Disentangling Adversarial Robustness and Generalization

Stutz, David; Hein, Matthias; Schiele, Bernt

doi:10.1109/cvpr.2019.00714

Cited by 185 publications

(176 citation statements)

References 42 publications

Supporting

Mentioning

153

Contrasting

Order By: Relevance

“…Additionally, increasing the number of prototypes leads to a better ability to generalize. This observation provides empirical evidence supporting the results of [4]. In [4] it was stated that generalization and robustness are not necessarily contradicting goals, which is a topic recently under discussion.…”

Section: Hypothesis Margin Maximization In a Space Different To The Isupporting

confidence: 77%

“…All experiments and models were implemented using the Keras framework in Python on top of Tensorflow. 4 All evaluated LVQ models are made available as pretrained Tensorflow graphs and as part of the Foolbox zoo 5 at https: //github.com/LarsHoldijk/robust_LVQ_models.…”

Section: Methodsmentioning

confidence: 99%

“…Thus, adversarials are also related to the analysis of the decision boundaries in a learned model. It is important to define the difference between the ability to generalize and the robustness of a model [4]. Assume a model trained on a finite number of data points drawn from an unknown data manifold in X .…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Robustness of Generalized Learning Vector Quantization Models Against Adversarial Attacks

Saralajew¹,

Holdijk

Rees³

et al. 2019

Advances in Intelligent Systems and Computing

View full text Add to dashboard Cite

Adversarial attacks and the development of (deep) neural networks robust against them are currently two widely researched topics. The robustness of Learning Vector Quantization (LVQ) models against adversarial attacks has however not yet been studied to the same extent. We therefore present an extensive evaluation of three LVQ models: Generalized LVQ, Generalized Matrix LVQ and Generalized Tangent LVQ. The evaluation suggests that both Generalized LVQ and Generalized Tangent LVQ have a high base robustness, on par with the current state-of-the-art in robust neural network methods. In contrast to this, Generalized Matrix LVQ shows a high susceptibility to adversarial attacks, scoring consistently behind all other models. Additionally, our numerical evaluation indicates that increasing the number of prototypes per class improves the robustness of the models.

show abstract

Section: Hypothesis Margin Maximization In a Space Different To The Isupporting

confidence: 77%

Section: Methodsmentioning

confidence: 99%

See 1 more Smart Citation

Robustness of Generalized Learning Vector Quantization Models Against Adversarial Attacks

Saralajew¹,

Holdijk

Rees³

et al. 2019

Advances in Intelligent Systems and Computing

View full text Add to dashboard Cite

show abstract

“…It is important to note that x may not necessarily follow the distribution D. Thus, the studies on adversarial examples are different from these on model generalization. Moreover, a number of studies reported the relation between these two properties Su et al, 2018;Stutz et al, 2019;Zhang et al, 2019b). From our clarification, we hope that our audience get the difference and relation between risk and adversarial risk, and the importance of studying adversarial countermeasures.…”

Section: Adversarial Risk Vs Riskmentioning

confidence: 99%

Adversarial Attacks and Defenses in Images, Graphs and Text: A Review

Liu

et al. 2020

Int. J. Autom. Comput.

495

215

View full text Add to dashboard Cite

Deep neural networks (DNN) have achieved unprecedented success in numerous machine learning tasks in various domains. However, the existence of adversarial examples has raised concerns about applying deep learning to safety-critical applications. As a result, we have witnessed increasing interests in studying attack and defense mechanisms for DNN models on different data types, such as images, graphs and text. Thus, it is necessary to provide a systematic and comprehensive overview of the main threats of attacks and the success of corresponding countermeasures. In this survey, we review the state of the art algorithms for generating adversarial examples and the countermeasures against adversarial examples, for the three popular data types, i.e., images, graphs and text.

show abstract

“…Recent work by Tsipras et al [11] argued that this might be due to the natural tendency of high-accuracy classifiers to exploit small differences as a means of greedily leveraging available information. Stutz et al [17] interestingly studied the creation of "on-manifold" adversarial examples, which conform to the original input distribution as defined by a Variational Autoencoder (VAE) -Generative Adversarial Network (GAN) hybrid. Unlike with off-manifold, or traditional, adversarial examples, they found that generalization accuracy would actually be increased by training with onmanifold adversarial examples [17].…”

Section: Related Workmentioning

confidence: 99%

Adversarial explanations for understanding image classification decisions and improved neural network robustness

2019

View full text Add to dashboard Cite

For sensitive problems, such as medical imaging or fraud detection, Neural Network (NN) adoption has been slow due to concerns about their reliability, leading to a number of algorithms for explaining their decisions. NNs have also been found vulnerable to a class of imperceptible attacks, called adversarial examples, which arbitrarily alter the output of the network. Here we demonstrate both that these attacks can invalidate prior attempts to explain the decisions of NNs, and that with very robust networks, the attacks themselves may be leveraged as explanations with greater fidelity to the model. We show that the introduction of a novel regularization technique inspired by the Lipschitz constraint, alongside other proposed improvements, greatly improves an NN's resistance to adversarial examples. On the ImageNet classification task, we demonstrate a network with an Accuracy-Robustness Area (ARA) of 0.0053, an ARA 2.4 × greater than the previous state of the art. Improving the mechanisms by which NN decisions are understood is an important direction for both establishing trust in sensitive domains and learning more about the stimuli to which NNs respond.

show abstract

Disentangling Adversarial Robustness and Generalization

Cited by 185 publications

References 42 publications

Robustness of Generalized Learning Vector Quantization Models Against Adversarial Attacks

Robustness of Generalized Learning Vector Quantization Models Against Adversarial Attacks

Adversarial Attacks and Defenses in Images, Graphs and Text: A Review

Adversarial explanations for understanding image classification decisions and improved neural network robustness

Contact Info

Product

Resources

About