DOI: 10.1007/978-3-031-26351-4_38

Comparing Complexities of Decision Boundaries for Robust Training: A Universal Approach

Published: 26 February 2023

Abstract

We investigate the geometric complexity of decision boundaries for robust training compared to standard training. By considering the local geometry of nearest neighbour sets, we study them in a model-agnostic way and theoretically derive a lower-bound RR on the perturbation magnitude δR for which robust training provably requires a geometrically more complex decision boundary than accurate training. We show that state-of-the-art robust models learn more complex decision boundaries than their non-robust counterparts, confirming previous hypotheses. Then, we compute R for common image benchmarks and find that it also empirically serves as an upper bound over which label noise is introduced. We demonstrate for deep neural network classifiers that perturbation magnitudes δR lead to reduced robustness and generalization performance. Therefore, R bounds the maximum feasible perturbation magnitude for norm-bounded robust training and data augmentation. Finally, we show that R<0.5R for common benchmarks, where R is a distribution’s minimum nearest neighbour distance. Thus, we improve previous work on determining a distribution’s maximum robust radius.



Published In

Computer Vision – ACCV 2022: 16th Asian Conference on Computer Vision, Macao, China, December 4–8, 2022, Proceedings, Part VI
Dec 2022
785 pages
ISBN: 978-3-031-26350-7
DOI: 10.1007/978-3-031-26351-4
Editors: Lei Wang, Juergen Gall, Tat-Jun Chin, Imari Sato, Rama Chellappa

Publisher

Springer-Verlag

Berlin, Heidelberg

Qualifiers

  • Article
