Robust Learning Meets Generative Models: Can Proxy Distributions Improve Adversarial Robustness?

Sehwag, Vikash; Mahloujifar, Saeed; Handina, Tinashe; Dai, Sihui; Xiang, Chong; Chiang, Mung; Mittal, Prateek

doi:10.48550/arxiv.2104.09425

Cited by 5 publications

(9 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this section, we discuss how teachers' performance or architecture influences the student's performance. We conduct experiments using three different robust teacher models -adversarially trained WRT-34 [39], ResNet-50 [10], and ResNet-18 [43] on the CIFAR-10 dataset. All RNAS-Cl models, while achieving similar clean accuracy, exceed its counterpart by more than 10% in PGD accuracy.…”

Section: Teacher's Influence On Student's Performancementioning

confidence: 99%

RNAS-CL: Robust Neural Architecture Search by Cross-Layer Knowledge Distillation

Nath¹,

Wang²,

Yang³

2023

Preprint

View full text Add to dashboard Cite

Deep Neural Networks are vulnerable to adversarial attacks. Neural Architecture Search (NAS), one of the driving tools of deep neural networks, demonstrates superior performance in prediction accuracy in various machine learning applications. However, it is unclear how it performs against adversarial attacks. Given the presence of a robust teacher, it would be interesting to investigate if NAS would produce robust neural architecture by inheriting robustness from the teacher. In this paper, we propose Robust Neural Architecture Search by Cross-Layer Knowledge Distillation (RNAS-CL), a novel NAS algorithm that improves the robustness of NAS by learning from a robust teacher through cross-layer knowledge distillation. Unlike previous knowledge distillation methods that encourage close student/teacher output only in the last layer, RNAS-CL automatically searches for the best teacher layer to supervise each student layer. Experimental result evidences the effectiveness of RNAS-CL and shows that RNAS-CL produces small and robust neural architecture.

show abstract

Section: Teacher's Influence On Student's Performancementioning

confidence: 99%

RNAS-CL: Robust Neural Architecture Search by Cross-Layer Knowledge Distillation

Nath¹,

Wang²,

Yang³

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…However, since performance of pseudo-labelling itself depends on the amount of labeled data, the performance of their technique drops considerably as labeled data is reduced. To alleviate this problem, Sehwag et al [28] illustrated the benefit of using additional data generated from generative models for improving adversarial robustness.…”

Section: Related Workmentioning

confidence: 99%

DE-CROP: Data-efficient Certified Robustness for Pretrained Classifiers

Nayak

Ruchit

Chakraborty

2023

2023 IEEE/CVF Winter Conference on Applications of Computer Vision (WACV)

View full text Add to dashboard Cite

Certified defense using randomized smoothing is a popular technique to provide robustness guarantees for deep neural networks against l 2 adversarial attacks. Existing works use this technique to provably secure a pretrained non-robust model by training a custom denoiser network on entire training data. However, access to the training set may be restricted to a handful of data samples due to constraints such as high transmission cost and the proprietary nature of the data. Thus, we formulate a novel problem of "how to certify the robustness of pretrained models using only a few training samples". We observe that training the custom denoiser directly using the existing techniques on limited samples yields poor certification. To overcome this, our proposed approach (DE-CROP) 1 generates class-boundary and interpolated samples corresponding to each training sample, ensuring high diversity in the feature space of the pretrained classifier. We train the denoiser by maximizing the similarity between the denoised output of the generated sample and the original training sample in the classifier's logit space. We also perform distribution level matching using domain discriminator and maximum mean discrepancy that yields further benefit. In white box setup, we obtain significant improvements over the baseline on multiple benchmark datasets and also report similar performance under the challenging black box setup.* denotes equal contribution.

show abstract

“…Our work is different from these works since we are concerned with distributional robustness guarantees for DG, i.e., a certification that allows us to quantify the generalization performance on an unseen distribution rather than certifying the instance-wise performance (see Appendix C.3 for a comparison between point-wise and distributional robustness). Recently, certified robustness has gained attention in the context of certifying the performance of the classifier (in a distributional sense) on bounded distribution shifts [40,70,59].…”

Section: Domain Generalization and Domain Adaptationmentioning

confidence: 99%

“…To address this, we propose a distance normalization technique that uses the distance between the source P S and a unique reference distribution P S adv as the unit length in the representation space. This distribution P S adv consists of points (z , y) generated similarly to the CW-attack [59,13]: for each z from the source, z is the closest misclassified point (h(z ) = y). Using this, we report all distances in this paper as the normalized distance W2(P S ,•) ρ adv :=W2(P S ,P S adv ) .…”

Section: Domain Generalization Via Minimizing Wasserstein Distancementioning

confidence: 99%

“…[59]: Another recent work showed that distribution divergence can also be used to explain the transfer of robustness across the two domains. In particular, Theorem 1 [59] shows that the difference in the average margin (Rob(h, P ) := E (x,y)∼P [inf h(x ) =y x − x ]) of the classifier h : X → Y under distribution shift is bounded by conditional Wasserstein distance between the two domains (see the original paper for definition).…”

Section: B2 Analyses Of Dg Using Distributional Divergencementioning

confidence: 99%

See 1 more Smart Citation

On Certifying and Improving Generalization to Unseen Domains

Mehra¹,

Kailkhura²,

Chen³

et al. 2022

Preprint

View full text Add to dashboard Cite

Domain Generalization (DG) aims to learn models whose performance remains high on unseen domains encountered at test-time by using data from multiple related source domains. Many existing DG algorithms reduce the divergence between source distributions in a representation space to potentially align the unseen domain close to the sources. This is motivated by the analysis that explains generalization to unseen domains using distributional distance (such as the Wasserstein distance) to the sources. However, due to the openness of the DG objective, it is challenging to evaluate DG algorithms comprehensively using a few benchmark datasets. In particular, we demonstrate that the accuracy of the models trained with DG methods varies significantly across unseen domains, generated from popular benchmark datasets. This highlights that the performance of DG methods on a few benchmark datasets may not be representative of their performance on unseen domains in the wild. To overcome this roadblock, we propose a universal certification framework based on distributionally robust optimization (DRO) that can efficiently certify the worst-case performance of any DG method. This enables a data-independent evaluation of a DG method complementary to the empirical evaluations on benchmark datasets. Furthermore, we propose a training algorithm that can be used with any DG method to provably improve their certified performance. Our empirical evaluation demonstrates the effectiveness of our method at significantly improving the worst-case loss (i.e., reducing the risk of failure of these models in the wild) without incurring a significant performance drop on benchmark datasets.Preprint. Under review.

show abstract

Robust Learning Meets Generative Models: Can Proxy Distributions Improve Adversarial Robustness?

Cited by 5 publications

References 0 publications

RNAS-CL: Robust Neural Architecture Search by Cross-Layer Knowledge Distillation

RNAS-CL: Robust Neural Architecture Search by Cross-Layer Knowledge Distillation

DE-CROP: Data-efficient Certified Robustness for Pretrained Classifiers

On Certifying and Improving Generalization to Unseen Domains

Contact Info

Product

Resources

About