Do Wider Neural Networks Really Help Adversarial Robustness?
- URL: http://arxiv.org/abs/2010.01279v3
- Date: Sat, 14 Aug 2021 06:30:32 GMT
- Title: Do Wider Neural Networks Really Help Adversarial Robustness?
- Authors: Boxi Wu and Jinghui Chen and Deng Cai and Xiaofei He and Quanquan Gu
- Abstract summary: We show that the model robustness is closely related to the tradeoff between natural accuracy and perturbation stability.
We propose a new Width Adjusted Regularization (WAR) method that adaptively enlarges $\lambda$ on wide models.
- Score: 92.8311752980399
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Adversarial training is a powerful type of defense against adversarial
examples. Previous empirical results suggest that adversarial training requires
wider networks for better performance. However, it remains elusive how neural
network width affects model robustness. In this paper, we carefully examine the
relationship between network width and model robustness. Specifically, we show
that the model robustness is closely related to the tradeoff between natural
accuracy and perturbation stability, which is controlled by the robust
regularization parameter $\lambda$. With the same $\lambda$, wider networks can
achieve better natural accuracy but worse perturbation stability, leading to a
potentially worse overall model robustness. To understand the origin of this
phenomenon, we further relate the perturbation stability with the network's
local Lipschitzness. By leveraging recent results on neural tangent kernels, we
theoretically show that wider networks tend to have worse perturbation
stability. Our analyses suggest that: 1) the common strategy of first
fine-tuning $\lambda$ on small networks and then directly using it for wide model
training could lead to deteriorated model robustness; 2) one needs to properly
enlarge $\lambda$ to fully unleash the robustness potential of wider models.
Finally, we propose a new Width Adjusted Regularization (WAR) method that
adaptively enlarges $\lambda$ on wide models and significantly saves the tuning
time.
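To make the role of $\lambda$ concrete, here is a minimal sketch of a TRADES-style robust objective, natural loss plus a $\lambda$-weighted stability term, with a width-dependent enlargement of $\lambda$ in the spirit of WAR. The linear scaling rule `width_adjusted_lambda` is an illustrative assumption, not the paper's exact schedule, and `x_adv` is assumed to be produced by an attack such as PGD (not shown).

```python
import torch
import torch.nn.functional as F

def robust_loss(model, x, y, x_adv, lam):
    """TRADES-style objective: natural cross-entropy plus a
    lambda-weighted perturbation-stability term."""
    logits_nat = model(x)
    logits_adv = model(x_adv)
    natural = F.cross_entropy(logits_nat, y)
    # Stability: KL divergence between predictions on clean and
    # adversarial inputs (kl_div expects log-probabilities first).
    stability = F.kl_div(F.log_softmax(logits_adv, dim=1),
                         F.softmax(logits_nat, dim=1),
                         reduction="batchmean")
    return natural + lam * stability

def width_adjusted_lambda(base_lambda, width_factor):
    """Illustrative WAR-style rule: enlarge lambda as the network
    widens (e.g. the widen factor of a WideResNet). Linear scaling
    is an assumption of this sketch; the paper adapts lambda, but
    its exact schedule is not reproduced in this summary."""
    return base_lambda * width_factor
```

Under this reading, a $\lambda$ tuned on a narrow model would be enlarged before training a wider one, rather than reused as-is.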
Related papers
- Revisiting the Trade-off between Accuracy and Robustness via Weight Distribution of Filters [17.316537476091867]
Adversarial attacks have proven to be potential threats to Deep Neural Networks (DNNs).
We propose a sample-wise dynamic network architecture named Adversarial Weight-Varied Network (AW-Net).
AW-Net adaptively adjusts the network's weights based on regulation signals generated by an adversarial router; a rough sketch of one reading of this idea follows this entry.
arXiv Detail & Related papers (2023-06-06T06:09:11Z)
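As one possible reading of the weight-varied idea above (not AW-Net's actual design): a small "router" maps each sample to per-channel scales that modulate a layer's weights. All names and shapes here are hypothetical.

```python
import torch
import torch.nn as nn

class WeightVariedLinear(nn.Module):
    """Hypothetical sample-wise weight modulation: a router produces
    per-output-channel regulation signals; scaling an output channel
    is equivalent to scaling that row of the weight matrix (and its
    bias) for that sample."""
    def __init__(self, d_in=32, d_out=10):
        super().__init__()
        self.weight = nn.Parameter(0.1 * torch.randn(d_out, d_in))
        self.bias = nn.Parameter(torch.zeros(d_out))
        self.router = nn.Sequential(nn.Linear(d_in, d_out), nn.Sigmoid())

    def forward(self, x):
        scales = self.router(x)                 # (batch, d_out) signals
        base = x @ self.weight.t() + self.bias  # ordinary linear output
        return scales * base                    # sample-wise modulation

print(WeightVariedLinear()(torch.randn(4, 32)).shape)  # torch.Size([4, 10])
```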
- Chaos Theory and Adversarial Robustness [0.0]
This paper uses ideas from Chaos Theory to explain, analyze, and quantify the degree to which neural networks are susceptible to or robust against adversarial attacks.
We present a new metric, the "susceptibility ratio," given by $\hat{\Psi}(h, \theta)$, which captures how greatly a model's output will be changed by perturbations to a given input; an illustrative estimate follows this entry.
arXiv Detail & Related papers (2022-10-20T03:39:44Z)
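The exact definition of $\hat{\Psi}(h, \theta)$ is not reproduced in the summary above; the sketch below merely estimates output sensitivity to small random input perturbations in the same spirit, and is not the paper's metric.

```python
import torch

def susceptibility_estimate(model, x, eps=1e-3, n_samples=16):
    """Illustrative only, not the paper's susceptibility ratio:
    ratio of output change to input perturbation size, maximized
    over a few random perturbation directions."""
    model.eval()
    with torch.no_grad():
        base = model(x)
        ratios = []
        for _ in range(n_samples):
            delta = eps * torch.randn_like(x)
            ratios.append((model(x + delta) - base).norm() / delta.norm())
    return torch.stack(ratios).max()
```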
- Explicit Tradeoffs between Adversarial and Natural Distributional Robustness [48.44639585732391]
In practice, models need to enjoy both types of robustness to ensure reliability.
In this work, we show that in fact, explicit tradeoffs exist between adversarial and natural distributional robustness.
arXiv Detail & Related papers (2022-09-15T19:58:01Z)
- Robustness Certificates for Implicit Neural Networks: A Mixed Monotone Contractive Approach [60.67748036747221]
Implicit neural networks offer competitive performance and reduced memory consumption.
However, they can remain brittle with respect to adversarial input perturbations.
This paper proposes a theoretical and computational framework for robustness verification of implicit neural networks.
arXiv Detail & Related papers (2021-12-10T03:08:55Z)
- Pruning in the Face of Adversaries [0.0]
We evaluate the impact of neural network pruning on the adversarial robustness against $\ell_0$, $\ell_2$ and $\ell_\infty$ attacks.
Our results confirm that neural network pruning and adversarial robustness are not mutually exclusive.
We extend our analysis to situations that incorporate additional assumptions on the adversarial scenario and show that depending on the situation, different strategies are optimal.
arXiv Detail & Related papers (2021-08-19T09:06:16Z)
- Non-Singular Adversarial Robustness of Neural Networks [58.731070632586594]
Adversarial robustness has become an emerging challenge for neural networks owing to their over-sensitivity to small input perturbations.
We formalize the notion of non-singular adversarial robustness for neural networks through the lens of joint perturbations to data inputs as well as model weights; a toy illustration follows this entry.
arXiv Detail & Related papers (2021-02-23T20:59:30Z)
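As a toy illustration of "joint perturbations to data inputs as well as model weights": evaluate the loss after one FGSM-like signed-gradient step on both the input and the weights. The sign-step and the budgets `eps_x`, `eps_w` are illustrative choices of this sketch, not the paper's formalization.

```python
import torch
import torch.nn.functional as F

def joint_perturbation_loss(model, x, y, eps_x=0.01, eps_w=0.001):
    """Loss under simultaneous small perturbations of the input x
    (a leaf tensor) and the model weights, each taken one signed
    gradient step. Illustrative sketch only."""
    loss = F.cross_entropy(model(x.requires_grad_(True)), y)
    grads_w = torch.autograd.grad(loss, list(model.parameters()),
                                  retain_graph=True)
    grad_x, = torch.autograd.grad(loss, x)
    with torch.no_grad():
        x_pert = x + eps_x * grad_x.sign()
        for p, g in zip(model.parameters(), grads_w):
            p.add_(eps_w * g.sign())      # perturb weights in place
        perturbed = F.cross_entropy(model(x_pert), y)
        for p, g in zip(model.parameters(), grads_w):
            p.sub_(eps_w * g.sign())      # restore the original weights
    return perturbed
```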
- Bridging the Gap Between Adversarial Robustness and Optimization Bias [28.56135898767349]
Adversarial robustness is an open challenge in deep learning, most often tackled using adversarial training.
We show that it is possible to achieve both perfect standard accuracy and a certain degree of robustness without a trade-off.
In particular, we characterize the robustness of linear convolutional models, showing that they resist attacks subject to a constraint on the Fourier-$\ell_\infty$ norm; a small numerical example of this norm follows this entry.
arXiv Detail & Related papers (2021-02-17T16:58:04Z)
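Taking the name at face value, the Fourier-$\ell_\infty$ norm of a perturbation is the largest magnitude among its 2-D DFT coefficients; the paper's precise normalization may differ. A small numpy example:

```python
import numpy as np

def fourier_linf_norm(delta):
    """Largest magnitude among the 2-D DFT coefficients of a
    perturbation; this is what a Fourier-l_inf attack budget
    would constrain (up to normalization conventions)."""
    return np.abs(np.fft.fft2(delta)).max()

# Example: a small random perturbation on a 32x32 image.
rng = np.random.default_rng(0)
print(fourier_linf_norm(0.01 * rng.standard_normal((32, 32))))
```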
- Monotone operator equilibrium networks [97.86610752856987]
We develop a new class of implicit-depth models based on the theory of monotone operators, the Monotone Operator Equilibrium Network (monDEQ).
We show the close connection between finding the equilibrium point of an implicit network and solving a form of monotone operator splitting problem.
We then develop a parameterization of the network which ensures that all operators remain monotone, guaranteeing the existence of a unique equilibrium point; a naive fixed-point sketch follows this entry.
arXiv Detail & Related papers (2020-06-15T17:57:31Z)
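An equilibrium layer computes a fixed point $z^\ast = \sigma(W z^\ast + U x + b)$. The naive iteration below illustrates only the equilibrium computation; monDEQ itself uses operator-splitting solvers and a monotone parameterization of $W$, which this sketch omits. Shapes are made up.

```python
import numpy as np

def equilibrium_forward(W, U, b, x, tol=1e-6, max_iter=500):
    """Naive fixed-point iteration for z = relu(W z + U x + b).
    Plain iteration converges only when the map is contractive;
    monDEQ instead guarantees a unique equilibrium via a monotone
    parameterization and operator splitting."""
    z = np.zeros(W.shape[0])
    for _ in range(max_iter):
        z_next = np.maximum(0.0, W @ z + U @ x + b)
        if np.linalg.norm(z_next - z) < tol:
            return z_next
        z = z_next
    return z

# Toy example with W rescaled to spectral norm 0.9 (a contraction,
# since relu is 1-Lipschitz).
rng = np.random.default_rng(0)
W = rng.standard_normal((8, 8))
W *= 0.9 / np.linalg.norm(W, 2)
U, b, x = rng.standard_normal((8, 4)), rng.standard_normal(8), rng.standard_normal(4)
print(equilibrium_forward(W, U, b, x))
```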
- Triple Wins: Boosting Accuracy, Robustness and Efficiency Together by Enabling Input-Adaptive Inference [119.19779637025444]
Deep networks have recently been suggested to face a trade-off between accuracy (on clean natural images) and robustness (on adversarially perturbed images).
This paper studies multi-exit networks associated with input-adaptive inference, showing their strong promise in achieving a "sweet point" in co-optimizing model accuracy, robustness and efficiency; a minimal early-exit sketch follows this entry.
arXiv Detail & Related papers (2020-02-24T00:40:22Z)
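A minimal sketch of input-adaptive, multi-exit inference: run the stages in order and stop at the first exit whose confidence clears a threshold, saving the remaining computation on easy inputs. The stage structure and the threshold are illustrative assumptions, not the paper's architecture.

```python
import torch
import torch.nn as nn

class MultiExitNet(nn.Module):
    """Toy multi-exit network: each stage has its own classifier
    head, and inference can stop early at a confident exit."""
    def __init__(self, dim=32, num_classes=10, num_stages=3):
        super().__init__()
        self.stages = nn.ModuleList(
            nn.Sequential(nn.Linear(dim, dim), nn.ReLU())
            for _ in range(num_stages))
        self.exits = nn.ModuleList(
            nn.Linear(dim, num_classes) for _ in range(num_stages))

    def forward(self, x, threshold=0.9):
        # Assumes batch size 1, so .max() yields one confidence value.
        for stage, exit_head in zip(self.stages, self.exits):
            x = stage(x)
            logits = exit_head(x)
            if logits.softmax(dim=-1).max() >= threshold:
                return logits            # confident enough: exit early
        return logits                    # fall through to the last exit

print(MultiExitNet()(torch.randn(1, 32)).shape)  # torch.Size([1, 10])
```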
This list is automatically generated from the titles and abstracts of the papers on this site.
This site does not guarantee the quality of its content (including all information) and is not responsible for any consequences arising from its use.