Bridging the Gap Between Adversarial Robustness and Optimization Bias
- URL: http://arxiv.org/abs/2102.08868v1
- Date: Wed, 17 Feb 2021 16:58:04 GMT
- Title: Bridging the Gap Between Adversarial Robustness and Optimization Bias
- Authors: Fartash Faghri, Cristina Vasconcelos, David J. Fleet, Fabian
Pedregosa, Nicolas Le Roux
- Abstract summary: Adversarial robustness is an open challenge in deep learning, most often tackled using adversarial training.
We show that it is possible to achieve both perfect standard accuracy and a certain degree of robustness without a trade-off.
In particular, we characterize the robustness of linear convolutional models, showing that they resist attacks subject to a constraint on the Fourier-$\ell_\infty$ norm.
- Score: 28.56135898767349
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Adversarial robustness is an open challenge in deep learning, most often
tackled using adversarial training. Adversarial training is computationally
costly, involving alternated optimization with a trade-off between standard
generalization and adversarial robustness. We explore training robust models
without adversarial training by revisiting a known result linking maximally
robust classifiers and minimum norm solutions, and combining it with recent
results on the implicit bias of optimizers. First, we show that, under certain
conditions, it is possible to achieve both perfect standard accuracy and a
certain degree of robustness without a trade-off, simply by training an
overparameterized model using the implicit bias of the optimization. In that
regime, there is a direct relationship between the type of the optimizer and
the attack to which the model is robust. Second, we investigate the role of the
architecture in designing robust models. In particular, we characterize the
robustness of linear convolutional models, showing that they resist attacks
subject to a constraint on the Fourier-$\ell_\infty$ norm. This result explains
why $\ell_p$-bounded adversarial perturbations tend to be concentrated in the
Fourier domain. This leads us to a novel attack in the
Fourier domain that is inspired by the well-known frequency-dependent
sensitivity of human perception. We evaluate Fourier-$\ell_\infty$ robustness
of recent CIFAR-10 models with robust training and visualize adversarial
perturbations.
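Two of the claims in the abstract lend themselves to short illustrative sketches (Python with toy data; these are not the authors' code, and every name, constant, and convention below is an assumption made for illustration). First, the link between minimum-norm solutions and robustness: a linear classifier is immune at a point to every $\ell_2$ perturbation smaller than that point's geometric margin, and on separable data plain gradient descent on the logistic loss is known to drift toward the max-margin (minimum-norm) direction, so standard training alone already yields a quantifiable degree of $\ell_2$ robustness.

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy linearly separable data: two well-separated blobs.
X = np.vstack([rng.normal(+2.0, 0.3, size=(50, 2)),
               rng.normal(-2.0, 0.3, size=(50, 2))])
y = np.hstack([np.ones(50), -np.ones(50)])

# Plain gradient descent on the logistic loss; its implicit bias drives w
# toward the max-margin (minimum l2-norm) direction on separable data.
w = np.zeros(2)
for _ in range(20_000):
    m = y * (X @ w)
    grad = -(y[:, None] * X / (1.0 + np.exp(m))[:, None]).mean(axis=0)
    w -= 0.1 * grad

# A linear classifier (no bias term) is robust at x to every l2 perturbation
# of norm below y * <w, x> / ||w||, i.e. its geometric margin.
margins = y * (X @ w) / np.linalg.norm(w)
eps = 0.5 * margins.min()
print("robust accuracy under any l2 attack of size eps:", np.mean(margins > eps))  # 1.0
```

Second, the Fourier-$\ell_\infty$ constraint: the Fourier-$\ell_\infty$ norm of a perturbation is the largest magnitude among its 2D DFT coefficients, so an attack under this budget must keep every frequency component's magnitude below $\epsilon$. The helper below computes that norm and projects a perturbation onto the budget by clipping coefficient magnitudes; the orthonormal FFT normalization is an assumed convention, and this is one simple way to enforce the constraint rather than the paper's attack.

```python
import numpy as np

def fourier_linf_norm(delta: np.ndarray) -> float:
    """Largest 2D DFT coefficient magnitude of a (single-channel) perturbation."""
    return float(np.abs(np.fft.fft2(delta, norm="ortho")).max())

def project_fourier_linf(delta: np.ndarray, eps: float) -> np.ndarray:
    """Clip every frequency coefficient's magnitude to eps (phases unchanged),
    then transform back; for a real input the result stays real."""
    coeffs = np.fft.fft2(delta, norm="ortho")
    mags = np.abs(coeffs)
    coeffs *= np.minimum(1.0, eps / np.maximum(mags, 1e-12))
    return np.real(np.fft.ifft2(coeffs, norm="ortho"))

delta = np.random.default_rng(0).normal(size=(32, 32))   # toy perturbation
delta = project_fourier_linf(delta, eps=0.1)
print(fourier_linf_norm(delta))                          # <= 0.1 up to float error
```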
Related papers
- Adversarial Robustification via Text-to-Image Diffusion Models [56.37291240867549]
Adversarial robustness has conventionally been believed to be a challenging property to encode into neural networks.
We develop a scalable and model-agnostic solution to achieve adversarial robustness without using any data.
arXiv Detail & Related papers (2024-07-26T10:49:14Z)
- Enhancing Multiple Reliability Measures via Nuisance-extended Information Bottleneck [77.37409441129995]
In practical scenarios where training data is limited, many of the predictive signals in the data can come from biases in data acquisition.
We consider an adversarial threat model under a mutual information constraint to cover a wider class of perturbations in training.
We propose an autoencoder-based training to implement the objective, as well as practical encoder designs to facilitate the proposed hybrid discriminative-generative training.
arXiv Detail & Related papers (2023-03-24T16:03:21Z)
- TWINS: A Fine-Tuning Framework for Improved Transferability of Adversarial Robustness and Generalization [89.54947228958494]
This paper focuses on the fine-tuning of an adversarially pre-trained model in various classification tasks.
We propose a novel statistics-based approach, the Two-WIng NormaliSation (TWINS) fine-tuning framework.
TWINS is shown to be effective on a wide range of image classification datasets in terms of both generalization and robustness.
arXiv Detail & Related papers (2023-03-20T14:12:55Z)
- Explicit Tradeoffs between Adversarial and Natural Distributional Robustness [48.44639585732391]
In practice, models need to enjoy both adversarial and natural distributional robustness to ensure reliability.
In this work, we show that in fact, explicit tradeoffs exist between adversarial and natural distributional robustness.
arXiv Detail & Related papers (2022-09-15T19:58:01Z)
- Self-Ensemble Adversarial Training for Improved Robustness [14.244311026737666]
Among all sorts of defense methods, adversarial training is the strongest strategy against various adversarial attacks.
Recent works mainly focus on developing new loss functions or regularizers, attempting to find the unique optimal point in the weight space.
We devise a simple but powerful Self-Ensemble Adversarial Training (SEAT) method for yielding a robust classifier by averaging the weights of history models.
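As a rough, generic illustration of the "averaging weights of history models" idea (not the SEAT implementation, which per the abstract is combined with adversarial training), one can keep a running average of the parameters along the training trajectory and evaluate that averaged model; all names and the toy setup below are made up for the sketch.

```python
import copy
import torch
import torch.nn as nn

@torch.no_grad()
def update_average_model(avg_model: nn.Module, model: nn.Module, num_updates: int) -> None:
    """Running uniform average of parameters: avg += (param - avg) / (num_updates + 1)."""
    for p_avg, p in zip(avg_model.parameters(), model.parameters()):
        p_avg.add_(p.detach() - p_avg, alpha=1.0 / (num_updates + 1))

# Toy usage: the averaged model is the "self-ensemble" used at evaluation time.
model = nn.Linear(10, 2)                       # stand-in for the trained classifier
avg_model = copy.deepcopy(model)
opt = torch.optim.SGD(model.parameters(), lr=0.1)
for step in range(100):
    x, yb = torch.randn(8, 10), torch.randint(0, 2, (8,))
    loss = nn.functional.cross_entropy(model(x), yb)   # adversarial loss in the real method
    opt.zero_grad(); loss.backward(); opt.step()
    update_average_model(avg_model, model, step)
```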
arXiv Detail & Related papers (2022-03-18T01:12:18Z)
- Adaptive Feature Alignment for Adversarial Training [56.17654691470554]
CNNs are typically vulnerable to adversarial attacks, which pose a threat to security-sensitive applications.
We propose adaptive feature alignment (AFA), which generates features of arbitrary attacking strengths.
Our method is trained to automatically align features of arbitrary attacking strength.
arXiv Detail & Related papers (2021-05-31T17:01:05Z)
- Self-Progressing Robust Training [146.8337017922058]
Current robust training methods such as adversarial training explicitly use an "attack" to generate adversarial examples.
We propose a new framework called SPROUT, self-progressing robust training.
Our results shed new light on scalable, effective and attack-independent robust training methods.
arXiv Detail & Related papers (2020-12-22T00:45:24Z)
- Affine-Invariant Robust Training [0.0]
This project reviews work in spatial robustness methods and proposes zeroth order optimization algorithms to find the worst affine transforms for each input.
The proposed method effectively yields robust models and allows introducing non-parametric adversarial perturbations.
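A minimal sketch of the zeroth-order idea: sample affine parameters at random, apply the transform to the input, and keep the transform that maximizes the classification loss, without any gradients through the transform. This is a generic illustration, not the paper's algorithm; the parameter ranges, helper names, and use of `affine_grid`/`grid_sample` are assumptions, and for simplicity one shared transform is applied to the whole batch per trial.

```python
import math
import torch
import torch.nn.functional as F

def apply_affine(x: torch.Tensor, angle: float, tx: float, ty: float) -> torch.Tensor:
    """Warp a batch of images with a rotation/translation via an affine sampling grid."""
    cos, sin = math.cos(angle), math.sin(angle)
    theta = torch.tensor([[cos, -sin, tx], [sin, cos, ty]], dtype=x.dtype)
    theta = theta.unsqueeze(0).repeat(x.size(0), 1, 1)
    grid = F.affine_grid(theta, list(x.shape), align_corners=False)
    return F.grid_sample(x, grid, align_corners=False)

@torch.no_grad()
def worst_affine_random_search(model, x, y, n_trials=50,
                               max_angle=math.radians(10.0), max_shift=0.1):
    """Zeroth-order (random-search) sketch: keep the sampled affine transform
    that maximizes the classification loss; no gradients are used."""
    best_loss, best_xt = -float("inf"), x
    for _ in range(n_trials):
        angle, tx, ty = [(2 * torch.rand(1).item() - 1) * s
                         for s in (max_angle, max_shift, max_shift)]
        xt = apply_affine(x, angle, tx, ty)
        loss = F.cross_entropy(model(xt), y).item()
        if loss > best_loss:
            best_loss, best_xt = loss, xt
    return best_xt

# Toy usage with a stand-in classifier on 8x8 single-channel images.
model = torch.nn.Sequential(torch.nn.Flatten(), torch.nn.Linear(64, 3))
x, y = torch.rand(4, 1, 8, 8), torch.randint(0, 3, (4,))
x_worst = worst_affine_random_search(model, x, y)
```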
arXiv Detail & Related papers (2020-10-08T18:59:19Z)
- Adversarial Vertex Mixup: Toward Better Adversarially Robust Generalization [28.072758856453106]
Adversarial examples cause neural networks to produce incorrect outputs with high confidence.
We show that adversarial training can overshoot the optimal point in terms of robust generalization, leading to Adversarial Feature Overfitting (AFO).
We propose Adversarial Vertex mixup (AVmixup) as a soft-labeled data augmentation approach for improving adversarially robust generalization.
arXiv Detail & Related papers (2020-03-05T08:47:46Z)
This list is automatically generated from the titles and abstracts of the papers on this site.
The site does not guarantee the quality of this information and is not responsible for any consequences.