Adversarially Robust Generalization Requires More Data

Schmidt, Ludwig; Santurkar, Shibani; Tsipras, Dimitris; Talwar, Kunal; Mądry, Aleksander

doi:10.48550/arxiv.1804.11285

Cited by 39 publications

(70 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Adversarial examples: Several schools of thought suggest adversarial examples as an unavoidable consequence of various aspects of the ML pipeline: a) high dimensionality of input data [22,18,30,43], b) model misspecification [37]; c) label noise [17,19,3], d) larger sample complexity(upper bounds) of adversarial robustness v.s. regular generalization [42]. This motivates a commonly conjectured fundamental tradeoff between regular accuracy and robustness.…”

Section: Related Workmentioning

confidence: 68%

“…The estimation-centric explanation is in contrast to the majority of existing explanations for adversarial examples, which suggest that these are an unavoidable consequence of various aspects of the ML pipeline: (a) high dimensionality of input data [22,18,30,43] (b) model misspecification [37] (c) label noise [17,19,3] (d) larger sample complexity (upper bounds) of adversarial robustness v.s. regular generalization [42,49]. To rule-out the above as possible causes for adversarial examples in our model, we intentionally study a setup with low-dimensional input-data and without misspecification or label-noise.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Classification and Adversarial examples in an Overparameterized Linear Model: A Signal Processing Perspective

Narang,

Muthukumar,

Sahai

2021

Preprint

View full text Add to dashboard Cite

State-of-the-art deep learning classifiers are heavily overparameterized with respect to the amount of training examples and observed to generalize well on "clean" data, but be highly susceptible to infinitesmal adversarial perturbations. In this paper, we identify an overparameterized linear ensemble, that uses the "lifted" Fourier feature map, that demonstrates both of these behaviors 1 . The input is one-dimensional, and the adversary is only allowed to perturb these inputs and not the non-linear features directly. We find that the learned model is susceptible to adversaries in an intermediate regime where classification generalizes but regression does not. Notably, the susceptibility arises despite the absence of model misspecification or label noise, which are commonly cited reasons for adversarial-susceptibility. These results are extended theoretically to a random-Fourier-sum setup that exhibits double-descent behavior. In both feature-setups, the adversarial vulnerability arises because of a phenomenon we term spatial localization: the predictions of the learned model are markedly more sensitive in the vicinity of training points than elsewhere. This sensitivity is a consequence of feature lifting and is reminiscent of Gibb's and Runge's phenomena from signal processing and functional analysis. Despite the adversarial susceptibility, we find that classification with these features can be easier than the more commonly studied "independent feature" models.

show abstract

Section: Related Workmentioning

confidence: 68%

Section: Introductionmentioning

confidence: 99%

Classification and Adversarial examples in an Overparameterized Linear Model: A Signal Processing Perspective

Narang,

Muthukumar,

Sahai

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Semi-supervised and self-supervised for Adversarial Training. Schmidt et al [196] show that sample complexity in adversarial learning can be significantly larger than that of "standard" learning and hence requires more samples to achieve non-trivial adversarial robust classifier. However, conventional adversarial training needs class labels and can not be easily applied to unlabeled data.…”

Section: Adversarial Training Adversarial Training (At) Incorporates ...mentioning

confidence: 99%

Taxonomy of Machine Learning Safety: A Survey and Primer

Mohseni¹,

Wang²,

Yu³

et al. 2021

Preprint

View full text Add to dashboard Cite

The open-world deployment of Machine Learning (ML) algorithms in safety-critical applications such as autonomous vehicles needs to address a variety of ML vulnerabilities such as interpretability, verifiability, and performance limitations. Research explores different approaches to improve ML dependability by proposing new models and training techniques to reduce generalization error, achieve domain adaptation, and detect outlier examples and adversarial attacks. In this paper, we review and organize practical ML techniques that can improve the safety and dependability of ML algorithms and therefore ML-based software. Our organization maps state-of-the-art ML techniques to safety strategies in order to enhance the dependability of the ML algorithm from different aspects, and discuss research gaps as well as promising solutions.

show abstract

“…Parallel to this line of work, we provide theory to understand how NFM can improve robustness. Also related to this line of work is the study of the trade-offs between robustness and accuracy [47,54,58,63,65,73,78]. There are also attempts to study generalization in terms of robustness [16,33,72].…”

Section: Related Workmentioning

confidence: 99%

Noisy Feature Mixup

Lim¹,

Erichson²,

Utrera³

et al. 2021

Preprint

View full text Add to dashboard Cite

We introduce Noisy Feature Mixup (NFM), an inexpensive yet effective method for data augmentation that combines the best of interpolation based training and noise injection schemes. Rather than training with convex combinations of pairs of examples and their labels, we use noise-perturbed convex combinations of pairs of data points in both input and feature space. This method includes mixup and manifold mixup as special cases, but it has additional advantages, including better smoothing of decision boundaries and enabling improved model robustness. We provide theory to understand this as well as the implicit regularization effects of NFM. Our theory is supported by empirical results, demonstrating the advantage of NFM, as compared to mixup and manifold mixup. We show that residual networks and vision transformers trained with NFM have favorable trade-offs between predictive accuracy on clean data and robustness with respect to various types of data perturbation across a range of computer vision benchmark datasets.

show abstract

Adversarially Robust Generalization Requires More Data

Cited by 39 publications

References 22 publications

Classification and Adversarial examples in an Overparameterized Linear Model: A Signal Processing Perspective

Classification and Adversarial examples in an Overparameterized Linear Model: A Signal Processing Perspective

Taxonomy of Machine Learning Safety: A Survey and Primer

Noisy Feature Mixup

Contact Info

Product

Resources

About