understanding and mitigating the tradeoff between
play

Understanding and Mitigating the Tradeoff Between Robustness and - PowerPoint PPT Presentation

Feb 10, 2024 •106 likes •619 views

Understanding and Mitigating the Tradeoff Between Robustness and Accuracy Aditi Raghunathan* Sang Michael Xie* Fanny Yang John C. Duchi Percy Liang Stanford University Adversarial examples Standard training leads to models that are not

  1. Understanding and Mitigating the Tradeoff Between Robustness and Accuracy Aditi Raghunathan* Sang Michael Xie* Fanny Yang John C. Duchi Percy Liang Stanford University

  2. Adversarial examples • Standard training leads to models that are not robust [Goodfellow et al. 2015]

  3. Adversarial examples • Standard training leads to models that are not robust [Goodfellow et al. 2015] • Adversarial training is a popular approach to improve robustness • It augments the training set on-the-fly with adversarial examples

  4. Adversarial training increases standard error CIFAR-10 Method Robust Accuracy Standard Training 0% TRADES Adversarial 55.4% Training (Zhang et al. 2019) Robust Accuracy : % of test examples misclassified after an ℓ ! -bounded adversarial perturbation

  5. Adversarial training increases standard error CIFAR-10 Method Robust Accuracy Standard Accuracy Standard Training 0% 95.2% TRADES Adversarial 55.4% 84.0% Training (Zhang et al. 2019) Robust Accuracy: % of test examples misclassified after an ℓ ! -bounded adversarial perturbation Why is there a tradeoff between robustness and accuracy? We only augmented with more data!

  6. Prior hypotheses for the tradeoff • Optimal predictor not robust to adversarial perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches 100% std and robust training accuracy

  7. Prior hypotheses for the tradeoff • Optimal predictor not robust to adversarial Perturb perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches 100% std and robust training accuracy

  8. Prior hypotheses for the tradeoff • Optimal predictor not robust to adversarial Perturb perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches 100% std and robust training accuracy

  9. Prior hypotheses for the tradeoff • Optimal predictor not robust to adversarial Perturb perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches 100% std and robust training accuracy

  10. Prior hypotheses for the tradeoff • Optimal predictor not robust to adversarial Perturb perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches 100% std and robust training accuracy These hypotheses suggest a tradeoff even in the infinite data limit…

  11. Prior hypotheses for the tradeoff • Optimal predictor not robust to adversarial Perturb perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches 100% std and robust training accuracy These hypotheses suggest a tradeoff even in the infinite data limit…

  12. Prior hypotheses for the tradeoff • Optimal predictor not robust to adversarial Perturb perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches 100% std and robust training accuracy These hypotheses suggest a tradeoff even in the infinite data limit…

  13. Prior hypotheses for the tradeoff More realistic settings: • Optimal predictor not robust to adversarial perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, Consistent robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches 100% std and robust training accuracy These hypotheses suggest a tradeoff even in the infinite data limit…

  14. Prior hypotheses for the tradeoff More realistic settings: • Optimal predictor not robust to adversarial perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, Consistent robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches Well-specified 100% std and robust training accuracy These hypotheses suggest a tradeoff even in the infinite data limit…

  15. No tradeoff with infinite data CIFAR-10 • Observations • Gap between robust and standard accuracies are large for small data regime • Gap decreases with labeled sample size

  16. No tradeoff with infinite data CIFAR-10 • Observations • Gap between robust and standard accuracies are large for small data regime • Gap decreases with labeled sample size • We ask: if we have consistent perturbations + well-specified model family (no inherent tradeoff), why do we observe a tradeoff in practice?

  17. Results overview • Characterize how training with consistent extra data can increase standard error even in well-specified noiseless linear regression • Analysis suggests robust self-training to mitigate tradeoff [Carmon 2019, Najafi 2019, Uesato 2019]

  18. Results overview • Characterize how training with consistent extra data can increase standard error even in well-specified noiseless linear regression • Analysis suggests robust self-training to mitigate tradeoff [Carmon 2019, Najafi 2019, Uesato 2019] • Prove that robust self-training (RST) improves robust error without hurting standard error in linear setting with unlabeled data

  19. Results overview • Characterize how training with consistent extra data can increase standard error even in well-specified noiseless linear regression • Analysis suggests robust self-training to mitigate tradeoff [Carmon 2019, Najafi 2019, Uesato 2019] • Prove that robust self-training (RST) improves robust error without hurting standard error in linear setting with unlabeled data • Empirically, RST improves robust and standard error across different adversarial training algorithms and adversarial perturbation types

  20. Noiseless linear regression • Model: 𝑧 = 𝑦 ! 𝜄 ∗ Well-specified • Standard data: 𝑌 #$% ∈ ℝ &×% , 𝑧 #$% = 𝑌 #$% 𝜄 ∗ , 𝑜 ≪ 𝑒 (overparameterized) • Extra data (adv examples): 𝑌 ()$ ∈ ℝ *×% , 𝑧 ()$ = 𝑌 ()$ 𝜄 ∗ • We study min-norm interpolators • 𝜄 !"# = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# } • 𝜄 &'( = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# , 𝑌 )*" 𝜄 = 𝑧 )*" } • Standard error: 𝜄 − 𝜄 ∗ ! Σ 𝜄 − 𝜄 ∗ for population covariance Σ

  21. Noiseless linear regression • Model: 𝑧 = 𝑦 ! 𝜄 ∗ Well-specified • Standard data: 𝑌 #$% ∈ ℝ &×% , 𝑧 #$% = 𝑌 #$% 𝜄 ∗ , 𝑜 ≪ 𝑒 (overparameterized) • Extra data (adv examples): 𝑌 ()$ ∈ ℝ *×% , 𝑧 ()$ = 𝑌 ()$ 𝜄 ∗ • We study min-norm interpolators • 𝜄 !"# = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# } • 𝜄 &'( = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# , 𝑌 )*" 𝜄 = 𝑧 )*" } • Standard error: 𝜄 − 𝜄 ∗ ! Σ 𝜄 − 𝜄 ∗ for population covariance Σ

  22. Noiseless linear regression • Model: 𝑧 = 𝑦 ! 𝜄 ∗ Well-specified • Standard data: 𝑌 #$% ∈ ℝ &×% , 𝑧 #$% = 𝑌 #$% 𝜄 ∗ , 𝑜 ≪ 𝑒 (overparameterized) Consistent • Extra data (adv examples): 𝑌 ()$ ∈ ℝ *×% , 𝑧 ()$ = 𝑌 ()$ 𝜄 ∗ • We study min-norm interpolators • 𝜄 !"# = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# } • 𝜄 &'( = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# , 𝑌 )*" 𝜄 = 𝑧 )*" } • Standard error: 𝜄 − 𝜄 ∗ ! Σ 𝜄 − 𝜄 ∗ for population covariance Σ

  23. Noiseless linear regression • Model: 𝑧 = 𝑦 ! 𝜄 ∗ Well-specified • Standard data: 𝑌 #$% ∈ ℝ &×% , 𝑧 #$% = 𝑌 #$% 𝜄 ∗ , 𝑜 ≪ 𝑒 (overparameterized) Consistent • Extra data (adv examples): 𝑌 ()$ ∈ ℝ *×% , 𝑧 ()$ = 𝑌 ()$ 𝜄 ∗ • We study min-norm interpolants • 𝜄 !"# = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# } • 𝜄 &'( = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# , 𝑌 )*" 𝜄 = 𝑧 )*" } • Standard error: 𝜄 − 𝜄 ∗ ! Σ 𝜄 − 𝜄 ∗ for population covariance Σ

  24. Noiseless linear regression • Model: 𝑧 = 𝑦 ! 𝜄 ∗ Well-specified • Standard data: 𝑌 #$% ∈ ℝ &×% , 𝑧 #$% = 𝑌 #$% 𝜄 ∗ , 𝑜 ≪ 𝑒 (overparameterized) Consistent • Extra data (adv examples): 𝑌 ()$ ∈ ℝ *×% , 𝑧 ()$ = 𝑌 ()$ 𝜄 ∗ • We study min-norm interpolants • 𝜄 !"# = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# } • 𝜄 &'( = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# , 𝑌 )*" 𝜄 = 𝑧 )*" } • Standard error: 𝜄 − 𝜄 ∗ ! Σ 𝜄 − 𝜄 ∗ for population covariance Σ

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fatal Tradeoff? Toward A Better Understanding of the Costs of Not Evacuating from a Hurricane in

Fatal Tradeoff? Toward A Better Understanding of the Costs of Not Evacuating from a Hurricane in

Fatal Tradeoff? Toward A Better Understanding of the Costs of Not Evacuating from a Hurricane in Landfall Counties Jeffrey Czajkowski Austin College: Department of Economics Florida International University: Intnl Hurricane Research Center

665 views • 44 slides
Understanding and Mitigating the Impacts of Illegal CFC-11 Use in the Production of Polyurethane

Understanding and Mitigating the Impacts of Illegal CFC-11 Use in the Production of Polyurethane

Understanding and Mitigating the Impacts of Illegal CFC-11 Use in the Production of Polyurethane Foams Clare Perry Environmental Investigation Agency (EIA) International Symposium On The Unexpected Increase in Emissions of Ozone-Depleting

348 views • 18 slides
Staying Secure and Unprepared: Understanding and Mitigating the Security Risks of Apple ZeroConf

Staying Secure and Unprepared: Understanding and Mitigating the Security Risks of Apple ZeroConf

Staying Secure and Unprepared: Understanding and Mitigating the Security Risks of Apple ZeroConf (Xiaolong Bai , Luyi Xing) (co-first authors), Nan Zhang , XiaoFeng Wang , Xiaojing Liao , Tongxin Li , Shi-Min Hu TNList, Tsinghua University,

1.23k views • 70 slides
Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 ,

Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 ,

Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 , Pierre-Alain Fouque 2 , Brice Minaud 3 1 Direction Gnrale de lArmement - Matrise de lInformation 2 Universit de Rennes 1 3 INRIA &

836 views • 45 slides
UNDERSTANDING AND MITIGATING THE IMPACTS OF GPS/GNSS VULNERABILITIES NOVEMBER 2013 T.W. GEHRELS

UNDERSTANDING AND MITIGATING THE IMPACTS OF GPS/GNSS VULNERABILITIES NOVEMBER 2013 T.W. GEHRELS

ANNUAL INDUSTRY WORKSHOP NOVEMBER 6-7, 2013 UNDERSTANDING AND MITIGATING THE IMPACTS OF GPS/GNSS VULNERABILITIES NOVEMBER 2013 T.W. GEHRELS J.J. MAKELA, X. JIANG, A. DOMINGUEZ-GARCIA,G. GAO, R. BOBBA UNIVERSITY OF ILLINOIS AT URBANA CHAMPAIGN

398 views • 16 slides
Understanding and Mitigating Regulatory Risk in Consumer Financial Transactions: Effective

Understanding and Mitigating Regulatory Risk in Consumer Financial Transactions: Effective

Understanding and Mitigating Regulatory Risk in Consumer Financial Transactions: Effective Diligence Strategies Jeffrey P. Taft Steven M. Kaplan Partner Partner +1 202 263 3293 +1 202 263 3005 jtaft@mayerbrown.com skaplan@mayerbrown.com

545 views • 27 slides
Shallow-Deep Networks: Understanding and Mitigating Network Overthinking Yiitcan Kaya , Sanghyun

Shallow-Deep Networks: Understanding and Mitigating Network Overthinking Yiitcan Kaya , Sanghyun

Shallow-Deep Networks: Understanding and Mitigating Network Overthinking Yiitcan Kaya , Sanghyun Hong, Tudor Dumitra University of Maryland, College Park ICML 2019 - Long Beach, CA What is overthinking? We, especially grad students , often

408 views • 24 slides
TCPA COMPLIANCE IN THE HEALTHCARE INDUSTRY: UNDERSTANDING AND MITIGATING RISKS DEREK KEARL,

TCPA COMPLIANCE IN THE HEALTHCARE INDUSTRY: UNDERSTANDING AND MITIGATING RISKS DEREK KEARL,

TCPA COMPLIANCE IN THE HEALTHCARE INDUSTRY: UNDERSTANDING AND MITIGATING RISKS DEREK KEARL, PARTNER INTRODUCTION DEREK KEARL jdkearl@hollandhart.com www.linkedin.com/in/derekkearl 801.799.5857 www.hhhealthlawblog.com AGENDA 1. Overview of

637 views • 35 slides
Understanding and mitigating gradient flow pathologies in physics-informed neural networks Paris

Understanding and mitigating gradient flow pathologies in physics-informed neural networks Paris

Understanding and mitigating gradient flow pathologies in physics-informed neural networks Paris Perdikaris Sifan Wang Department of Mechanical Engineering Applied Mathematics & Computational Science University of Pennsylvania University

444 views • 27 slides
Understanding and Mitigating Internet Routing Threats John Kristoff jtk@cymru.com

Understanding and Mitigating Internet Routing Threats John Kristoff jtk@cymru.com

Understanding and Mitigating Internet Routing Threats John Kristoff jtk@cymru.com Danny McPherson dmcpherson@verisign.com FIRST 2011 John Kristoff & Danny McPherson 1 One of two critical systems Routing (BGP) and naming

495 views • 28 slides
5. Structured Descriptions & Tradeoff Between Expressiveness and Tractability Outline

5. Structured Descriptions & Tradeoff Between Expressiveness and Tractability Outline

5. Structured Descriptions & Tradeoff Between Expressiveness and Tractability Outline Review Expressiveness & Tractability Tradeoff Modern Description Logics Object Oriented Representations Key Representation

652 views • 51 slides
Mitigating Seabird Mitigating Seabird Interactions with Interactions with Trawl Nets Trawl

Mitigating Seabird Mitigating Seabird Interactions with Interactions with Trawl Nets Trawl

Mitigating Seabird Mitigating Seabird Interactions with Interactions with Trawl Nets Trawl Nets Clement & Associates Ltd FISHERIES ADVISORS & ANALYSTS Objectives Objectives Characterise the nature and extent of

730 views • 35 slides
Bias-Variance Tradeoff Matthieu R. Bloch h in a given set H that minimizes the true risk R ( h ) .

Bias-Variance Tradeoff Matthieu R. Bloch h in a given set H that minimizes the true risk R ( h ) .

1 Regularization plays a similar role by biasing answer away from complex functions. Tiis is particu- ; We formalize the bias-variance tradeoff assuming the following: which takes the form We now develop an alternative method to quantify the

454 views • 3 slides
FCPA Compliance is No Longer Enough Understanding Key Provisions, Ensuring Compliance and

FCPA Compliance is No Longer Enough Understanding Key Provisions, Ensuring Compliance and

Presenting a live 90-minute webinar with interactive Q&A Anti-Corruption Reform in Mexico: FCPA Compliance is No Longer Enough Understanding Key Provisions, Ensuring Compliance and Mitigating Legal Risks WEDNESDAY, DECEMBER 9, 2015 1pm

420 views • 27 slides
Entities and Individuals in the Crosshairs Understanding Key Provisions, Ensuring Compliance and

Entities and Individuals in the Crosshairs Understanding Key Provisions, Ensuring Compliance and

Presenting a live 90-minute webinar with interactive Q&A Mexico's New Anti-Corruption Laws and Implementing Regulations: Private Entities and Individuals in the Crosshairs Understanding Key Provisions, Ensuring Compliance and Mitigating

867 views • 43 slides
Mitigating Vulnerabilities Lucas von Stockhausen, Senior Product Manager & Application

Mitigating Vulnerabilities Lucas von Stockhausen, Senior Product Manager & Application

Prioritizing Risk Relative to Mitigating Vulnerabilities Lucas von Stockhausen, Senior Product Manager & Application Security Strategist Jimmy Rabon, Senior Product Manager #MicroFocusCyberSummit Understanding Risk Relative to Remediation

281 views • 25 slides
Outline Assessing the precision of estimates of variance Estimates and standard errors

Outline Assessing the precision of estimates of variance Estimates and standard errors

Outline Assessing the precision of estimates of variance Estimates and standard errors components Summarizing mixed-effects model fits Douglas Bates A simple (but real) example Department of Statistics University of Wisconsin Madison A

371 views • 7 slides
Sparse Jurdjevic-Quinn stabilization Francesco Rossi - Universit dAix-Marseille, France

Sparse Jurdjevic-Quinn stabilization Francesco Rossi - Universit dAix-Marseille, France

Sparse Jurdjevic-Quinn stabilization in finite dimension Sparse Jurdjevic-Quinn stabilization for mean-field equations Sparse Jurdjevic-Quinn stabilization Francesco Rossi - Universit dAix-Marseille, France http://www.LSIS.org/frossi/

1.4k views • 110 slides
Practical denoising of clipped or overexposed noisy images Alessandro Foi www.cs.tut.fi/~foi

Practical denoising of clipped or overexposed noisy images Alessandro Foi www.cs.tut.fi/~foi

1 TAMPERE UNIVERSITY OF TECHNOLOGY Department of Signal Processing Transforms and Spectral Methods Group Practical denoising of clipped or overexposed noisy images Alessandro Foi www.cs.tut.fi/~foi EUSIPCO-2008 - Lausanne, Switzerland,

2.88k views • 40 slides
Stochastic Models of an Uncertain World x = F ( x , u ) x = F ( x , u , 1 ) Lecture

Stochastic Models of an Uncertain World x = F ( x , u ) x = F ( x , u , 1 ) Lecture

Stochastic Models of an Uncertain World x = F ( x , u ) x = F ( x , u , 1 ) Lecture 9: y G ( x ) y G ( x , 2 ) = = Observers and Kalman Filters Actions are uncertain. CS 344R/393R: Robotics Observations are

228 views • 3 slides
Blockchains, the web and standardization: the big opportunity conversation starter Keynote

Blockchains, the web and standardization: the big opportunity conversation starter Keynote

Blockchains, the web and standardization: the big opportunity conversation starter Keynote Arvind Narayanan Princeton University @random_walker Standardization: is it too soon? Are Bitcoin and other blockchains sound? Academic research on

445 views • 27 slides
A Statement on Standardization Orr Dunkelman 1 , Atul Luykx 2 , Lo Perrin 3 1 orrd@cs.haifa.ac.il

A Statement on Standardization Orr Dunkelman 1 , Atul Luykx 2 , Lo Perrin 3 1 orrd@cs.haifa.ac.il

A Statement on Standardization Orr Dunkelman 1 , Atul Luykx 2 , Lo Perrin 3 1 orrd@cs.haifa.ac.il 2 Atul.Luykx@esat.kuleuven.be 2 leo.perrin@uni.lu March 7, 2017 Fast Sofware Encryption 2017 ISO/IEC ISO, IEC ISO promotes worldwide

136 views • 9 slides
Standardizing Your Compliance Activities to Implement Data Analytics and RPA #AuditBoardWebinars

Standardizing Your Compliance Activities to Implement Data Analytics and RPA #AuditBoardWebinars

Standardizing Your Compliance Activities to Implement Data Analytics and RPA #AuditBoardWebinars Jason Sechrist Director of Audit and Compliance Solutions AuditBoard Former Head IT Compliance and Internal Audit Volunteer Board/Audit

427 views • 30 slides
Gaussian Multiscale Spatio-temporal Models for Areal Data Marco A. R. Ferreira (University of

Gaussian Multiscale Spatio-temporal Models for Areal Data Marco A. R. Ferreira (University of

Gaussian Multiscale Spatio-temporal Models for Areal Data Marco A. R. Ferreira (University of Missouri) Scott H. Holan (University of Missouri) Adelmo I. Bertolde (UFES) Outline Motivation Multiscale factorization The multiscale

974 views • 68 slides

More recommend