Unlabeled Data Improves Adversarial Robustness

Carmon, Yair; Raghunathan, Aditi; Schmidt, Ludwig; Duchi, John C.; Liang, Percy

doi:10.48550/arxiv.1905.13736

Cited by 95 publications

(64 citation statements)

References 23 publications

(79 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Please see Appendix.B for more details and complete proof. Here the distillation loss is formulated by the prediction accuracy for pseudo-labels generated by a learnt teacher model, which is also considered by [15].…”

Section: Theoretical Analysismentioning

confidence: 99%

“…The adversarial training consists of an inner, iterative maximization loop to augment natural examples with adversarial perturbations, and an outer minimization loop similar to normal training. Many different methods have been introduced to improve robustness [77,15,53,92,80,67,95,79,7,82,40,45,57], but all of them are fundamentally based on the principle of training on adversarially augmented examples.…”

Section: Introductionmentioning

confidence: 99%

“…Even over-parameterized models that can easily fit data for normal training [93] may have insufficient capacity to fit adversarially augmented data [98]. The sample complexity of adversarial training can be significantly higher than normal training, and it requires more labeled [65] or unlabeled data [77,15,53,92]. The inner maximization for the generation of adversarial perturbations for adversarial training is significantly more expensive computationally as it requires iterative gradient steps with respect to the inputs (e.g., adversarial training takes ∼7x more time compared with normal training).…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

MixACM: Mixup-Based Robustness Transfer via Distillation of Activated Channel Maps

Awais¹,

Zhou²,

Xie³

et al. 2021

Preprint

View full text Add to dashboard Cite

Deep neural networks are susceptible to adversarially crafted, small and imperceptible changes in the natural inputs. The most effective defense mechanism against these examples is adversarial training which constructs adversarial examples during training by iterative maximization of loss. The model is then trained to minimize the loss on these constructed examples. This min-max optimization requires more data, larger capacity models, and additional computing resources. It also degrades the standard generalization performance of a model. Can we achieve robustness more efficiently? In this work, we explore this question from the perspective of knowledge transfer. First, we theoretically show the transferability of robustness from an adversarially trained teacher model to a student model with the help of mixup augmentation. Second, we propose a novel robustness transfer method called Mixup-Based Activated Channel Maps (MixACM) Transfer. MixACM transfers robustness from a robust teacher to a student by matching activated channel maps generated without expensive adversarial perturbations. Finally, extensive experiments on multiple datasets and different learning scenarios show our method can transfer robustness while also improving generalization on natural images.

show abstract

Section: Theoretical Analysismentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

MixACM: Mixup-Based Robustness Transfer via Distillation of Activated Channel Maps

Awais¹,

Zhou²,

Xie³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…For this reason, significant efforts have been made to improve the robustness of models without resorting to AT. Proposed solutions cover a wide range of techniques based on curvature regularization [17], robust optimization to improve local stability [23], the use of additional unlabeled data [4], local linearization [21], Parseval networks [5], defensive distillation [19], model ensembles [18], channel-wise activations suppressing [2], feature denoising [29], self-supervised learning for adversarial purification [25], and input manipulations [7,9,15]. All the listed techniques, except those based on input manipulations, require training the model or an auxiliary module from scratch.…”

Section: Related Workmentioning

confidence: 99%

Improving Robustness with Image Filtering

Terzi¹,

Carletti²,

Susto³

2021

Preprint

View full text Add to dashboard Cite

Adversarial robustness is one of the most challenging problems in Deep Learning and Computer Vision research. All the state-of-the-art techniques require a time-consuming procedure that creates cleverly perturbed images. Due to its cost, many solutions have been proposed to avoid Adversarial Training. However, all these attempts proved ineffective as the attacker manages to exploit spurious correlations among pixels to trigger brittle features implicitly learned by the model. This paper first introduces a new image filtering scheme called Image-Graph Extractor (IGE) that extracts the fundamental nodes of an image and their connections through a graph structure. By leveraging the IGE representation, we build a new defense method, Filtering As a Defense, that does not allow the attacker to entangle pixels to create malicious patterns. Moreover, we show that data augmentation with filtered images effectively improves the model's robustness to data corruption. We validate our techniques on CIFAR-10, CIFAR-100, and ImageNet.

show abstract

“…for both supervised classifier and attack generator (that ensures misclassification). The recent work [22][23][24] demonstrated that with a properly-designed attacker's objective, AT-type defenses can be generalized to the semi-supervised setting, and showed that the incorporation of additional unlabeled data could further improve adversarial robustness in image classification. Such an extension from supervised to semi-supervised defenses further inspires us to ask whether there exist unsupervised defenses that can eliminate the prerequisite of labeled data but improve model robustness.…”

Section: Introductionmentioning

confidence: 99%

When Does Contrastive Learning Preserve Adversarial Robustness from Pretraining to Finetuning?

Fan¹,

Liu²,

Chen³

et al. 2021

Preprint

View full text Add to dashboard Cite

Contrastive learning (CL) can learn generalizable feature representations and achieve state-of-the-art performance of downstream tasks by finetuning a linear classifier on top of it. However, as adversarial robustness becomes vital in image classification, it remains unclear whether or not CL is able to preserve robustness to downstream tasks. The main challenge is that in the 'self-supervised pretraining + supervised finetuning' paradigm, adversarial robustness is easily forgotten due to a learning task mismatch from pretraining to finetuning. We call such challenge 'cross-task robustness transferability'. To address the above problem, in this paper we revisit and advance CL principles through the lens of robustness enhancement. We show that (1) the design of contrastive views matters: High-frequency components of images are beneficial to improving model robustness; (2) Augmenting CL with pseudo-supervision stimulus (e.g., resorting to feature clustering) helps preserve robustness without forgetting. Equipped with our new designs, we propose ADVCL, a novel adversarial contrastive pretraining framework. We show that ADVCL is able to enhance cross-task robustness transferability without loss of model accuracy and finetuning efficiency. With a thorough experimental study, we demonstrate that ADVCL outperforms the state-of-the-art self-supervised robust learning methods across multiple datasets (CIFAR-10, CIFAR-100 and STL-10) and finetuning schemes (linear evaluation and full model finetuning). Code is available at https://github.com/LijieFan/AdvCL.

show abstract

Unlabeled Data Improves Adversarial Robustness

Cited by 95 publications

References 23 publications

MixACM: Mixup-Based Robustness Transfer via Distillation of Activated Channel Maps

MixACM: Mixup-Based Robustness Transfer via Distillation of Activated Channel Maps

Improving Robustness with Image Filtering

When Does Contrastive Learning Preserve Adversarial Robustness from Pretraining to Finetuning?

Contact Info

Product

Resources

About