Learning perturbation sets for robust machine learning

Wong, Eric; Kolter, J. Zico

doi:10.48550/arxiv.2007.08450

Cited by 11 publications

(10 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, in this paper we make no particular assumption on the specific form of ∆. In particular, our results apply to arbitrary perturbation sets, such as those used in [62][63][64][65][66].…”

Section: Problem Formulationmentioning

confidence: 99%

“…Due to space constraints, we considered only pertubations of the form G(x, δ) = x + δ as in (P-RO). Yet, by once again fixing the pertubation distribution λ, we can obtain a myriad of data augmentation techniques, including the group-theoretic data-augmentation scheme discussed in [93], where G denotes the group action, and the model-based robust training methods discussed in [62][63][64][65]. Indeed, exploring the efficacy of DALE toward improving robustness beyond norm-bounded perturbations is an exciting direction for future work.…”

Section: Acknowledgements and Disclosure Of Funding A Connections To ...mentioning

confidence: 99%

See 1 more Smart Citation

Adversarial Robustness with Semi-Infinite Constrained Learning

Robey¹,

Chamon²,

Pappas³

et al. 2021

Preprint

View full text Add to dashboard Cite

Despite strong performance in numerous applications, the fragility of deep learning to input perturbations has raised serious questions about its use in safety-critical domains. While adversarial training can mitigate this issue in practice, state-ofthe-art methods are increasingly application-dependent, heuristic in nature, and suffer from fundamental trade-offs between nominal performance and robustness. Moreover, the problem of finding worst-case perturbations is non-convex and underparameterized, both of which engender a non-favorable optimization landscape. Thus, there is a gap between the theory and practice of adversarial training, particularly with respect to when and why adversarial training works. In this paper, we take a constrained learning approach to address these questions and to provide a theoretical foundation for robust learning. In particular, we leverage semi-infinite optimization and non-convex duality theory to show that adversarial training is equivalent to a statistical problem over perturbation distributions, which we characterize completely. Notably, we show that a myriad of previous robust training techniques can be recovered for particular, sub-optimal choices of these distributions. Using these insights, we then propose a hybrid Langevin Monte Carlo approach of which several common algorithms (e.g., PGD) are special cases. Finally, we show that our approach can mitigate the trade-off between nominal and robust performance, yielding state-of-the-art results on MNIST and CIFAR-10. Our code is available at: https://github.com/arobey1/advbench.

show abstract

Section: Problem Formulationmentioning

confidence: 99%

Section: Acknowledgements and Disclosure Of Funding A Connections To ...mentioning

confidence: 99%

Adversarial Robustness with Semi-Infinite Constrained Learning

Robey¹,

Chamon²,

Pappas³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Gulshad et al [10] trained on images with adversarial as well as natural perturbations like occlusions or elastic deformations, while achieving good generalization for many other unseen perturbations. Robey et al [18] and Wong et al [26] argued that it is impossible to capture all possible natural perturbations mathematically. Therefore, they used generative models to generate images with perturbations to train the network.…”

Section: Related Workmentioning

confidence: 99%

Built-in Elastic Transformations for Improved Robustness

Gulshad¹,

Sosnovik²,

Smeulders³

2021

Preprint

View full text Add to dashboard Cite

We focus on building robustness in the convolutions of neural visual classifiers, especially against natural perturbations like elastic deformations, occlusions and Gaussian noise. Existing CNNs show outstanding performance on clean images, but fail to tackle naturally occurring perturbations. In this paper, we start from elastic perturbations, which approximate (local) view-point changes of the object. We present elastically-augmented convolutions (EAConv) by parameterizing filters as a combination of fixed elasticallyperturbed bases functions and trainable weights for the purpose of integrating unseen viewpoints in the CNN. We show on CIFAR-10 and STL-10 datasets that the general robustness of our method on unseen occlusion and Gaussian perturbations improves, while even improving the performance on clean images slightly without performing any data augmentation.

show abstract

“…[16] trained on images with adversarial as well as natural perturbations like occlusions or elastic deformations, while achieving good generalization for many other unseen perturbations. [31] and [43] argued that it is impossible to capture all possible natural perturbations mathematically. Therefore, they used generative models to generate images with perturbations to train the network.…”

Section: Related Workmentioning

confidence: 99%

Wiggling Weights to Improve the Robustness of Classifiers

Gulshad¹,

Sosnovik²,

Smeulders³

2021

Preprint

View full text Add to dashboard Cite

Robustness against unwanted perturbations is an important aspect of deploying neural network classifiers in the real world. Common natural perturbations include noise, saturation, occlusion, viewpoint changes, and blur deformations. All of them can be modelled by the newly proposed transform-augmented convolutional networks. While many approaches for robustness train the network by providing augmented data to the network, we aim to integrate perturbations in the network architecture to achieve improved and more general robustness. To demonstrate that wiggling the weights consistently improves classification, we choose a standard network and modify it to a transform-augmented network. On perturbed CIFAR-10 images, the modified network delivers a better performance than the original network. For the much smaller STL-10 dataset, in addition to delivering better general robustness, wiggling even improves the classification of unperturbed, clean images substantially. We conclude that wiggled transform-augmented networks acquire good robustness even for perturbations not seen during training.

show abstract

Learning perturbation sets for robust machine learning

Cited by 11 publications

References 37 publications

Adversarial Robustness with Semi-Infinite Constrained Learning

Adversarial Robustness with Semi-Infinite Constrained Learning

Built-in Elastic Transformations for Improved Robustness

Wiggling Weights to Improve the Robustness of Classifiers

Contact Info

Product

Resources

About