Robustness, Privacy, and Generalization of Adversarial Training
- URL: http://arxiv.org/abs/2012.13573v1
- Date: Fri, 25 Dec 2020 13:35:02 GMT
- Title: Robustness, Privacy, and Generalization of Adversarial Training
- Authors: Fengxiang He, Shaopeng Fu, Bohan Wang, Dacheng Tao
- Abstract summary: This paper establishes and quantifies the privacy-robustness trade-off and generalization-robustness trade-off in adversarial training.
We show that adversarial training is $(\varepsilon, \delta)$-differentially private, where the magnitude of the differential privacy has a positive correlation with the robustified intensity.
Our generalization bounds do not explicitly rely on the parameter size which would be large in deep learning.
- Score: 84.38148845727446
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Adversarial training can considerably robustify deep neural networks to
resist adversarial attacks. However, some works suggested that adversarial
training might compromise the privacy-preserving and generalization abilities.
This paper establishes and quantifies the privacy-robustness trade-off and
generalization-robustness trade-off in adversarial training from both
theoretical and empirical aspects. We first define a notion, {\it robustified
intensity} to measure the robustness of an adversarial training algorithm. This
measure can be approximated empirically by an asymptotically consistent
empirical estimator, {\it empirical robustified intensity}. Based on the
robustified intensity, we prove that (1) adversarial training is $(\varepsilon,
\delta)$-differentially private, where the magnitude of the differential
privacy has a positive correlation with the robustified intensity; and (2) the
generalization error of adversarial training can be upper bounded by an
$\mathcal O(\sqrt{\log N}/N)$ on-average bound and an $\mathcal O(1/\sqrt{N})$
high-probability bound, both of which have positive correlations with the
robustified intensity. Additionally, our generalization bounds do not
explicitly rely on the parameter size which would be prohibitively large in
deep learning. Systematic experiments on standard datasets, CIFAR-10 and
CIFAR-100, are in full agreement with our theories. The source code package is
available at \url{https://github.com/fshp971/RPG}.
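As a concrete reference point, the following is a minimal sketch of PGD-based adversarial training, the general setting the paper analyzes. All names below (`model`, `loader`, `optimizer`, `eps`, `alpha`, `steps`) are illustrative placeholders and are not taken from the paper or the released RPG code.

```python
# Minimal sketch of PGD-based adversarial training (illustrative placeholders
# only; not taken from the paper or the released RPG code).
import torch
import torch.nn.functional as F

def pgd_attack(model, x, y, eps=8/255, alpha=2/255, steps=10):
    """Craft L-infinity adversarial examples with projected gradient descent."""
    x_adv = (x + torch.empty_like(x).uniform_(-eps, eps)).clamp(0, 1)
    for _ in range(steps):
        x_adv.requires_grad_(True)
        loss = F.cross_entropy(model(x_adv), y)
        grad = torch.autograd.grad(loss, x_adv)[0]
        with torch.no_grad():
            x_adv = x_adv + alpha * grad.sign()        # gradient ascent step
            x_adv = x + (x_adv - x).clamp(-eps, eps)   # project back into the eps-ball
            x_adv = x_adv.clamp(0, 1)                  # keep valid pixel range
    return x_adv.detach()

def adversarial_training_epoch(model, loader, optimizer, device="cuda"):
    """One epoch of adversarial training: minimize the loss on PGD examples."""
    model.train()
    for x, y in loader:
        x, y = x.to(device), y.to(device)
        x_adv = pgd_attack(model, x, y)
        optimizer.zero_grad()
        F.cross_entropy(model(x_adv), y).backward()
        optimizer.step()
```

Intuitively, stronger attack settings (a larger `eps` or more PGD steps) would raise the robustified intensity, and by the paper's results a higher robustified intensity comes with larger differential-privacy parameters and looser generalization bounds.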
Related papers
- Doubly Robust Instance-Reweighted Adversarial Training [107.40683655362285]
We propose a novel doubly-robust instance reweighted adversarial framework.
Our importance weights are obtained by optimizing a KL-divergence regularized loss function (a generic sketch of this kind of reweighting appears after the related-papers list below).
Our proposed approach outperforms related state-of-the-art baseline methods in terms of average robust performance.
arXiv Detail & Related papers (2023-08-01T06:16:18Z) - Certified Robust Neural Networks: Generalization and Corruption
Resistance [0.0]
Adversarial training aims to reduce the problematic susceptibility of modern neural networks to small data perturbations.
Overfitting is a major concern in adversarial training despite being mostly absent in standard training.
We show that our resulting holistic robust (HR) training procedure yields SOTA performance.
arXiv Detail & Related papers (2023-03-03T22:43:57Z) - Generalization Bounds for Adversarial Contrastive Learning [10.893632710192016]
We use Rademacher complexity to analyze the generalization performance of ACL.
Our theory shows that the average adversarial risk of the downstream tasks can be upper bounded by the adversarial unsupervised risk of the upstream task.
arXiv Detail & Related papers (2023-02-21T12:44:59Z) - Explicit Tradeoffs between Adversarial and Natural Distributional
Robustness [48.44639585732391]
In practice, models need to enjoy both types of robustness to ensure reliability.
In this work, we show that in fact, explicit tradeoffs exist between adversarial and natural distributional robustness.
arXiv Detail & Related papers (2022-09-15T19:58:01Z) - Distributed Adversarial Training to Robustify Deep Neural Networks at
Scale [100.19539096465101]
Current deep neural networks (DNNs) are vulnerable to adversarial attacks, where adversarial perturbations to the inputs can change or manipulate classification.
To defend against such attacks, an effective approach, known as adversarial training (AT), has been shown to improve model robustness.
We propose a large-batch adversarial training framework implemented over multiple machines.
arXiv Detail & Related papers (2022-06-13T15:39:43Z) - Enhancing Adversarial Training with Second-Order Statistics of Weights [23.90998469971413]
We show that treating model weights as random variables allows for enhancing adversarial training through Second-Order Statistics Optimization (S$^2$O).
We conduct an extensive set of experiments, which show that S$^2$O not only improves the robustness and generalization of the trained neural networks when used in isolation, but also integrates easily into state-of-the-art adversarial training techniques.
arXiv Detail & Related papers (2022-03-11T15:40:57Z) - Adversarial Robustness with Semi-Infinite Constrained Learning [177.42714838799924]
The sensitivity of deep learning to input perturbations has raised serious questions about its use in safety-critical domains.
We propose a hybrid Langevin Monte Carlo training approach to mitigate this issue.
We show that our approach can mitigate the trade-off between state-of-the-art performance and robustness.
arXiv Detail & Related papers (2021-10-29T13:30:42Z) - Attacks Which Do Not Kill Training Make Adversarial Learning Stronger [85.96849265039619]
Adversarial training based on the minimax formulation is necessary for obtaining adversarial robustness of trained models.
We argue that adversarial training should employ confident adversarial data for updating the current model.
arXiv Detail & Related papers (2020-02-26T01:04:38Z)
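The instance-reweighting idea referenced in the first related paper above can be illustrated with a generic sketch: when per-example weights are chosen to maximize a reweighted loss under a KL-divergence penalty toward the uniform distribution, the optimal weights are a softmax of the per-example losses. This is a standard construction shown only for illustration; it is not claimed to be the cited paper's exact objective, and `tau` is a placeholder temperature.

```python
# Generic sketch of KL-regularized instance reweighting (illustrative only,
# not the cited paper's exact objective): weights that maximize the
# reweighted loss under a KL penalty toward the uniform distribution are a
# softmax of the per-example losses; `tau` controls how strongly hard
# examples are up-weighted.
import torch

def kl_regularized_weights(per_example_losses: torch.Tensor, tau: float = 1.0) -> torch.Tensor:
    """Return weights w_i proportional to exp(loss_i / tau), summing to one."""
    return torch.softmax(per_example_losses / tau, dim=0)

def reweighted_loss(per_example_losses: torch.Tensor, tau: float = 1.0) -> torch.Tensor:
    """Weighted training loss; weights are detached so they act as constants."""
    w = kl_regularized_weights(per_example_losses.detach(), tau)
    return (w * per_example_losses).sum()
```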
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of the listed information and is not responsible for any consequences of its use.