaces and select multiple similar instances for linear mixing according to predetermined proportions. The model evaluates these mixed samples to determine their confidence levels. Finally, we rank samples by confidence scores and select data indices with the lowest confidence values, adding the corresponding original samples to the labeled candidate set to complete each selection round.

3.1. Formal Definition

Given an unlabeled data pool U and an initially empty labeled data pool L, the objective of active learning is to select a subset of samples $X_i$ from U based on a predefined annotation budget (e.g., selecting 1,000 samples at a time from a pool of 50,000 samples). These selected samples are annotated by human experts and added to L, such that $L\leftarrow L\cup X_i,Y_i$, where $Y_i$ represent the newly acquired annotations. The selected samples are subsequently removed from the unlabeled pool: $U\leftarrow U\setminus X_i$.

A neural network model is defined as a function $f_{\theta }$, where $\theta$ denotes the model parameters. For input data $U=X_1,X_2,\dots ,X_n$, the model generates predictions $\widehat{Y}i=f\theta \left(X_i\right)$. The model is trained by minimizing the cross-entropy loss function:

$$\ell \left(Y,\widehat{Y}\right)=-{\displaystyle \frac{1}{N}}\sum _{i=1}^N\sum _{c=1}^C{y}_{i,c}log\left({\widehat{y}}_{i,c}\right),$$

where N represents the number of samples, C denotes the number of classes, and ${\widehat{y}}_{i,c}$ is the predicted probability that the i-th sample belongs to class c. The optimization objective is to minimize this loss function:

$${\theta }^{*}=arg\underset{\theta }{min}\ell (Y,f_{\theta }\left(x\right)).$$

In subsequent data selection phases, the trained model evaluates samples from the unlabeled pool U to obtain confidence scores for each instance. Based on these confidence estimates, the method selects samples to be added to the labeled pool L, initiating the next cycle of training and data selection.

3.2. Feature Extraction

The feature representation from the final layer of a convolutional neural network (CNN) captures the highest-level, most abstract features from input images. These features effectively encapsulate global information and complex patterns, making them particularly valuable for tasks such as classification and recognition.

For each sample in the unlabeled data pool $U=X_1,X_2,\dots ,X_n$, we extract features from the last convolutional layer of the CNN. The output features are denoted as $F_{\mathrm{Conv}}\left(X_i\right)\in {\mathbb{R}}^d$, where d represents the feature dimension. Here, $U_i$ denotes the feature representation of the i-th sample extracted through this layer. The feature extraction process is formalized as:

$$U_i=F_{\mathrm{Conv}}\left(X_i\right).$$

3.3. Distance Measured

Euclidean distance effectively captures geometric relationships in continuous feature spaces, making it well-suited for detecting subtle differences between samples and demonstrating high sensitivity to small variations in data. In contrast, Manhattan distance is particularly effective for measuring differences in discrete or sparse feature spaces.

By combining Euclidean and Manhattan distances, we can more comprehensively assess the relationships between samples. Let $U_i$ and $U_j$ represent the feature vectors of samples i and j, respectively. The Euclidean distance between two sample vectors is defined as:

$$d_{\mathrm{E}}(U_i,U_j)=\sqrt{\sum _{k=1}^n{(U_{ik}-U_{jk})}^2},$$

where $U_{ik}$ and $U_{jk}$ represent the k-th components of feature vectors $U_i$ and $U_j$, respectively, and d is the feature dimension. The Manhattan distance metric is expressed as:

$$d_{\mathrm{M}}(U_i,U_j)=\sum _{k=1}^n\left|U_{ik}-U_{jk}\right|.$$

The combined distance metric, obtained by averaging Equations and , is expressed as:

$$d_c(U_i,U_j)={\displaystyle \frac{d_{\mathrm{E}}(U_i,U_j)+d_{\mathrm{M}}(U_i,U_j)}{2}}.$$

3.4. Linear Data Mixing

The distance function $d_c(U_i,U_j)$ calculates the similarity between feature samples $U_i$ and $U_j$. In this step, we select n samples $X_1,X_2,\dots ,X_n$ that are most similar to sample $X_i$ for linear mixing. We denote the set of nearest neighbors of $U_i$ based on $d_c(U_i,U_j)$ as $N_i$, and employ the parameter $\lambda$ to control the degree of mixing. This process operates directly at the data level rather than on feature representations. The mixing formula is expressed as:

$$\widehat{X_i}=\lambda ·X_i+(1-\lambda )·\sum _{j\in N_i}{X}_j,$$

where ${\widehat{X}}_i$ represents the mixed data sample derived from $X_i$, $N_i$ denotes the index set of the n nearest neighbors of sample $X_i$, and $\lambda$ controls the mixing weight of the original sample $X_i$. The linearly mixed sample ${\widehat{X}}_i$ is then fed into the pre-trained model for prediction:

$$P_i=f_{\theta }\left({\widehat{X}}_i\right).$$

The output of the classification model, $P_i$, is typically a vector representing the predicted logits for each class. This output is converted into a probability distribution using the softmax function:

$$\mathrm{Softmax}\left(P_i\right)=\left[{\displaystyle \frac{exp\left(P_{i1}\right)}{{\sum }_{c}exp\left(P_{ic}\right)}},\dots ,{\displaystyle \frac{exp\left(P_{iC}\right)}{{\sum }_{c}exp\left(P_{ic}\right)}}\right],$$

where C represents the number of classes and $P_{ic}$ denotes the model’s logit score for sample ${\widehat{X}}_i$ belonging to class c.

The probability distribution from the classification model’s output is utilized to determine the confidence level for each sample. The highest predicted probability typically serves as a confidence indicator:

$$C_i=max\left(\mathrm{softmax}\left(P_i\right)\right).$$

This represents the model’s maximum predicted probability for sample ${\widehat{X}}_i$, indicating its confidence level. Samples are ranked by their confidence scores, and those with the lowest confidence are selected for the next active learning batch. When confidence levels are sorted in ascending order, $\mathrm{sort}\left[0\right]$ corresponds to the index of the sample with the lowest confidence, while $\mathrm{sort}[N-1]$ represents the highest confidence sample. From this sorted arrangement, we select the n samples with the lowest confidence scores for annotation. The indices of these selected samples constitute the active learning dataset $D_a$:

$$D_a=\{X_{\mathrm{sort}\left[0\right]},X_{\mathrm{sort}\left[1\right]},\dots ,X_{\mathrm{sort}[N-1]}\}.$$

We return the selected n sample indices for active learning annotation. The corresponding samples are retrieved from the original unlabeled dataset $U=X_1,X_2,\dots ,X_m$ using these indices and added to the labeled pool L. This process is repeated iteratively throughout the entire active learning cycle.

Algorithm 1 Distance-Measured Data Mixing Active Learning

1: Input: f: randomly initialized neural network, U: unlabeled data pool, 2:       L: labeled data pool 3: Output: L: updated labeled pool 4: Begin: 5:       Train the model f using the unlabeled pool U to obtain $F_{\mathrm{conv}}\left(X_i\right)$ 6:       for $k\leftarrow 1$ to K do 7:            for $i\leftarrow 1$ to S do 8:                 $\delta (U_k,U_i)=\sqrt{{(F_{\mathrm{conv}}\left(U_k\right)-F_{\mathrm{conv}}\left(U_i\right))}^2}+|F_{\mathrm{conv}}\left(U_k\right)-F_{\mathrm{conv}}\left(U_i\right)|$ 9:                 $\mathrm{get}{N}_k=\delta (U_k,U_i)/2$ 10:            end for 11:       end for 12:       Number of mixed samples is N 13:       for $h\leftarrow 1$ to H do 14:            ${\widehat{X}}_h=\lambda *X_h+(1-\lambda )*{\sum }_{j\in N_h}{X}_j$ 15:            $\xi \left(h\right)={\widehat{X}}_h$ 16:       end for 17:       Train the model $f\left(\xi \right(h\left)\right)$ to obtain $M=\mathrm{sort}\left(\mathrm{softmax}\right(P\left)\right)$ 18:       Select samples with indexes ${\left\{M_{jc}\right\}}_{c=1}^N$ in U as $\left\{X_i\right\}$, and obtain their labels $\left\{Y_i\right\}$ 19:       Update L with $L=L\cup \{X_i,Y_i\}$ 20: ReturnL

4. Adversarial Training for Boundary Data Feature Fusion

This section presents an active learning algorithm that integrates adversarial training with feature fusion for boundary data samples. This method employs adversarial training to enhance model efficiency, thereby strengthening performance when processing noisy and complex environmental data. Simultaneously, the active learning strategy reduces the required number of training samples, lowering overall training costs. Specifically, in our boundary data feature fusion approach for active learning, samples selected in each round are initially augmented through adversarial training to generate adversarial counterparts. These adversarial samples are subsequently merged with the existing labeled pool, enabling the model to fully exploit the augmented data during updates.

The advantage of this approach lies in its incorporation of active learning properties to reduce labeled data requirements while leveraging adversarial training to enhance the model’s classification capabilities, particularly when confronting noise and interference in real-world scenarios. Through this combination, the model’s information recognition performance is significantly improved, achieving more accurate classification in complex environments and demonstrating adaptability across diverse application scenarios. This algorithm not only improves model stability and classification accuracy but also reduces training sample requirements while adapting to large-scale dataset challenges, offering substantial practical value, especially in applications requiring rapid deployment and efficient training. The complete methodological process is illustrated in Figure 3.

4.1. FGSM Confrontation Training

Adversarial training serves as a method to improve model generalization by incorporating adversarial samples into the training dataset during the training process. This approach compels the model to learn from these challenging examples, thereby enhancing its ability to defend against adversarial perturbations. The Fast Gradient Sign Method (FGSM) represents one of the most widely used techniques for generating adversarial samples, and FGSM adversarial training constitutes a training methodology that employs FGSM to generate adversarial samples and incorporate them into the training set [33].

FGSM is an algorithm that efficiently generates adversarial perturbations by computing the gradient of the loss function with respect to the input. The fundamental principle involves applying a small perturbation along the direction of the loss function’s gradient to input samples, thereby causing the model to produce erroneous predictions. This perturbation is computed individually for each input sample, making it inherently "sample-specific" [34]. The FGSM generation process follows these specific steps:

Calculate the gradient: For each input sample and its corresponding label, we first compute the gradient of the loss function with respect to the input:

$${\nabla }_{\mathrm{x}}\mathcal{L}(\theta ,x,y),$$

where $\mathcal{L}(\theta ,x,y)$ represents the loss function with model parameters $\theta$, input sample x, and true label y. This gradient indicates the direction in which small changes to the input would most significantly increase the loss.

Using the computed gradient to generate adversarial perturbations, the key principle of FGSM involves computing the sign of the gradient (representing the gradient’s direction) and adding perturbations along that direction. The perturbation magnitude is controlled by a small constant parameter:

$${\mathrm{adv}}_{sample}=x+{\omega }^{*}sign\left({\nabla }_x\mathcal{L}(\theta ,x,y)\right),$$

where $\mathrm{sign}(·)$ is the sign function that extracts the sign of each element in the gradient vector, and $ϵ$ is the hyperparameter that controls the perturbation magnitude. This formula represents the process of applying a small perturbation to input samples along the direction of the loss function’s gradient. The sign function ensures that the perturbation moves in the direction that would maximally increase the loss, while the $ϵ$ parameter bounds the perturbation size to maintain the adversarial sample’s similarity to the original input.

The generated adversarial samples are incorporated alongside the original samples during the training process, enabling the model to learn correct predictions when confronted with adversarially perturbed inputs. This approach enhances the model’s robustness by exposing it to challenging examples that lie near the decision boundary.

In adversarial training, the training process comprises two complementary components. First, positive sample training follows the traditional approach by utilizing original data for model training. Second, adversarial sample training incorporates adversarial samples generated using FGSM into the training data. During each training step, a batch of data is selected from the training set, where each sample consists of an input x and its corresponding label y. FGSM is then applied to generate adversarial perturbations for each sample, producing the corresponding adversarial examples.

The training procedure calculates losses for both the original samples and their adversarial counterparts, combining these losses for backpropagation to update model parameters:

$${\mathcal{L}}_{\mathrm{total}}={\displaystyle \frac{1}{2}}\left(\mathcal{L}(\theta ,x,y)\right)+\mathcal{L}(\theta ,ad{v}_{sample},y)),$$

where $\mathcal{L}(\theta ,x,y)$ represents the loss computed on the original sample and $\mathcal{L}(\theta ,ad{v}_{sample},y)$ denotes the loss computed on the adversarial sample. This combined loss function ensures that the model simultaneously learns to make correct predictions on both normal and adversarially perturbed inputs.

FGSM adversarial training constitutes an effective method for improving model robustness. By generating adversarial samples and incorporating them into the training data, this approach enhances the model’s ability to adapt to input perturbations, enabling the model to maintain performance when confronted with adversarial examples during inference.

4.2. Adversarial Training for Sample Selection

This method combines the principles of active learning and adversarial training to enhance model stability and performance. The specific process unfolds as follows:

Initially, the trained model performs forward propagation to obtain feature representations from the final layer for each sample, as expressed in Equation . This process effectively represents the information contained within samples as high-dimensional feature vectors. Subsequently, the most representative samples are selected through similarity calculations between samples. We employ a combination of Manhattan and Euclidean distances to produce a more reliable and efficient distance measure, as demonstrated in Equation . This combination leverages the strengths of both distance metrics to achieve more stable similarity calculations, particularly when handling features with varying scales.

Through inter-sample similarity calculations, we identify the most similar batch of samples for subsequent fusion and training. The n most similar samples are then merged using the MixUp fusion method, where samples are linearly combined to generate new training instances that enhance model generalization capability, as shown in Equation . Classification confidence is obtained by evaluating the model, and the corresponding index list is returned for active learning selection.

Following sample selection by the boundary data feature fusion algorithm, the original images undergo forward propagation through the neural network. Prediction results are obtained via the fully connected layer, yielding probability distributions as outputs. FGSM then calculates the gradient of the loss function with respect to the input image through backpropagation. This gradient indicates each pixel’s contribution to the loss function, revealing how individual pixels should be modified during the perturbation process to maximize the loss. Larger gradient magnitudes indicate greater pixel impact on the loss function.

Finally, the perturbation is computed and adversarial samples are generated according to:

$$\delta ={\omega }^{*}sign\left({\nabla }_x\mathcal{L}(\theta ,x,y)\right).$$

In this formulation, $ϵ$ represents the perturbation step size, ${\nabla }_x\mathcal{L}(\theta ,x,y)$ denotes the gradient of the loss function with respect to input sample x, $\mathcal{L}(\theta ,x,y)$ is the model’s loss function, and $\mathrm{sign}(·)$ is the sign function. The parameter $ϵ$ determines the magnitude of the adversarial perturbation, with larger values producing more pronounced perturbations. For simpler tasks such as MNIST or SVHN, a smaller value of $ϵ=0.03$ is typically chosen. For more complex tasks like CIFAR-10, a larger value of $ϵ=0.1$ is selected to enable the model to handle more substantial perturbations. The greater the difference between generated adversarial samples and their original counterparts, the more challenging it becomes to train the model for robust performance.

The calculated perturbations are added to the original samples to generate adversarial samples:

$$H=\mathbf{x}+\delta ,$$

where H represents the adversarial sample resulting from adding the perturbation $\delta$ to the original input x.

Algorithm 2 Distance-Measured Data Mixing with Adersarial Training

1: Inputs: unlabeled pool U, labeled pool L, model $f_{\theta }$, loss $\mathcal{L}$, batch B, group size n, Beta($\alpha$), step $ϵ$, epochs E 2: while not converged do 3:    Extract final-layer features $z\left(x\right)\leftarrow f_{\theta }.\mathtt{features}\left(x\right)$ for all $x\in U$ 4:    For each $x\in U$, compute mixed distances s(x,x’) using L1+L2; get top-n neighbors $N\left(x\right)$ 5:    Build fused set S via MixUp on pairs from $x\cup N\left(x\right)$ with $\lambda \sim \mathrm{Beta}(\alpha ,\alpha )$ 6:    Score S by model confidence; select B lowest-confidence indices Q 7:    for each $({\tilde{x}}_i,{\tilde{y}}_i)\in Q$ do 8:      compute $g={\nabla }_x\mathcal{L}(\theta ,{\tilde{x}}_i,{\tilde{y}}_i)$ 9:      compute $\delta =ϵ,\mathrm{sign}\left(g\right)$, $H_i=\tilde{x}i+\delta$ 10:    end for 11:    Acquire labels for $\tilde{x}ii\in Q$; update $L\leftarrow L\cup (\tilde{x}i,y_i),(H_i,y_i)i\in Q$ 12:    for epoch = 1 to E do 13:      for mini-batch $(x,y)$ from L with paired $(x^{adv},y)$ if present do 14:         $\ell =\frac{1}{2}\left(\mathcal{L}(\theta ,x,y)+\mathcal{L}(\theta ,x^{adv},y)\right)$; update $\theta \leftarrow \theta -\eta \nabla \theta \ell$ 15:      end for 16:    end for 17:    Remove labeled items from U; refresh features as needed 18: end while 19: Return $\theta$

The proposed method integrates active learning with adversarial training to improve robustness and efficiency in boundary-focused sample selection. In each iteration, the model first extracts final-layer features for all unlabeled samples and computes pairwise similarities using a hybrid of L1 and L2 distances to identify top-n neighbors per seed sample. Candidate training instances are then synthesized via MixUp over seed–neighbor pairs, and the model’s confidence on these fused samples is evaluated to select a batch of the most uncertain (near-boundary) examples. For each selected instance, FGSM is applied to generate an adversarial counterpart by taking the sign of the input gradient, scaling by a perturbation step, and adding it to the input. The original fused samples and their adversarial variants are labeled and added to the labeled pool.

Model updates combine natural and adversarial losses with equal weight in mini-batch training over several epochs, promoting accurate predictions on both clean and perturbed inputs. By repeatedly selecting uncertain, feature-near-boundary samples constructed via MixUp and augmenting them with FGSM adversaries, the algorithm reduces labeling requirements while enhancing robustness against noise and perturbations.

5. Theoretical Analysis

5.1. Notation and Setup

Let $U=\{X_1,\dots ,X_m\}$ denote the unlabeled pool and L the labeled pool. A model $f_{\theta }$ with parameters $\theta$ produces class probabilities ${\widehat{Y}}_i=f_{\theta }\left(X_i\right)$ and is trained by minimizing the cross-entropy loss in (1), with optimal parameters ${\theta }^{*}$ given by (2). Feature embeddings are extracted by $U_i=F_{\mathrm{Conv}}\left(X_i\right)\in {\mathbb{R}}^d$ as in (3). Distances are measured by $d_{\mathrm{E}}$ and $d_{\mathrm{M}}$ in (4)–(5) and combined as $d_c$ in (6). For each anchor $X_i$, a neighbor set $N_i$ is defined as the indices of the n nearest neighbors under $d_c$. Mixed inputs are formed at the data level by

$${\widehat{X}}_i=\lambda X_i+(1-\lambda )\sum _{j\in N_i}{X}_j\mathrm{with}\lambda \in [0,1],$$

as in (7). The model outputs logits $P_i=f_{\theta }\left({\widehat{X}}_i\right)$, which are mapped to probabilities via softmax (9), and the confidence is $C_i=max\left(\mathrm{softmax}\left(P_i\right)\right)$ in (10). The acquisition set comprises the indices of the n lowest-confidence samples, cf. (11).

5.2. Geometric Rationale for Distance-Weighted Mixing

We analyze the effect of DM2 on two axes crucial for active learning: (i) uncertainty exposure at decision boundaries; and (ii) diversity preservation through local neighborhood mixing.

We work under standard conditions often met in deep representation spaces: (A1) The embedding $F_{\mathrm{Conv}}$ is locally Lipschitz: $\parallel F_{\mathrm{Conv}}\left(X\right)-F_{\mathrm{Conv}}\left(X^{\prime }\right)\parallel \le L\parallel X-X^{\prime }\parallel$ for some $L>0$. (A2) The classifier head of $f_{\theta }$ is $L_f$-Lipschitz in input space on compact domains. (A3) Nearby points under $d_c$ have high label-correlation: there exists $\eta \in [0,1)$ such that for $j\in N_i$, $\mathbb{P}[Y_j\ne Y_i]\le \eta$; equivalently, neighborhoods are label-homogeneous with bounded noise. (A4) Calibration around the decision boundary: near regions where class posteriors are close (small margin), confidence ${max}_c{\widehat{y}}_{ic}$ decreases monotonically with the distance to the margin hyper-surface.

Assumption (A1)–(A3) capture that $d_c$ is a surrogate for semantic proximity, while (A4) links geometric proximity to predictive uncertainty.

Consider a first-order expansion of $f_{\theta }$ w.r.t. the input:

$$f_{\theta }\left({\widehat{X}}_i\right)\approx f_{\theta }\left(\lambda X_i+(1-\lambda )\sum _{j\in N_i}{X}_j\right)\approx \lambda f_{\theta }\left(X_i\right)+(1-\lambda )\sum _{j\in N_i}{f}_{\theta }\left(X_j\right)+{\epsilon }_i,$$

with a remainder term $\parallel {\epsilon }_i\parallel \le \frac{1}{2}{L}_f{∥\lambda X_i+(1-\lambda ){\sum }_{j\in N_i}{X}_j-X_i∥}^2$ by (A2). Thus, to first order, the logits on the mixed input approximate an average of neighbor logits. When $N_i$ is label-homogeneous, the average logit sharpens the predicted class; when $N_i$ straddles a class boundary, the average logit becomes ambiguous, lowering confidence.

5.3. Uncertainty Amplification Near Class Boundaries

Define the pointwise margin for logits $P\left(x\right)$ as

$$\gamma \left(x\right)\triangleq P_{\left(1\right)}\left(x\right)-P_{\left(2\right)}\left(x\right),$$

the gap between the top two logits. By softmax monotonicity, smaller $\gamma \left(x\right)$ implies lower confidence $C\left(x\right)$.

Lemma 1: Margin reduction under heterogeneous neighborhoods. Let $X_i$ have neighbors $N_i$ with class proportions ${\pi }_c$ (${\sum }_c{\pi }_c=1$), and suppose $f_{\theta }$ is locally linear around $\left\{X_i\right\}\cup \{X_j:j\in N_i\}$. Then, for the mixed input ${\widehat{X}}_i$ with weight $\lambda \in (0,1)$,

$$\gamma \left({\widehat{X}}_i\right)\approx \lambda \gamma \left(X_i\right)+(1-\lambda ){\mathrm{\Delta }}_i,$$

where ${\mathrm{\Delta }}_i$ is the top-two logit gap of the neighbor-averaged prediction ${\overline{P}}_i={\sum }_{j\in N_i}P\left(X_j\right)$. If $N_i$ spans multiple classes so that ${\overline{P}}_i$ is class-ambiguous, then ${\mathrm{\Delta }}_i$ is small, and hence $\gamma \left({\widehat{X}}_i\right)\le \lambda \gamma \left(X_i\right)$, yielding $C_i$ reduced relative to $C\left(X_i\right)$.

Proof. 

Local linearity yields $P\left({\widehat{X}}_i\right)\approx \lambda P\left(X_i\right)+(1-\lambda ){\overline{P}}_i$. Let $a(·)$ denote the top-two logit gap (an affine functional restricted to the two dominant coordinates). Then $a(\lambda p+(1-\lambda )\overline{p})=\lambda a\left(p\right)+(1-\lambda )a\left(\overline{p}\right)$ for any logits $p,\overline{p}$ sharing the same top-two ordering; otherwise the gap cannot increase beyond the convex combination by triangle inequality. Hence $\gamma \left({\widehat{X}}_i\right)\le \lambda \gamma \left(X_i\right)+(1-\lambda ){\mathrm{\Delta }}_i$. If neighbors are heterogeneous, ${\mathrm{\Delta }}_i$ is small due to averaging conflicting logits, which lowers $\gamma \left({\widehat{X}}_i\right)$ and therefore $C_i$ by softmax monotonicity in the gap. □

Samples whose neighbor sets $N_i$ cross decision boundaries are systematically assigned lower confidence after mixing and are thus prioritized by DM2. This aligns selection with true boundary regions where labels are most informative for reducing model uncertainty.

5.4. Diversity Preservation via Distance Coupling

Let $\mathcal{G}$ be the k-NN graph on $\left\{U_i\right\}$ under $d_c$. DM2 forms mixes anchored at many distinct nodes with their local neighborhoods. If the acquisition selects the n lowest-confidence anchors after mixing, these anchors tend to be located on edges or cuts of $\mathcal{G}$ that cross clusters. Under mild clusterability:

(A5) The embedding decomposes into r well-separated clusters $\{{\mathcal{C}}_1,\dots ,{\mathcal{C}}_r\}$ with inter-cluster distances larger than intra-cluster distances under $d_c$.

Then boundary regions appear around each cut $({\mathcal{C}}_a,{\mathcal{C}}_b)$; mixed inputs that pool neighbors from both ${\mathcal{C}}_a$ and ${\mathcal{C}}_b$ reduce confidence within each cut. Consequently, the n lowest-confidence anchors are spread across multiple cuts, promoting diversity without explicit diversity regularizers.

5.5. Stability of Mixed Confidence Under Neighbor Noise

Consider neighbor noise: a fraction $\rho$ of $N_i$ are erroneous neighbors (e.g., misembedded or outliers). Let $P_i^{\mathrm{true}}$ be the average logits over true semantic neighbors and $P_i^{\mathrm{noise}}$ over noisy neighbors. Then

$$P\left({\widehat{X}}_i\right)\approx \lambda P\left(X_i\right)+(1-\lambda )\left((1-\rho )P_i^{\mathrm{true}}+\rho P_i^{\mathrm{noise}}\right).$$

If $\parallel P_i^{\mathrm{noise}}-P_i^{\mathrm{true}}\parallel \le \delta$ (bounded contamination), then the perturbation to logits is at most $(1-\lambda )\rho \delta$, so the induced confidence change satisfies

$$|C\left({\widehat{X}}_i\right)-\tilde{C}\left({\widehat{X}}_i\right)|\le L_{\mathrm{sm}}(1-\lambda )\rho \delta ,$$

where $L_{\mathrm{sm}}$ is the Lipschitz constant of the softmax-max operator. Thus DM2 confidence is robust to small neighbor noise for moderate $\lambda$.

5.6. Choice of the Combined Distance $d_c$

The combined metric $d_c=\frac{1}{2}(d_{\mathrm{E}}+d_{\mathrm{M}})$ inherits the following:

(i) Metric property: since $d_{\mathrm{E}}$ and $d_{\mathrm{M}}$ are metrics on ${\mathbb{R}}^d$, any positive weighted sum is a metric. Hence $d_c$ satisfies non-negativity, symmetry, and the triangle inequality.

(ii) Sensitivity balance: $d_{\mathrm{E}}$ is sensitive to dense directions, while $d_{\mathrm{M}}$ is robust to sparse, axis-aligned deviations. Averaging thus mitigates anisotropy and promotes stable neighbor sets in heterogeneous embeddings.

$d_c$ defined by (6) is a metric on ${\mathbb{R}}^d$.

Proof. 

For all $x,y,z\in {\mathbb{R}}^d$: non-negativity and identity of indiscernibles follow from those of $d_{\mathrm{E}}$ and $d_{\mathrm{M}}$. Symmetry is immediate. For the triangle inequality,

$$\begin{array}{cc}\hfill d_c(x,z)& =\frac{1}{2}\left(d_{\mathrm{E}}(x,z)+d_{\mathrm{M}}(x,z)\right)\hfill \\ & \le \frac{1}{2}\left(d_{\mathrm{E}}(x,y)+d_{\mathrm{E}}(y,z)+d_{\mathrm{M}}(x,y)+d_{\mathrm{M}}(y,z)\right)\hfill \\ & =d_c(x,y)+d_c(y,z).\hfill \end{array}$$

□

5.7. Acquisition Optimality Under a Localized Fisher Criterion

Let $\Sigma \left(x\right)$ denote the conditional Fisher information of $f_{\theta }$ at input x with respect to parameters $\theta$ (under the model distribution). For classification with softmax outputs, points near the decision boundary tend to have larger Fisher trace $\mathrm{tr}\Sigma \left(x\right)$, which correlates with higher expected gradient magnitude.

Define the mixed-point Fisher score

$${\Phi }_i\left(\lambda \right)\triangleq \mathbb{E}\left[\parallel {\nabla }_{\theta }\ell (Y,f_{\theta }\left({\widehat{X}}_i\right)){\parallel }^2|X_i,N_i\right]\propto \mathrm{tr}\Sigma \left({\widehat{X}}_i\right).$$

Under (A1)–(A4) and local linearization, if $N_i$ is heterogeneous, ${\widehat{X}}_i$ approaches the boundary and $\mathrm{tr}\Sigma \left({\widehat{X}}_i\right)$ increases. Therefore selecting minimum-confidence ${\widehat{X}}_i$ approximately maximizes ${\Phi }_i\left(\lambda \right)$ among anchors, aligning DM2 with a proxy of information gain.

Theorem1: Informative selection under DM2. Suppose (A1)–(A5) hold and that $f_{\theta }$ is locally linear in a neighborhood containing $\left\{X_i\right\}\cup \{X_j:j\in N_i\}$. Then, for any fixed $\lambda \in (0,1)$, ranking anchors $X_i$ by ascending confidence $C_i$ on mixed inputs ${\widehat{X}}_i$ is equivalent to ranking by a non-increasing function of the margin $\gamma \left({\widehat{X}}_i\right)$ and thus, up to a monotone transform, by $\mathrm{tr}\Sigma \left({\widehat{X}}_i\right)$. Consequently, the DM2 acquisition set approximates a maximizer of the localized Fisher score among anchors, favoring boundary-spanning, diverse regions of the data manifold.

Proof 

(Proof sketch).

Softmax confidence is a monotone function of the logit gap $\gamma \left({\widehat{X}}_i\right)$; hence ordering by $C_i$ equals ordering by $\gamma \left({\widehat{X}}_i\right)$. Under local linearization and (A4), smaller $\gamma \left({\widehat{X}}_i\right)$ implies proximity to the decision boundary, where the Fisher information increases for multinomial logistic models. Thus ranking by $C_i$ approximates ranking by $\mathrm{tr}\Sigma \left({\widehat{X}}_i\right)$. Cluster separation (A5) ensures that anchors selected across different cuts yield coverage of multiple boundary regions (diversity). □

5.8. On the Mixing Coefficient $\lambda$

The coefficient $\lambda$ trades off anchor faithfulness and boundary probing.

- If $\lambda \to 1$, ${\widehat{X}}_i\to X_i$, recovering standard uncertainty sampling. - If $\lambda \to 0$, ${\widehat{X}}_i$ collapses to neighbor averages, which may over-smooth and obscure fine boundaries. - Under (A3), there exists an interval $\Lambda \subset (0,1)$ such that for $\lambda \in \Lambda$, heterogeneous neighborhoods strictly reduce $\gamma \left({\widehat{X}}_i\right)$ relative to $\gamma \left(X_i\right)$ while homogeneous neighborhoods preserve or increase it. Therefore, DM2 self-selects anchors with heterogeneous $N_i$.

Existence of a beneficial mixing range. Assume there exist anchors with $\gamma \left(X_i\right)>0$ and heterogeneous $N_i$ such that ${\mathrm{\Delta }}_i<\gamma \left(X_i\right)$ in Lemma 1. Then for any $\lambda \in (0,1)$,

$$\gamma \left({\widehat{X}}_i\right)\le \lambda \gamma \left(X_i\right)+(1-\lambda ){\mathrm{\Delta }}_i<\gamma \left(X_i\right).$$

Thus confidence strictly decreases for such anchors; conversely, if $N_i$ is homogeneous with large margin, confidence is non-decreasing for $\lambda$ near 1.

Proof. 

Immediate from Lemma 1 and the strict inequality ${\mathrm{\Delta }}_i<\gamma \left(X_i\right)$. □

5.9. Considerations and Summary

Let $m=\left|U\right|$ and d the feature dimension. Computing pairwise $d_c$ naively is $O\left(m^{2}d\right)$; approximate k-NN reduces this to near-linear time in m. Mixing and forward passes scale as $O(mn·C_f)$ where $n=|N_i|$ and $C_f$ is model inference cost. Hence, with approximate neighbors and mini-batched evaluation, DM2 scales to large pools.

Mixing within $d_c$-based neighborhoods yields mixed inputs whose logits approximate convex combinations of neighbor logits. Heterogeneous neighborhoods reduce the logit margin and thus confidence, preferentially surfacing boundary samples for labeling. The acquisition is robust to moderate neighbor noise and approximates selection by localized Fisher information. The combined distance $d_c$ is a proper metric that balances Euclidean and Manhattan sensitivities, stabilizing neighbor selection.

6. Experimental Results

We evaluate our method against state-of-the-art and baseline active learning approaches, including random selection, least confidence selection, and entropy sampling. Our approach is validated on both balanced and unbalanced image classification tasks using MobileNet [22] architectures. We conduct experiments on MNIST [35], CIFAR-10 [21], SVHN [36], and CIFAR-10 mixed with CIFAR-100 noise. Experiments employ 7 to 10 active learning cycles with labeling budgets ranging from 20 to over 2500 samples per cycle. Data selections follow standard active learning practices without replacement, and all results are averaged over 3 runs. All experiments are implemented using PyTorch [37].

For MNIST, we employ a CNN classification model with the Adam optimizer [38] at learning rate ${10}^{-3}$ and batch size 96, training for 50 epochs per cycle. For CIFAR-10, CIFAR-10s, and SVHN, we use MobileNet [22] with SGD optimizer [39], initial learning rate 0.1, batch size 128, momentum 0.9, and weight decay $5\times {10}^{-4}$. Training proceeds for 200 epochs with learning rate decay to 0.01 at epoch 160.

We compare against established baselines including Random Selection[3], Entropy[23], Least Confidence[5], Margin[6], BALD[4], CoreSet[12], EntropyBayesian[7], UncertainGCN[40], BADGE[19], ProbCover[29], Alpha-Mix[1], and NoiseStability[20], using identical parameters for fair comparison.

6.1. Efficiency for Distance-Measure Data Mixing

Table 1 demonstrates that our method outperforms all other active learning approaches across most datasets. The BfFus method achieves superior performance compared to all baseline active learning methods on all datasets except MNIST. For the MNIST dataset, the simplicity and limited data volume result in the boundary-based selection model failing to learn useful information more rapidly than simpler selection strategies.

The excellent performance on the SVHN dataset demonstrates that the BfFus method exhibits strong stability when handling unbalanced datasets. This robustness likely stems from the method’s concise design, which avoids data imbalance issues that can negatively impact auxiliary model training and subsequently degrade task model performance. In experiments with CIFAR-10s containing noisy data, the BfFus method successfully identifies samples conducive to model learning and demonstrates superior noise stability compared to competing approaches.

To further validate our method’s robustness, we conducted additional experiments using CIFAR-10 and SVHN datasets with ResNet18 [41] and VGG16 [42] architectures. Standard data augmentation techniques were applied during training, including random horizontal flipping and cropping. As shown in Table 2, our method consistently outperforms all other active learning approaches across these more complex architectures.

6.2. Robustness for Adversarial Training

The comparative experimental results for different active learning strategies are presented in Table 3. The results demonstrate that our method incorporating adversarial training achieves higher model accuracy compared to other active learning approaches. This indicates that the boundary data feature fusion algorithm with adversarial training proposed in this work effectively improves model performance.

The experiments also reveal that conventional active learning methods often struggle to enhance performance on test sets in complex environments. Traditional active learning approaches can only learn from complete datasets and exhibit reduced effectiveness when recognizing data in challenging conditions. By integrating adversarial training with the method from Chapter Section 4, our approach generates adversarial samples based on selected data, enhancing the model’s ability to learn from difficult-to-classify samples. This enables more effective integration and learning from data in complex environments, thereby improving overall performance.

The experimental results in Table 3 show that the LlBfFus method proposed in this work significantly outperforms competing methods across different models and datasets, confirming the effectiveness of our approach. The method increases learning challenges by generating adversarial samples through adversarial training on selected samples. When facing real-world scenarios with complex environments, this approach demonstrates stronger capability in identifying samples under noise interference, efficiently reducing the data requirements for building machine learning models while achieving superior performance results.

6.3. Convergence Analysis

To gain deeper insight into the performance trends of our method across different data selection cycles, we plotted convergence graphs based on the results from Table 1 and Table 2. Figure 4 presents trend plots for six different datasets and model combinations. To ensure fair comparison, all experimental values are averaged over three runs using consistent learning rates and parameters across all methods.

Figure 4 is organized into two groups: the upper panels show results for DM2, while the lower panels display results for DM2-AT. The method demonstrates gradual improvement in subsequent epochs, particularly evident in CIFAR-10 experiments using MobileNet and VGG16 architectures, where our approach surpasses competing methods. For CIFAR-10s, the model quickly learns to select more relevant data, with our method ultimately outperforming all alternatives. On SVHN, our method demonstrates clear superiority by the 6th round, consistently outperforming other approaches throughout the remaining cycles.

Our method exhibits significant advantages across multiple datasets and model architectures, demonstrating broad applicability. In contrast, competing methods show less adaptability and inconsistent performance across different datasets. Panel (e) reveals that the CIFAR-10-C dataset presents certain challenges, with the trend chart showing some fluctuations in data selection performance. In panel (f), experiments using the CIFAR-10-C dataset with ResNet34 show smoother progression and higher performance compared to the earlier MobileNet results.

The ResNet18 model trained on SVHN-C in panel (h) exhibits favorable convergence trends. Except for the 3000th iteration where LlBfFus did not surpass several competing methods, it achieved excellent results across all other iterations. In panel (g), SVHN-C initially presents challenges during early training phases. However, after processing 5,000 data points, the model rapidly identifies samples with stronger feature information, leading to sharp performance improvements in later stages and ultimately achieving superior results. These findings demonstrate the effectiveness of our active learning approach that fuses features from adversarial training boundary data.

6.4. Time Efficiency

The computational efficiency of active learning methods depends on the cost of sample distance calculations and subset selection procedures, as presented in Table 4. We evaluated the time efficiency of several effective methods using identical hyperparameters from our experiments. Our methods demonstrate computational efficiency comparable to state-of-the-art algorithms and exhibit favorable scalability as the annotation budget or number of categories increases.

6.5. Ablation Experiment

The active learning method based on boundary data feature fusion with adversarial training proposed in this work incorporates two key components: boundary data feature fusion and adversarial training. Since removing adversarial training yields a method similar to that in Chapter 3, we conduct ablation experiments focusing on sample distances, fusion ratios, and perturbation values, where the perturbation value determines adversarial sample effectiveness.

To further assess method validity, we replace components in the ablation study: using Euclidean distance instead of the combined Euclidean and Manhattan distance approach, employing equal-weight fusion instead of adaptive fusion ratios, and using a fixed perturbation value of 0.05 instead of computed adaptive values. For fair comparison, identical models are used across all ablation variants. Table 5 presents the ablation results, demonstrating that adversarial training constitutes an integral component of the overall method, significantly enhancing fault tolerance and robustness.

According to the experimental results in Table 5, replacing the combined Euclidean and Manhattan distances with single Euclidean distance in the adversarial training boundary data feature fusion algorithm demonstrates that this simplified approach struggles to accurately capture data distributions across different datasets. This frequently leads to model confusion and prevents optimal performance achievement. Ablation experiments using equal-weight fusion as the control variable show that uniform fusion causes merged features to lose distinctiveness, resulting in deteriorated model recognition performance.

The ablation study confirms that the adversarial training-based boundary data feature fusion algorithm enhances sample efficiency in active learning while improving the model’s generalization capability across diverse datasets and challenging conditions.

7. Conclusion

Active learning represents a prominent research direction for deep neural networks, enabling efficient model training with reduced sample requirements. We propose a simple yet stable method that exploits inter-sample relationships and data distribution characteristics. Through uncertainty prediction based on similarity measures and weighted mixing strategies, our approach demonstrates superior performance in both theoretical analysis and experimental evaluation across multiple tasks. The integration of adversarial training with boundary data feature fusion further enhances model robustness and generalization capability in complex environments.

Future work will focus on addressing more challenging scenarios where the computational efficiency and cost reduction benefits of active learning become increasingly significant. We aim to extend our approach to handle larger-scale datasets and more complex domain adaptation problems, where traditional supervised learning approaches face substantial annotation costs and computational constraints.