Adversarially robust transfer learning

Shafahi, Ali; Saadatpanah, Parsa; Chen, Zhu; Ghiasi, Amin; Studer, Christoph; Jacobs, David R.; Goldstein, Tom

doi:10.48550/arxiv.1905.08232

Cited by 13 publications

(16 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Their findings theoretically back the efficacy of adversarial training for robustness. In [356], it is also demonstrated that transfer learning on adversarially robust models retains (to an extent) the robustness effect for the target domain. Sehwag et al [357] also devised a method for an adversarial trainingaware model pruning in resource constrained environment.…”

Section: A Model Alteration For Defensementioning

confidence: 95%

Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey

2018

View full text Add to dashboard Cite

Deep learning is at the heart of the current rise of artificial intelligence. In the field of Computer Vision, it has become the workhorse for applications ranging from self-driving cars to surveillance and security. Whereas deep neural networks have demonstrated phenomenal success (often beyond human capabilities) in solving complex problems, recent studies show that they are vulnerable to adversarial attacks in the form of subtle perturbations to inputs that lead a model to predict incorrect outputs. For images, such perturbations are often too small to be perceptible, yet they completely fool the deep learning models. Adversarial attacks pose a serious threat to the success of deep learning in practice. This fact has recently lead to a large influx of contributions in this direction. This article presents the first comprehensive survey on adversarial attacks on deep learning in Computer Vision. We review the works that design adversarial attacks, analyze the existence of such attacks and propose defenses against them. To emphasize that adversarial attacks are possible in practical conditions, we separately review the contributions that evaluate adversarial attacks in the real-world scenarios. Finally, drawing on the reviewed literature, we provide a broader outlook of this research direction.

show abstract

Section: A Model Alteration For Defensementioning

confidence: 95%

Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey

2018

View full text Add to dashboard Cite

show abstract

“…There are some recent works studying when and how adversarial robustness will transfer in different machine learning settings, such as transfer learning (Hendrycks et al, 2019;Shafahi et al, 2019), representation learning (Chan et al, 2020) and Model-agnostic meta-learning (MAML) (Wang et al, 2021a). In contrast, we focus on the setting of knowledge distillation.…”

Section: Related Workmentioning

confidence: 99%

How and When Adversarial Robustness Transfers in Knowledge Distillation?

Shao¹,

Yi²,

Chen³

et al. 2021

Preprint

View full text Add to dashboard Cite

Knowledge distillation (KD) has been widely used in teacher-student training, with applications to model compression in resource-constrained deep learning. Current works mainly focus on preserving the accuracy of the teacher model. However, other important model properties, such as adversarial robustness, can be lost during distillation. This paper studies how and when the adversarial robustness can be transferred from a teacher model to a student model in KD. We show that standard KD training fails to preserve adversarial robustness, and we propose KD with input gradient alignment (KDIGA) for remedy. Under certain assumptions, we prove that the student model using our proposed KDIGA can achieve at least the same certified robustness as the teacher model. Our experiments of KD contain a diverse set of teacher and student models with varying network architectures and sizes evaluated on ImageNet and CIFAR-10 datasets, including residual neural networks (ResNets) and vision transformers (ViTs). Our comprehensive analysis shows several novel insights that (1) With KDIGA, students can preserve or even exceed the adversarial robustness of the teacher model, even when their models have fundamentally different architectures; (2) KDIGA enables robustness to transfer to pre-trained students, such as KD from an adversarially trained ResNet to a pre-trained ViT, without loss of clean accuracy; and(3) Our derived local linearity bounds for characterizing adversarial robustness in KD are consistent with the empirical results.

show abstract

“…The current literature considers the scenario where the model is adversarially trained on both the source and target datasets to obtain better robustness [6]. Or where the model is adversarially trained on the source dataset and naturally trained on the target dataset [16]. In these approaches, while training on the target datasets may be fast because many epochs are not required, training the model on the source dataset is costly.…”

Section: Related Workmentioning

confidence: 99%

Improving the affordability of robustness training for DNNs

Gupta¹,

Dube²,

Verma³

2020

Preprint

View full text Add to dashboard Cite

Projected Gradient Descent (PGD) based adversarial training has become one of the most prominent methods for building robust deep neural network models. However, the computational complexity associated with this approach, due to the maximization of the loss function when finding adversaries, is a longstanding problem and may be prohibitive when using larger and more complex models. In this paper, we propose a modification of the PGD method for adversarial training and demonstrate that models can be trained much more efficiently without any loss in accuracy on natural and adversarial samples. We argue that the initial phase of adversarial training is redundant and can be replaced with natural training thereby increasing the computational efficiency significantly. We support our argument with insights on the nature of the adversaries and their relative strength during the training process. We show that our proposed method can reduce the training time to up to 38% of the original training time with comparable model accuracy and generalization on various strengths of adversarial attacks.

show abstract

Adversarially robust transfer learning

Cited by 13 publications

References 16 publications

Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey

Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey

How and When Adversarial Robustness Transfers in Knowledge Distillation?

Improving the affordability of robustness training for DNNs

Contact Info

Product

Resources

About