2018
DOI: 10.48550/arxiv.1811.00401
Preprint

Excessive Invariance Causes Adversarial Vulnerability

Abstract: Despite their impressive performance, deep neural networks exhibit striking failures on out-of-distribution inputs. One core idea of adversarial example research is to reveal neural network errors under such distribution shifts. We decompose these errors into two complementary sources: sensitivity and invariance. We show deep networks are not only too sensitive to task-irrelevant changes of their input, as is well-known from ε-adversarial examples, but are also too invariant to a wide range of task-relevant changes…
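
To make the sensitivity/invariance decomposition concrete, the following is a minimal, hypothetical NumPy sketch (not from the paper): a linear classifier whose prediction flips under a tiny change along its weight direction (excessive sensitivity), yet stays exactly constant under an arbitrarily large change in the weights' null space (excessive invariance).

```python
# Hypothetical illustration of the two failure modes described in the abstract;
# the linear model and the numbers are placeholders, not taken from the paper.
import numpy as np

w = np.array([1.0, 0.0])            # decision direction; predicted class = sign(w @ x)
x = np.array([0.1, 5.0])            # original input, classified as positive

# Excessive sensitivity: a tiny, task-irrelevant step along w flips the prediction.
x_sensitive = x - 0.2 * w
print(np.sign(w @ x), np.sign(w @ x_sensitive))   # 1.0 -> -1.0

# Excessive invariance: a large change in the null space of w leaves the score
# untouched, even if that coordinate carried task-relevant information.
x_invariant = x + np.array([0.0, 100.0])
print(w @ x, w @ x_invariant)                     # identical scores
```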

Cited by 22 publications (44 citation statements)
References 19 publications
“…Improving the generalization of deep learning models has become a major research topic, with many different threads of research including Bayesian deep learning (Neal, 1996; Gal, 2016), adversarial (Engstrom et al, 2019; Jacobsen et al, 2018) and non-adversarial (Hendrycks & Dietterich, 2019; Yin et al, 2019) robustness, causality (Arjovsky et al, 2019), and other works aimed at distinguishing statistical features from semantic features (Gowal et al, 2019; Geirhos et al, 2018). While neural networks often exhibit superhuman generalization performance on the training distribution, they can be extremely sensitive to minute changes in distribution (Su et al, 2019; Engstrom et al, 2017). In this work, we consider out-of-distribution (OoD) generalization, where a model must generalize to new distributions at test time without seeing any training data from them.…”
Section: Introduction (mentioning)
confidence: 99%
“…This also contributes to mixing the variables between layers, complementing the soft permutations. Similarly, [18] uses a discrete cosine transform as a final transformation in their INN to replace global average pooling.…”
Section: Important Details (mentioning)
confidence: 99%
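
The statement above contrasts a discrete cosine transform head with global average pooling; here is a minimal, hypothetical sketch of that substitution (the shapes and the SciPy-based DCT are assumptions, not details from the cited INN).

```python
# Hypothetical sketch: a 2-D DCT per feature map as a drop-in replacement for
# global average pooling, keeping the spatial information in an orthogonal,
# invertible transform instead of averaging it away.
import numpy as np
from scipy.fft import dctn

def global_average_pool(feats):
    # feats: (channels, height, width) -> (channels,)
    return feats.mean(axis=(1, 2))

def dct_head(feats):
    # Orthonormal 2-D DCT per channel; the (0, 0) coefficient is a scaled
    # channel mean, and the remaining coefficients retain the spatial signal.
    return np.stack([dctn(f, norm="ortho") for f in feats]).reshape(feats.shape[0], -1)

feats = np.random.randn(8, 4, 4)
print(global_average_pool(feats).shape)  # (8,)
print(dct_head(feats).shape)             # (8, 16)
```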
“…Szegedy et al 2013 linked adversarial vulnerability to blind spots in the discontinuous classification boundary of the neural network, while Goodfellow et al 2014 blamed it on the local linearity of neural networks and showed it by constructing an attack that leverages this property. Some recent work has connected it with random noise (Fawzi et al, 2016; Ford et al, 2019), spurious correlations learned by neural networks (Ilyas et al, 2019), insufficient data (Schmidt et al, 2018), high dimensions of input data (Gilmer et al, 2018; Fawzi et al, 2018), and distributional shift (Jacobsen et al, 2018; Ding et al, 2019). Similarly, researchers have also focused on constructing techniques to fight against these attacks.…”
Section: Related Work (mentioning)
confidence: 99%
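
The attack that "leverages this property" (local linearity) is the fast gradient sign method; below is a minimal, hypothetical PyTorch sketch of it, with the model, labels, and epsilon as placeholder assumptions.

```python
# Minimal FGSM sketch (the local-linearity attack of Goodfellow et al., 2014);
# `model`, `x`, `y`, and `eps` are placeholders, not values from the cited works.
import torch
import torch.nn.functional as F

def fgsm(model, x, y, eps=0.03):
    x = x.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(x), y)
    loss.backward()
    # Step each input dimension by +/- eps in the direction that increases the loss.
    return (x + eps * x.grad.sign()).clamp(0.0, 1.0).detach()
```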
“…While there exists a plethora of reasons for the adversarial behavior of neural networks (Jacobsen et al, 2018; Simon-Gabriel et al, 2018; Yuan et al, 2019; Ilyas et al, 2019; Geirhos et al, 2018), a recent study by Galloway et al 2019 has shown that BatchNorm is one of them. They have empirically shown that we can enhance the robustness of neural networks against adversarial perturbations by removing BatchNorm.…”
Section: Introduction (mentioning)
confidence: 99%
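
As a rough, hypothetical scaffold for the kind of comparison described above, one could train and attack the same small network with and without BatchNorm; the architecture below is an illustrative assumption, not the one used by Galloway et al.

```python
# Hypothetical comparison scaffold: identical small CNNs that differ only in
# whether BatchNorm is inserted after the convolution.
import torch.nn as nn

def small_cnn(use_batchnorm: bool) -> nn.Sequential:
    layers = [nn.Conv2d(3, 32, kernel_size=3, padding=1)]
    if use_batchnorm:
        layers.append(nn.BatchNorm2d(32))
    layers += [nn.ReLU(), nn.AdaptiveAvgPool2d(1), nn.Flatten(), nn.Linear(32, 10)]
    return nn.Sequential(*layers)

model_with_bn = small_cnn(use_batchnorm=True)      # baseline
model_without_bn = small_cnn(use_batchnorm=False)  # BatchNorm removed
```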