Large Norms of CNN Layers Do Not Hurt Adversarial Robustness
- URL: http://arxiv.org/abs/2009.08435v6
- Date: Sun, 15 Aug 2021 10:31:17 GMT
- Title: Large Norms of CNN Layers Do Not Hurt Adversarial Robustness
- Authors: Youwei Liang, Dong Huang
- Abstract summary: Lipschitz properties of convolutional neural networks (CNNs) are widely considered to be related to adversarial robustness.
We propose a novel regularization method termed norm decay, which can effectively reduce the norms of convolutional layers and fully-connected layers.
Experiments show that norm-regularization methods, including norm decay, weight decay, and singular value clipping, can improve generalization of CNNs.
- Score: 11.930096161524407
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Since the Lipschitz properties of convolutional neural networks (CNNs) are
widely considered to be related to adversarial robustness, we theoretically
characterize the $\ell_1$ norm and $\ell_\infty$ norm of 2D multi-channel
convolutional layers and provide efficient methods to compute the exact
$\ell_1$ norm and $\ell_\infty$ norm. Based on our theorem, we propose a novel
regularization method termed norm decay, which can effectively reduce the norms
of convolutional layers and fully-connected layers. Experiments show that
norm-regularization methods, including norm decay, weight decay, and singular
value clipping, can improve generalization of CNNs. However, they can slightly
hurt adversarial robustness. Observing this unexpected phenomenon, we compute
the norms of layers in the CNNs trained with three different adversarial
training frameworks and surprisingly find that adversarially robust CNNs have
comparable or even larger layer norms than their non-adversarially robust
counterparts. Furthermore, we prove that under a mild assumption, adversarially
robust classifiers can be achieved using neural networks, and an adversarially
robust neural network can have an arbitrarily large Lipschitz constant. For
this reason, enforcing small norms on CNN layers may be neither necessary nor
effective in achieving adversarial robustness. The code is available at
https://github.com/youweiliang/norm_robustness.
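To make the flavor of the theorem concrete, the following is a minimal PyTorch sketch, under the assumption of a stride-1 convolution whose padding lets some output position see the full kernel support; the helper names (`conv_linf_norm`, `norm_decay_penalty`) and the weighting `lam` are illustrative, not the repository's API.

```python
import torch

def conv_linf_norm(weight: torch.Tensor) -> torch.Tensor:
    # weight: (out_channels, in_channels, kH, kW). The l_inf operator norm
    # of a linear map is its maximum absolute row sum; each row induced by
    # the convolution collects the kernel entries of one output channel,
    # so the norm is the largest l_1 norm over output channels.
    return weight.abs().sum(dim=(1, 2, 3)).max()

def conv_l1_norm(weight: torch.Tensor) -> torch.Tensor:
    # The l_1 operator norm is the maximum absolute column sum; an interior
    # input position in channel j is multiplied by every entry of
    # weight[:, j] exactly once under stride 1.
    return weight.abs().sum(dim=(0, 2, 3)).max()

def norm_decay_penalty(model: torch.nn.Module, lam: float = 1e-4):
    # Hypothetical norm-decay penalty: add lam * (sum of layer norms) to
    # the training loss so the optimizer shrinks layer norms directly.
    penalty = 0.0
    for m in model.modules():
        if isinstance(m, torch.nn.Conv2d):
            penalty = penalty + conv_linf_norm(m.weight)
        elif isinstance(m, torch.nn.Linear):
            penalty = penalty + m.weight.abs().sum(dim=1).max()
    return lam * penalty
```

The penalty would simply be added to the training loss, which is what makes norm decay a drop-in regularizer in the same spirit as weight decay.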
Related papers
- Decoupled Weight Decay for Any $p$ Norm [1.1510009152620668]
We consider a simple yet effective approach to sparsification, based on the Bridge, or $L_p$, regularization during training.
We introduce a novel weight decay scheme, which generalizes the standard $L_2$ weight decay to any $p$ norm.
We empirically demonstrate that it leads to highly sparse networks, while maintaining performance comparable to standard $L_2$ regularization.
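A minimal sketch of what such a decoupled $L_p$ decay step might look like, assuming the penalty $(\lambda / p)\,\|w\|_p^p$; the function name and call pattern are hypothetical, not the paper's code.

```python
import torch

@torch.no_grad()
def decoupled_lp_decay(params, lr: float, lam: float, p: float) -> None:
    # Decay step applied after (decoupled from) the gradient update, in
    # the spirit of AdamW. For the penalty (lam / p) * ||w||_p^p the
    # gradient is lam * sign(w) * |w|^(p - 1); p = 2 recovers standard
    # decoupled L2 weight decay, while smaller p pushes small weights
    # toward zero more aggressively (sparsification).
    # Note: for p < 1 this expression is undefined at w == 0, so a real
    # scheme would need a safeguard there.
    for w in params:
        w.add_(-lr * lam * w.sign() * w.abs().pow(p - 1.0))
```

It would be called right after `optimizer.step()`, mirroring how AdamW decouples the $L_2$ decay from the gradient update.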
arXiv Detail & Related papers (2024-04-16T18:02:15Z)
- Improved techniques for deterministic l2 robustness
Training convolutional neural networks (CNNs) with a strict 1-Lipschitz constraint under the $l_2$ norm is useful for adversarial robustness, interpretable gradients and stable training.
We introduce a procedure to certify robustness of 1-Lipschitz CNNs by replacing the last linear layer with a 1-hidden-layer MLP.
We significantly advance the state-of-the-art for standard and provable robust accuracies on CIFAR-10 and CIFAR-100.
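The summary does not spell out the certification step; the standard margin argument for Lipschitz logit maps (not necessarily the paper's exact construction) looks like this:

```python
import torch

def certified_l2_radius(logits: torch.Tensor, lip: float = 1.0) -> torch.Tensor:
    # logits: (batch, classes) from a network whose logit map is
    # `lip`-Lipschitz under l2. Perturbing the input by delta changes any
    # logit difference by at most sqrt(2) * lip * ||delta||_2, so the
    # prediction cannot flip within radius margin / (sqrt(2) * lip).
    top2 = logits.topk(2, dim=1).values
    margin = top2[:, 0] - top2[:, 1]
    return margin / (2.0 ** 0.5 * lip)
```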
arXiv Detail & Related papers (2022-11-15T19:10:12Z)
- Robust Training and Verification of Implicit Neural Networks: A Non-Euclidean Contractive Approach [64.23331120621118]
This paper proposes a theoretical and computational framework for training and robustness verification of implicit neural networks.
We introduce a related embedded network and show that the embedded network can be used to provide an $\ell_\infty$-norm box over-approximation of the reachable sets of the original network.
We apply our algorithms to train implicit neural networks on the MNIST dataset and compare the robustness of our models with the models trained via existing approaches in the literature.
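For an explicit affine-plus-ReLU layer, the box over-approximation reduces to classical interval arithmetic; the sketch below illustrates that simpler case only, since the paper's embedded network extends the idea to implicit (fixed-point) layers:

```python
import torch

def affine_relu_box(lo, hi, W, b):
    # Propagate the l_inf box [lo, hi] through x -> relu(W @ x + b) with
    # interval arithmetic: the positive part of W is extremized by the
    # matching bound, the negative part by the opposite one.
    W_pos, W_neg = W.clamp(min=0.0), W.clamp(max=0.0)
    out_lo = W_pos @ lo + W_neg @ hi + b
    out_hi = W_pos @ hi + W_neg @ lo + b
    return out_lo.relu(), out_hi.relu()
```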
arXiv Detail & Related papers (2022-08-08T03:13:24Z)
- Robustness Certificates for Implicit Neural Networks: A Mixed Monotone Contractive Approach [60.67748036747221]
Implicit neural networks offer competitive performance and reduced memory consumption, but they can remain brittle with respect to adversarial input perturbations.
This paper proposes a theoretical and computational framework for robustness verification of implicit neural networks.
arXiv Detail & Related papers (2021-12-10T03:08:55Z)
- Scalable Lipschitz Residual Networks with Convex Potential Flows [120.27516256281359]
We show that using convex potentials in a residual network gradient flow provides a built-in $1$-Lipschitz transformation.
A comprehensive set of experiments on CIFAR-10 demonstrates the scalability of our architecture and the benefit of our approach for $\ell_2$ provable defenses.
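Reading the abstract, one commonly cited form of such a layer is the gradient step $x - \frac{2}{\|W\|_2^2} W^\top \mathrm{ReLU}(Wx + b)$; the sketch below assumes this parameterization, which may differ in detail from the paper's:

```python
import torch

class ConvexPotentialLayer(torch.nn.Module):
    # Sketch: z = x - (2 / ||W||_2^2) * W^T relu(W x + b). This is a
    # gradient-descent step on the convex potential
    # 0.5 * sum(relu(W x + b)^2) with step size 2 / ||W||_2^2, which
    # makes the map nonexpansive (1-Lipschitz) by construction.
    def __init__(self, dim: int, hidden: int):
        super().__init__()
        self.W = torch.nn.Parameter(torch.randn(hidden, dim) / dim ** 0.5)
        self.b = torch.nn.Parameter(torch.zeros(hidden))

    def forward(self, x):
        # A few power iterations would estimate ||W||_2 in practice;
        # matrix_norm keeps the sketch short.
        sn2 = torch.linalg.matrix_norm(self.W, ord=2) ** 2
        return x - (2.0 / sn2) * torch.relu(x @ self.W.T + self.b) @ self.W
```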
arXiv Detail & Related papers (2021-10-25T07:12:53Z)
- Improving Network Slimming with Nonconvex Regularization [8.017631543721684]
Convolutional neural networks (CNNs) have developed into powerful models for various computer vision tasks.
However, most state-of-the-art CNNs are too large to be deployed directly on resource-limited devices.
A straightforward approach to compressing CNNs, network slimming with nonconvex regularization, is proposed.
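A sketch of the idea, assuming the classic slimming recipe (penalize batch-norm scales, then prune small channels) with a nonconvex transformed-$\ell_1$ penalty swapped in for $\ell_1$; the paper's exact regularizer may differ:

```python
import torch

def slimming_penalty(model: torch.nn.Module, lam: float = 1e-4, a: float = 1.0):
    # Network slimming penalizes batch-norm scale factors so that whole
    # channels can be pruned. Here the usual l1 penalty is replaced by the
    # nonconvex transformed-l1 term (a + 1) * |g| / (a + |g|), one
    # regularizer used in this line of work.
    penalty = 0.0
    for m in model.modules():
        if isinstance(m, torch.nn.BatchNorm2d):
            g = m.weight.abs()
            penalty = penalty + ((a + 1.0) * g / (a + g)).sum()
    return lam * penalty
```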
arXiv Detail & Related papers (2020-10-03T01:04:02Z)
- On Lipschitz Regularization of Convolutional Layers using Toeplitz Matrix Theory [77.18089185140767]
Lipschitz regularity is established as a key property of modern deep learning.
However, computing the exact value of the Lipschitz constant of a neural network is known to be NP-hard.
We introduce a new upper bound for convolutional layers that is both tight and easy to compute.
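As a point of reference for what "easy to compute" can mean here, the exact spectral norm of a stride-1 circular convolution follows from the kernel's 2D FFT (Sedghi et al., 2019); this is a related classical computation, not the Toeplitz-theory bound the paper introduces:

```python
import torch

def circular_conv_spectral_norm(weight: torch.Tensor, n: int) -> torch.Tensor:
    # weight: (cout, cin, kH, kW); n: spatial size of the square input.
    # For a stride-1 circular convolution, the singular values of the
    # layer are those of the per-frequency cout x cin transfer matrices
    # given by the kernel's 2D FFT (Sedghi et al., 2019).
    transfer = torch.fft.fft2(weight, s=(n, n))  # (cout, cin, n, n), complex
    transfer = transfer.permute(2, 3, 0, 1)      # (n, n, cout, cin)
    return torch.linalg.matrix_norm(transfer, ord=2).max()
```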
arXiv Detail & Related papers (2020-06-15T13:23:34Z)
- Approximation and Non-parametric Estimation of ResNet-type Convolutional Neural Networks [52.972605601174955]
We show that a ResNet-type CNN can attain the minimax optimal error rates in important function classes.
We derive approximation and estimation error rates of the aforementioned type of CNNs for the Barron and Hölder classes.
arXiv Detail & Related papers (2019-03-24T19:42:39Z)