Adversarial Training Versus Weight Decay
Performance-critical machine learning models should be robust to input
perturbations not seen during training. Adversarial training is a method for
improving a model's robustness to some perturbations by including them in the
training process, but this tends to exacerbate other vulnerabilities of the
model. The adversarial training framework has the effect of translating the
data with respect to the cost function, while weight decay has a scaling
effect. Although weight decay could be considered a crude regularization
technique, it appears superior to adversarial training as it remains stable
over a broader range of regimes and reduces all generalization errors. Equipped
with these abstractions, we provide key baseline results and methodology for
characterizing robustness. The two approaches can be combined to yield one
small model that demonstrates good robustness to several white-box attacks
associated with different metrics.
Adversarial Examples as an Input-Fault Tolerance Problem
We analyze the adversarial examples problem in terms of a model's fault
tolerance with respect to its input. Whereas previous work focuses on
arbitrarily strict threat models, i.e., -perturbations, we consider
arbitrary valid inputs and propose an information-based characteristic for
evaluating tolerance to diverse input faults.
Comment: NIPS 2018 Workshop on Security and Machine Learning. Source available
at https://github.com/uoguelph-mlrg/nips18-secml-advex-input-faul
How do SGD hyperparameters in natural training affect adversarial robustness?
Learning rate, batch size and momentum are three important hyperparameters in
the SGD algorithm. It is known from the work of Jastrzebski et al.
arXiv:1711.04623 that large batch size training of neural networks yields
models which do not generalize well. Yao et al. arXiv:1802.08241 observe that
large batch training yields models that have poor adversarial robustness. In
the same paper, the authors train models with different batch sizes and compute
the eigenvalues of the Hessian of the loss function. They observe that as the batch
size increases, the dominant eigenvalues of the Hessian become larger. They
also show that both adversarial training and small-batch training lead to a
drop in the dominant eigenvalues of the Hessian, i.e., a lowering of its spectrum. They
combine adversarial training and second order information to come up with a new
large-batch training algorithm and obtain robust models with good
generalization. In this paper, we empirically observe the effect of the SGD
hyperparameters on the accuracy and adversarial robustness of networks trained
with unperturbed samples. Jastrzebski et al. considered training models with a
fixed learning rate to batch size ratio. They observed that the higher the ratio,
the better the generalization. We observe that networks trained with a constant
learning rate to batch size ratio, as proposed in Jastrzebski et al., yield
models which generalize well and also have almost constant adversarial
robustness, independent of the batch size. We observe that momentum is more
effective with varying batch sizes and a fixed learning rate than with constant
learning rate to batch size ratio based SGD training.
Comment: Preliminary version presented in ICML 2019 Workshop on "Understanding
and Improving Generalization in Deep Learning" as "On Adversarial Robustness
of Small vs Large Batch Training".
Adversarially Robust Training through Structured Gradient Regularization
We propose a novel data-dependent structured gradient regularizer to increase
the robustness of neural networks vis-a-vis adversarial perturbations. Our
regularizer can be derived as a controlled approximation from first principles,
leveraging the fundamental link between training with noise and regularization.
It adds very little computational overhead during learning and is simple to
implement generically in standard deep learning frameworks. Our experiments
provide strong evidence that structured gradient regularization can act as an
effective first line of defense against attacks based on low-level signal
corruption.
Measuring Robustness to Natural Distribution Shifts in Image Classification
We study how robust current ImageNet models are to distribution shifts
arising from natural variations in datasets. Most research on robustness
focuses on synthetic image perturbations (noise, simulated weather artifacts,
adversarial examples, etc.), which leaves open how robustness on synthetic
distribution shift relates to distribution shift arising in real data. Informed
by an evaluation of 204 ImageNet models in 213 different test conditions, we
find that there is often little to no transfer of robustness from current
synthetic to natural distribution shift. Moreover, most current techniques
provide no robustness to the natural distribution shifts in our testbed. The
main exception is training on larger and more diverse datasets, which in
multiple cases increases robustness, but is still far from closing the
performance gaps. Our results indicate that distribution shifts arising in real
data are currently an open research problem. We provide our testbed and data as
a resource for future work at https://modestyachts.github.io/imagenet-testbed/