Defending Against Image Corruptions Through Adversarial Augmentations

Calian, Dan A.; Stimberg, Florian; Wiles, Olivia; Rebuffi, Sylvestre-Alvise; György, András; Mann, Timothy; Gowal, Sven

doi:10.48550/arxiv.2104.01086

Cited by 4 publications

(8 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…(Koh et al, 2021) presented WILDS, a curated benchmark of 10 datasets reflecting a diverse range of distribution shifts that naturally arise in real-world applications. ; Cubuk et al (2018); Calian et al (2021) proposed augmentation methods to improve the corruption robustness in 2D vision tasks. On the adversarial robustness benchmarking front, Carlini et al (2019) discussed the methodological foundations, reviewed commonly accepted best practices, and suggested new methods for evaluating defenses to adversarial examples.…”

Section: Related Workmentioning

confidence: 99%

Benchmarking Robustness of 3D Point Cloud Recognition Against Common Corruptions

Sun¹,

Zhang²,

Kailkhura³

et al. 2022

Preprint

View full text Add to dashboard Cite

Deep neural networks on 3D point cloud data have been widely used in the real world, especially in safety-critical applications. However, their robustness against corruptions is less studied. In this paper, we present ModelNet40-C, the first comprehensive benchmark on 3D point cloud corruption robustness, consisting of 15 common and realistic corruptions. Our evaluation shows a significant gap between the performances on ModelNet40 and ModelNet40-C for state-of-the-art (SOTA) models. To reduce the gap, we propose a simple but effective method by combining PointCutMix-R and TENT after evaluating a wide range of augmentation and testtime adaptation strategies. We identify a number of critical insights for future studies on corruption robustness in point cloud recognition. For instance, we unveil that Transformer-based architectures with proper training recipes achieve the strongest robustness. We hope our in-depth analysis will motivate the development of robust training strategies or architecture designs in the 3D point cloud domain. Our codebase and dataset are included in https://github. com/jiachens/ModelNet40-C.

show abstract

Section: Related Workmentioning

confidence: 99%

Benchmarking Robustness of 3D Point Cloud Recognition Against Common Corruptions

Sun¹,

Zhang²,

Kailkhura³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Besides, there are cases where offline augmentation is not feasible as it relies on pre-trained or generative models which are unavailable in certain scenarios, e.g. DeepAugment [20] or AdA [6] cannot be applied on C-100. On the other hand, off-line augmentation may be necessary to avoid the computational cost of generating augmentations during training.…”

Section: Sample Complexitymentioning

confidence: 99%

“…Although AugMix attains significant gains on CIFAR-10-C, it does not perform well against sophisticated benchmarks like ImageNet-C. DeepAugment (DA) [20] addresses this issue and diversifies the space of augmentations by introducing distorted images computed by perturbing the weights of image-to-image networks. DA, combined with AugMix, achieves the current state-of-the-art on ImageNet-C. Other schemes include: (i) worst-case noise training [37], (ii) inducing shape bias through stylized images [17], (iii) adversarial counterparts of DeepAugment [6] and AugMix [43], (iv) pre-training and/or adversarial training [24,45], (v) constraining the total variation of convolutional layers [38] and (vi) learning the image information in the phase rather than amplitude [7]. Besides, Vision Transformers [15] have been shown to be more robust to common corruptions than standard CNNs [4,31].…”

Section: Related Workmentioning

confidence: 99%

“…All models are implemented in PyTorch [33] and are trained for 100 epochs using a cyclic learning rate schedule [40] with cosine annealing and a maximum learning rate of 0.2 unless stated otherwise. For IN, we fine-tune a regularly pretrained network 6 with a maximum learning rate of 0.01 following Hendrycks et al [20]. We use SGD optimizer with momentum factor 0.9 and Nesterov momentum [32].…”

Section: Detailed Experimental Setupmentioning

confidence: 99%

“…Still, guaranteeing a good coverage over the whole space of such corruptions is hard. Hence, the current literature relies mostly on increasing the complexity of their training pipelines by combining independently developed data augmentation strategies, to hopefully increase diversity of augmentations and achieve state-of-the-art results on different common corruptions benchmarks [6,7,20,24,37,43]. This incremental research strategy, though, has come at a cost.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

PRIME: A few primitives can boost robustness to common corruptions

Modas¹,

Rade²,

Ortiz-Jiménez³

et al. 2021

Preprint

View full text Add to dashboard Cite

Despite their impressive performance on image classification tasks, deep networks have a hard time generalizing to many common corruptions of their data. To fix this vulnerability, prior works have mostly focused on increasing the complexity of their training pipelines, combining multiple methods, in the name of diversity. However, in this work, we take a step back and follow a principled approach to achieve robustness to common corruptions. We propose PRIME, a general data augmentation scheme that consists of simple families of max-entropy image transformations. We show that PRIME outperforms the prior art for corruption robustness, while its simplicity and plug-and-play nature enables it to be combined with other methods to further boost their robustness. Furthermore, we analyze PRIME to shed light on the importance of the mixing strategy on synthesizing corrupted images, and to reveal the robustnessaccuracy trade-offs arising in the context of common corruptions. Finally, we show that the computational efficiency of our method allows it to be easily used in both on-line and off-line data augmentation schemes 1 .

show abstract

GSmooth: Certified Robustness against Semantic Transformations via Generalized Randomized Smoothing

Hao¹,

Cui²,

Dong³

et al. 2022

Preprint

View full text Add to dashboard Cite

Certified defenses such as randomized smoothing have shown promise towards building reliable machine learning systems against p -norm bounded attacks. However, existing methods are insufficient or unable to provably defend against semantic transformations, especially those without closed-form expressions (such as defocus blur and pixelate), which are more common in practice and often unrestricted. To fill up this gap, we propose generalized randomized smoothing (GSmooth), a unified theoretical framework for certifying robustness against general semantic transformations via a novel dimension augmentation strategy. Under the GSmooth framework, we present a scalable algorithm that uses a surrogate image-to-image network to approximate the complex transformation. The surrogate model provides a powerful tool for studying the properties of semantic transformations and certifying robustness. Experimental results on several datasets demonstrate the effectiveness of our approach for robustness certification against multiple kinds of semantic transformations and corruptions, which is not achievable by the alternative baselines.

show abstract

Defending Against Image Corruptions Through Adversarial Augmentations

Cited by 4 publications

References 39 publications

Benchmarking Robustness of 3D Point Cloud Recognition Against Common Corruptions

Benchmarking Robustness of 3D Point Cloud Recognition Against Common Corruptions

PRIME: A few primitives can boost robustness to common corruptions

GSmooth: Certified Robustness against Semantic Transformations via Generalized Randomized Smoothing

Contact Info

Product

Resources

About