Certified Defenses: Why Tighter Relaxations May Hurt Training?
- URL: http://arxiv.org/abs/2102.06700v1
- Date: Fri, 12 Feb 2021 18:57:24 GMT
- Title: Certified Defenses: Why Tighter Relaxations May Hurt Training?
- Authors: Nikola Jovanović, Mislav Balunović, Maximilian Baader, Martin Vechev
- Abstract summary: Training with tighter relaxations can worsen certified robustness.
We identify two key features of relaxations that impact training dynamics: continuity and sensitivity.
For the first time, it is possible to successfully train with tighter relaxations.
- Score: 12.483260526189447
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Certified defenses based on convex relaxations are an established technique
for training provably robust models. The key component is the choice of
relaxation, varying from simple intervals to tight polyhedra. Paradoxically,
however, it was empirically observed that training with tighter relaxations can
worsen certified robustness. While several methods were designed to partially
mitigate this issue, the underlying causes are poorly understood. In this work
we investigate the above phenomenon and show that tightness may not be the
determining factor for reduced certified robustness. Concretely, we identify
two key features of relaxations that impact training dynamics: continuity and
sensitivity. We then experimentally demonstrate that these two factors explain
the drop in certified robustness when using popular relaxations. Further, we
show, for the first time, that it is possible to successfully train with
tighter relaxations (i.e., triangle), a result supported by our two properties.
Overall, we believe the insights of this work can help drive the systematic
discovery of new effective certified defenses.
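To make the contrast between the simple interval relaxation and the tighter triangle relaxation concrete, the following is a minimal, self-contained sketch (not code from the paper): it bounds the output of a tiny one-hidden-layer ReLU network over an L-infinity box, once with interval bound propagation (IBP) and once with a CROWN/DeepPoly-style linear relaxation derived from the triangle relaxation of the ReLU. All weights, the input, and the perturbation radius are arbitrary illustrative values.
```python
# Minimal sketch: interval (IBP) vs. triangle-based linear relaxation bounds
# for a tiny one-hidden-layer ReLU network over an L_inf input box.
import numpy as np

rng = np.random.default_rng(0)
W1, b1 = rng.normal(size=(4, 2)), rng.normal(size=4)   # hidden layer (illustrative)
w2, b2 = rng.normal(size=4), 0.3                        # scalar output layer
x0, eps = np.array([0.5, -0.2]), 0.3                    # input box [x0 - eps, x0 + eps]
xl, xu = x0 - eps, x0 + eps

def affine_bounds(W, b, lo, hi):
    """Exact box bounds of W @ x + b for x in [lo, hi]."""
    c, r = (lo + hi) / 2, (hi - lo) / 2
    yc, yr = W @ c + b, np.abs(W) @ r
    return yc - yr, yc + yr

# --- Interval relaxation (IBP): propagate a box layer by layer ---------------
l1, u1 = affine_bounds(W1, b1, xl, xu)               # pre-activation bounds
hl, hu = np.maximum(l1, 0), np.maximum(u1, 0)        # interval ReLU
ibp_lo, ibp_hi = affine_bounds(w2[None, :], np.array([b2]), hl, hu)

# --- Triangle-based relaxation: linear upper/lower bounds on each ReLU -------
# Unstable neuron (l < 0 < u): upper face  y <= u/(u-l) * (x - l);  lower bound
# y >= a*x with a in {0, 1} (usual adaptive choice: a = 1 iff u >= -l).
unstable = (l1 < 0) & (u1 > 0)
up_slope = np.where(u1 <= 0, 0.0, np.where(l1 >= 0, 1.0, u1 / (u1 - l1)))
up_icept = np.where(unstable, -u1 * l1 / (u1 - l1), 0.0)
lo_slope = np.where(u1 <= 0, 0.0, np.where(l1 >= 0, 1.0, (u1 >= -l1).astype(float)))
lo_icept = np.zeros_like(l1)

def linear_bound(slope_pos, icept_pos, slope_neg, icept_neg):
    """Back-substitute: bound w2 . relu(W1 x + b1) + b2 by one linear function
    of x (picking the upper or lower ReLU bound per sign of w2), then optimize
    that function over the input box. Returns (value at box center, radius)."""
    slope = np.where(w2 >= 0, slope_pos, slope_neg)
    icept = np.where(w2 >= 0, icept_pos, icept_neg)
    coeff = (w2 * slope) @ W1                        # linear coefficient in x
    const = w2 @ (slope * b1 + icept) + b2           # constant term
    c, r = (xl + xu) / 2, (xu - xl) / 2
    return coeff @ c + const, np.abs(coeff) @ r

c_hi, r_hi = linear_bound(up_slope, up_icept, lo_slope, lo_icept)
c_lo, r_lo = linear_bound(lo_slope, lo_icept, up_slope, up_icept)

print(f"IBP      output bounds: [{ibp_lo[0]:+.3f}, {ibp_hi[0]:+.3f}]")
print(f"Triangle output bounds: [{c_lo - r_lo:+.3f}, {c_hi + r_hi:+.3f}]")
```
On typical instances the second pair of bounds is noticeably tighter than the first, which is the tightness gap the abstract refers to; the paper's observation is that this extra tightness by itself does not translate into better training.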
Related papers
- Gaussian Loss Smoothing Enables Certified Training with Tight Convex Relaxations [14.061189994638667]
Training neural networks with high certified accuracy against adversarial examples remains an open challenge.
Certification methods can effectively leverage tight convex relaxations for bound computation, but in training these methods can perform worse than looser relaxations.
We show that Gaussian Loss Smoothing can alleviate these issues.
arXiv Detail & Related papers (2024-03-11T18:44:36Z) - Balance, Imbalance, and Rebalance: Understanding Robust Overfitting from
a Minimax Game Perspective [80.51463286812314]
Adversarial Training (AT) has become arguably the state-of-the-art algorithm for extracting robust features.
AT suffers from severe robust overfitting problems, particularly after learning rate (LR) decay.
We show how LR decay breaks the balance of the minimax game by empowering the trainer with a stronger memorization ability.
arXiv Detail & Related papers (2023-10-30T09:00:11Z) - Enhancing Adversarial Robustness for Deep Metric Learning [77.75152218980605]
The adversarial robustness of deep metric learning models needs to be improved.
To avoid model collapse due to excessively hard examples, existing defenses forgo min-max adversarial training.
We propose Hardness Manipulation, which efficiently perturbs the training triplet to a specified level of hardness for adversarial training.
arXiv Detail & Related papers (2022-03-02T22:27:44Z) - Bridged Adversarial Training [6.925055322530057]
We show that adversarially trained models might have significantly different characteristics in terms of margin and smoothness, even when they show similar robustness.
Inspired by the observation, we investigate the effect of different regularizers and discover the negative effect of the smoothness regularizer on maximizing the margin.
We propose a new method called bridged adversarial training that mitigates the negative effect by bridging the gap between clean and adversarial examples.
arXiv Detail & Related papers (2021-08-25T09:11:59Z) - A Primer on Multi-Neuron Relaxation-based Adversarial Robustness
Certification [6.71471794387473]
Adversarial examples pose a real danger when deep neural networks are deployed in the real world.
We develop a unified mathematical framework to describe relaxation-based robustness certification methods.
arXiv Detail & Related papers (2021-06-06T11:59:27Z) - Adversarial Robustness under Long-Tailed Distribution [93.50792075460336]
Adversarial robustness has attracted extensive studies recently by revealing the vulnerability and intrinsic characteristics of deep networks.
In this work we investigate the adversarial vulnerability as well as defense under long-tailed distributions.
We propose a clean yet effective framework, RoBal, which consists of two dedicated modules: a scale-invariant classifier and data re-balancing.
arXiv Detail & Related papers (2021-04-06T17:53:08Z) - Overfitting or Underfitting? Understand Robustness Drop in Adversarial
Training [34.83228408320053]
We propose APART, an adaptive adversarial training framework, which parameterizes perturbation generation and progressively strengthens the generated perturbations.
APART provides comparable or even better robustness than PGD-10, with only about 1/4 of its computational cost.
arXiv Detail & Related papers (2020-10-15T21:43:07Z) - Towards Understanding Fast Adversarial Training [91.8060431517248]
We conduct experiments to understand the behavior of fast adversarial training.
We show the key to its success is the ability to recover from overfitting to weak attacks.
arXiv Detail & Related papers (2020-06-04T18:19:43Z) - Feature Purification: How Adversarial Training Performs Robust Deep
Learning [66.05472746340142]
We present a principle we call Feature Purification: one of the causes of the existence of adversarial examples is the accumulation of certain small dense mixtures in the hidden weights during the training process of a neural network.
We present both experiments on the CIFAR-10 dataset illustrating this principle and a theoretical result proving that, for certain natural classification tasks, training a two-layer neural network with ReLU activation using randomly initialized gradient descent indeed follows this principle.
arXiv Detail & Related papers (2020-05-20T16:56:08Z) - Improving the Tightness of Convex Relaxation Bounds for Training
Certifiably Robust Classifiers [72.56180590447835]
Convex relaxations are effective for training and certifying neural networks against norm-bounded adversarial attacks, but they leave a large gap between certifiable and empirical robustness.
We propose two regularizers that can be used to train neural networks with higher certified accuracy than non-regularized baselines; a generic sketch of pairing a certified loss with a tightness regularizer appears after this list.
arXiv Detail & Related papers (2020-02-22T20:19:53Z)
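The last entry above motivates adding a term to the training objective that rewards tight relaxation bounds. The sketch below is purely illustrative and is not the regularizers proposed in that paper: it combines a standard IBP worst-case cross-entropy loss with a made-up penalty on the mean bound width after each linear layer (`lam` is an arbitrary trade-off weight).
```python
# Hypothetical sketch only: a generic IBP-style certified training step with an
# added bound-tightness penalty. Not the method of any specific paper above.
import torch
import torch.nn as nn
import torch.nn.functional as F

def interval_forward(model, x, eps):
    """Propagate an L_inf box through alternating Linear/ReLU layers (IBP)."""
    lo, hi = x - eps, x + eps
    gaps = []                                   # bound widths after each linear layer
    for layer in model:
        if isinstance(layer, nn.Linear):
            c, r = (lo + hi) / 2, (hi - lo) / 2
            c = layer(c)
            r = r @ layer.weight.abs().t()
            lo, hi = c - r, c + r
            gaps.append((hi - lo).mean())
        else:                                   # ReLU
            lo, hi = lo.clamp(min=0), hi.clamp(min=0)
    return lo, hi, torch.stack(gaps).mean()

def certified_loss(model, x, y, eps, lam=0.1):
    lo, hi, gap = interval_forward(model, x, eps)
    # Worst-case logits: lower bound on the true class, upper bound elsewhere.
    onehot = F.one_hot(y, lo.shape[-1]).bool()
    worst = torch.where(onehot, lo, hi)
    return F.cross_entropy(worst, y) + lam * gap   # robust loss + tightness penalty

# Toy usage on random data (illustrative only).
model = nn.Sequential(nn.Linear(784, 64), nn.ReLU(), nn.Linear(64, 10))
opt = torch.optim.Adam(model.parameters(), lr=1e-3)
x, y = torch.rand(32, 784), torch.randint(0, 10, (32,))
loss = certified_loss(model, x, y, eps=0.01)
loss.backward()
opt.step()
print(float(loss))
```
Whether such a penalty actually improves certified accuracy depends on the relaxation and the network; the snippet only shows the general shape of a regularized certified training step.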
This list is automatically generated from the titles and abstracts of the papers in this site.