understanding and mitigating the tradeoff between
play

Understanding and Mitigating the Tradeoff Between Robustness and - PowerPoint PPT Presentation

Feb 10, 2024 •106 likes •619 views

Understanding and Mitigating the Tradeoff Between Robustness and Accuracy Aditi Raghunathan* Sang Michael Xie* Fanny Yang John C. Duchi Percy Liang Stanford University Adversarial examples Standard training leads to models that are not

  1. Understanding and Mitigating the Tradeoff Between Robustness and Accuracy Aditi Raghunathan* Sang Michael Xie* Fanny Yang John C. Duchi Percy Liang Stanford University

  2. Adversarial examples • Standard training leads to models that are not robust [Goodfellow et al. 2015]

  3. Adversarial examples • Standard training leads to models that are not robust [Goodfellow et al. 2015] • Adversarial training is a popular approach to improve robustness • It augments the training set on-the-fly with adversarial examples

  4. Adversarial training increases standard error CIFAR-10 Method Robust Accuracy Standard Training 0% TRADES Adversarial 55.4% Training (Zhang et al. 2019) Robust Accuracy : % of test examples misclassified after an ℓ ! -bounded adversarial perturbation

  5. Adversarial training increases standard error CIFAR-10 Method Robust Accuracy Standard Accuracy Standard Training 0% 95.2% TRADES Adversarial 55.4% 84.0% Training (Zhang et al. 2019) Robust Accuracy: % of test examples misclassified after an ℓ ! -bounded adversarial perturbation Why is there a tradeoff between robustness and accuracy? We only augmented with more data!

  6. Prior hypotheses for the tradeoff • Optimal predictor not robust to adversarial perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches 100% std and robust training accuracy

  7. Prior hypotheses for the tradeoff • Optimal predictor not robust to adversarial Perturb perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches 100% std and robust training accuracy

  8. Prior hypotheses for the tradeoff • Optimal predictor not robust to adversarial Perturb perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches 100% std and robust training accuracy

  9. Prior hypotheses for the tradeoff • Optimal predictor not robust to adversarial Perturb perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches 100% std and robust training accuracy

  10. Prior hypotheses for the tradeoff • Optimal predictor not robust to adversarial Perturb perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches 100% std and robust training accuracy These hypotheses suggest a tradeoff even in the infinite data limit…

  11. Prior hypotheses for the tradeoff • Optimal predictor not robust to adversarial Perturb perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches 100% std and robust training accuracy These hypotheses suggest a tradeoff even in the infinite data limit…

  12. Prior hypotheses for the tradeoff • Optimal predictor not robust to adversarial Perturb perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches 100% std and robust training accuracy These hypotheses suggest a tradeoff even in the infinite data limit…

  13. Prior hypotheses for the tradeoff More realistic settings: • Optimal predictor not robust to adversarial perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, Consistent robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches 100% std and robust training accuracy These hypotheses suggest a tradeoff even in the infinite data limit…

  14. Prior hypotheses for the tradeoff More realistic settings: • Optimal predictor not robust to adversarial perturbations [Tsipras et al. 2019] • But typical perturbations are imperceptible, Consistent robustness should be possible • Hypothesis class not expressive enough [Nakkiran et al. 2019] • But neural networks highly expressive, reaches Well-specified 100% std and robust training accuracy These hypotheses suggest a tradeoff even in the infinite data limit…

  15. No tradeoff with infinite data CIFAR-10 • Observations • Gap between robust and standard accuracies are large for small data regime • Gap decreases with labeled sample size

  16. No tradeoff with infinite data CIFAR-10 • Observations • Gap between robust and standard accuracies are large for small data regime • Gap decreases with labeled sample size • We ask: if we have consistent perturbations + well-specified model family (no inherent tradeoff), why do we observe a tradeoff in practice?

  17. Results overview • Characterize how training with consistent extra data can increase standard error even in well-specified noiseless linear regression • Analysis suggests robust self-training to mitigate tradeoff [Carmon 2019, Najafi 2019, Uesato 2019]

  18. Results overview • Characterize how training with consistent extra data can increase standard error even in well-specified noiseless linear regression • Analysis suggests robust self-training to mitigate tradeoff [Carmon 2019, Najafi 2019, Uesato 2019] • Prove that robust self-training (RST) improves robust error without hurting standard error in linear setting with unlabeled data

  19. Results overview • Characterize how training with consistent extra data can increase standard error even in well-specified noiseless linear regression • Analysis suggests robust self-training to mitigate tradeoff [Carmon 2019, Najafi 2019, Uesato 2019] • Prove that robust self-training (RST) improves robust error without hurting standard error in linear setting with unlabeled data • Empirically, RST improves robust and standard error across different adversarial training algorithms and adversarial perturbation types

  20. Noiseless linear regression • Model: 𝑧 = 𝑦 ! 𝜄 ∗ Well-specified • Standard data: 𝑌 #$% ∈ ℝ &×% , 𝑧 #$% = 𝑌 #$% 𝜄 ∗ , 𝑜 ≪ 𝑒 (overparameterized) • Extra data (adv examples): 𝑌 ()$ ∈ ℝ *×% , 𝑧 ()$ = 𝑌 ()$ 𝜄 ∗ • We study min-norm interpolators • 𝜄 !"# = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# } • 𝜄 &'( = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# , 𝑌 )*" 𝜄 = 𝑧 )*" } • Standard error: 𝜄 − 𝜄 ∗ ! Σ 𝜄 − 𝜄 ∗ for population covariance Σ

  21. Noiseless linear regression • Model: 𝑧 = 𝑦 ! 𝜄 ∗ Well-specified • Standard data: 𝑌 #$% ∈ ℝ &×% , 𝑧 #$% = 𝑌 #$% 𝜄 ∗ , 𝑜 ≪ 𝑒 (overparameterized) • Extra data (adv examples): 𝑌 ()$ ∈ ℝ *×% , 𝑧 ()$ = 𝑌 ()$ 𝜄 ∗ • We study min-norm interpolators • 𝜄 !"# = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# } • 𝜄 &'( = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# , 𝑌 )*" 𝜄 = 𝑧 )*" } • Standard error: 𝜄 − 𝜄 ∗ ! Σ 𝜄 − 𝜄 ∗ for population covariance Σ

  22. Noiseless linear regression • Model: 𝑧 = 𝑦 ! 𝜄 ∗ Well-specified • Standard data: 𝑌 #$% ∈ ℝ &×% , 𝑧 #$% = 𝑌 #$% 𝜄 ∗ , 𝑜 ≪ 𝑒 (overparameterized) Consistent • Extra data (adv examples): 𝑌 ()$ ∈ ℝ *×% , 𝑧 ()$ = 𝑌 ()$ 𝜄 ∗ • We study min-norm interpolators • 𝜄 !"# = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# } • 𝜄 &'( = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# , 𝑌 )*" 𝜄 = 𝑧 )*" } • Standard error: 𝜄 − 𝜄 ∗ ! Σ 𝜄 − 𝜄 ∗ for population covariance Σ

  23. Noiseless linear regression • Model: 𝑧 = 𝑦 ! 𝜄 ∗ Well-specified • Standard data: 𝑌 #$% ∈ ℝ &×% , 𝑧 #$% = 𝑌 #$% 𝜄 ∗ , 𝑜 ≪ 𝑒 (overparameterized) Consistent • Extra data (adv examples): 𝑌 ()$ ∈ ℝ *×% , 𝑧 ()$ = 𝑌 ()$ 𝜄 ∗ • We study min-norm interpolants • 𝜄 !"# = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# } • 𝜄 &'( = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# , 𝑌 )*" 𝜄 = 𝑧 )*" } • Standard error: 𝜄 − 𝜄 ∗ ! Σ 𝜄 − 𝜄 ∗ for population covariance Σ

  24. Noiseless linear regression • Model: 𝑧 = 𝑦 ! 𝜄 ∗ Well-specified • Standard data: 𝑌 #$% ∈ ℝ &×% , 𝑧 #$% = 𝑌 #$% 𝜄 ∗ , 𝑜 ≪ 𝑒 (overparameterized) Consistent • Extra data (adv examples): 𝑌 ()$ ∈ ℝ *×% , 𝑧 ()$ = 𝑌 ()$ 𝜄 ∗ • We study min-norm interpolants • 𝜄 !"# = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# } • 𝜄 &'( = argmin $ { 𝜄 % : 𝑌 !"# 𝜄 = 𝑧 !"# , 𝑌 )*" 𝜄 = 𝑧 )*" } • Standard error: 𝜄 − 𝜄 ∗ ! Σ 𝜄 − 𝜄 ∗ for population covariance Σ

Recommend

Fatal Tradeoff? Toward A Better Understanding of the Costs of Not Evacuating from a Hurricane in

Fatal Tradeoff? Toward A Better Understanding of the Costs of Not Evacuating from a Hurricane in

Fatal Tradeoff? Toward A Better Understanding of the Costs of Not Evacuating from a Hurricane in Landfall Counties Jeffrey Czajkowski Austin College: Department of Economics Florida International University: Intnl Hurricane Research Center

665 views • 44 slides
Understanding and Mitigating the Impacts of Illegal CFC-11 Use in the Production of Polyurethane

Understanding and Mitigating the Impacts of Illegal CFC-11 Use in the Production of Polyurethane

Understanding and Mitigating the Impacts of Illegal CFC-11 Use in the Production of Polyurethane Foams Clare Perry Environmental Investigation Agency (EIA) International Symposium On The Unexpected Increase in Emissions of Ozone-Depleting

348 views • 18 slides
Staying Secure and Unprepared: Understanding and Mitigating the Security Risks of Apple ZeroConf

Staying Secure and Unprepared: Understanding and Mitigating the Security Risks of Apple ZeroConf

Staying Secure and Unprepared: Understanding and Mitigating the Security Risks of Apple ZeroConf (Xiaolong Bai , Luyi Xing) (co-first authors), Nan Zhang , XiaoFeng Wang , Xiaojing Liao , Tongxin Li , Shi-Min Hu TNList, Tsinghua University,

1.23k views • 70 slides
Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 ,

Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 ,

Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 , Pierre-Alain Fouque 2 , Brice Minaud 3 1 Direction Gnrale de lArmement - Matrise de lInformation 2 Universit de Rennes 1 3 INRIA &

836 views • 45 slides
UNDERSTANDING AND MITIGATING THE IMPACTS OF GPS/GNSS VULNERABILITIES NOVEMBER 2013 T.W. GEHRELS

UNDERSTANDING AND MITIGATING THE IMPACTS OF GPS/GNSS VULNERABILITIES NOVEMBER 2013 T.W. GEHRELS

ANNUAL INDUSTRY WORKSHOP NOVEMBER 6-7, 2013 UNDERSTANDING AND MITIGATING THE IMPACTS OF GPS/GNSS VULNERABILITIES NOVEMBER 2013 T.W. GEHRELS J.J. MAKELA, X. JIANG, A. DOMINGUEZ-GARCIA,G. GAO, R. BOBBA UNIVERSITY OF ILLINOIS AT URBANA CHAMPAIGN

398 views • 16 slides
Understanding and Mitigating Regulatory Risk in Consumer Financial Transactions: Effective

Understanding and Mitigating Regulatory Risk in Consumer Financial Transactions: Effective

Understanding and Mitigating Regulatory Risk in Consumer Financial Transactions: Effective Diligence Strategies Jeffrey P. Taft Steven M. Kaplan Partner Partner +1 202 263 3293 +1 202 263 3005 jtaft@mayerbrown.com skaplan@mayerbrown.com

545 views • 27 slides
Shallow-Deep Networks: Understanding and Mitigating Network Overthinking Yiitcan Kaya , Sanghyun

Shallow-Deep Networks: Understanding and Mitigating Network Overthinking Yiitcan Kaya , Sanghyun

Shallow-Deep Networks: Understanding and Mitigating Network Overthinking Yiitcan Kaya , Sanghyun Hong, Tudor Dumitra University of Maryland, College Park ICML 2019 - Long Beach, CA What is overthinking? We, especially grad students , often

408 views • 24 slides
TCPA COMPLIANCE IN THE HEALTHCARE INDUSTRY: UNDERSTANDING AND MITIGATING RISKS DEREK KEARL,

TCPA COMPLIANCE IN THE HEALTHCARE INDUSTRY: UNDERSTANDING AND MITIGATING RISKS DEREK KEARL,

TCPA COMPLIANCE IN THE HEALTHCARE INDUSTRY: UNDERSTANDING AND MITIGATING RISKS DEREK KEARL, PARTNER INTRODUCTION DEREK KEARL jdkearl@hollandhart.com www.linkedin.com/in/derekkearl 801.799.5857 www.hhhealthlawblog.com AGENDA 1. Overview of

637 views • 35 slides
Understanding and mitigating gradient flow pathologies in physics-informed neural networks Paris

Understanding and mitigating gradient flow pathologies in physics-informed neural networks Paris

Understanding and mitigating gradient flow pathologies in physics-informed neural networks Paris Perdikaris Sifan Wang Department of Mechanical Engineering Applied Mathematics & Computational Science University of Pennsylvania University

444 views • 27 slides
Understanding and Mitigating Internet Routing Threats John Kristoff jtk@cymru.com

Understanding and Mitigating Internet Routing Threats John Kristoff jtk@cymru.com

Understanding and Mitigating Internet Routing Threats John Kristoff jtk@cymru.com Danny McPherson dmcpherson@verisign.com FIRST 2011 John Kristoff & Danny McPherson 1 One of two critical systems Routing (BGP) and naming

495 views • 28 slides
5. Structured Descriptions & Tradeoff Between Expressiveness and Tractability Outline

5. Structured Descriptions & Tradeoff Between Expressiveness and Tractability Outline

5. Structured Descriptions & Tradeoff Between Expressiveness and Tractability Outline Review Expressiveness & Tractability Tradeoff Modern Description Logics Object Oriented Representations Key Representation

652 views • 51 slides
Mitigating Seabird Mitigating Seabird Interactions with Interactions with Trawl Nets Trawl

Mitigating Seabird Mitigating Seabird Interactions with Interactions with Trawl Nets Trawl

Mitigating Seabird Mitigating Seabird Interactions with Interactions with Trawl Nets Trawl Nets Clement & Associates Ltd FISHERIES ADVISORS & ANALYSTS Objectives Objectives Characterise the nature and extent of

730 views • 35 slides
Bias-Variance Tradeoff Matthieu R. Bloch h in a given set H that minimizes the true risk R ( h ) .

Bias-Variance Tradeoff Matthieu R. Bloch h in a given set H that minimizes the true risk R ( h ) .

1 Regularization plays a similar role by biasing answer away from complex functions. Tiis is particu- ; We formalize the bias-variance tradeoff assuming the following: which takes the form We now develop an alternative method to quantify the

454 views • 3 slides
FCPA Compliance is No Longer Enough Understanding Key Provisions, Ensuring Compliance and

FCPA Compliance is No Longer Enough Understanding Key Provisions, Ensuring Compliance and

Presenting a live 90-minute webinar with interactive Q&A Anti-Corruption Reform in Mexico: FCPA Compliance is No Longer Enough Understanding Key Provisions, Ensuring Compliance and Mitigating Legal Risks WEDNESDAY, DECEMBER 9, 2015 1pm

420 views • 27 slides
Entities and Individuals in the Crosshairs Understanding Key Provisions, Ensuring Compliance and

Entities and Individuals in the Crosshairs Understanding Key Provisions, Ensuring Compliance and

Presenting a live 90-minute webinar with interactive Q&A Mexico's New Anti-Corruption Laws and Implementing Regulations: Private Entities and Individuals in the Crosshairs Understanding Key Provisions, Ensuring Compliance and Mitigating

867 views • 43 slides
Mitigating Vulnerabilities Lucas von Stockhausen, Senior Product Manager & Application

Mitigating Vulnerabilities Lucas von Stockhausen, Senior Product Manager & Application

Prioritizing Risk Relative to Mitigating Vulnerabilities Lucas von Stockhausen, Senior Product Manager & Application Security Strategist Jimmy Rabon, Senior Product Manager #MicroFocusCyberSummit Understanding Risk Relative to Remediation

281 views • 25 slides
Analysis of the Parallel Distinguished Point Tradeoff Jin Hong, *Ga Won Lee, Daegun Ma Seoul

Analysis of the Parallel Distinguished Point Tradeoff Jin Hong, *Ga Won Lee, Daegun Ma Seoul

Analysis of the Parallel Distinguished Point Tradeoff Jin Hong, *Ga Won Lee, Daegun Ma Seoul National University 13/12/2011 J. Hong, G.W. Lee, D. Ma (SNU) Analysis of the pD tradeoff 13/12/2011 1 / 24 The Inversion Problem N : key space

952 views • 80 slides
Corporate Misconduct: Implications for Companies Understanding Key Provisions of the Yates Memo,

Corporate Misconduct: Implications for Companies Understanding Key Provisions of the Yates Memo,

Presenting a live 90-minute webinar with interactive Q&A DOJ Guidance on Individual Accountability for Corporate Misconduct: Implications for Companies Understanding Key Provisions of the Yates Memo, Ensuring Compliance and Mitigating Legal

502 views • 35 slides
Mitigating Stress: What Neuroscience Teaches Us About Virtual Work and Collaboration Ryan J.

Mitigating Stress: What Neuroscience Teaches Us About Virtual Work and Collaboration Ryan J.

Mitigating Stress: What Neuroscience Teaches Us About Virtual Work and Collaboration Ryan J. Mullenix , AIA Megha Parekh Sinha , AICP, LEED AP BD+C Partner, NBBJ Principal, NBBJ Mitigating Stress Dr. John Medina Professor of Bioengineering,

1.01k views • 33 slides
Performance Tradeoff Considerations in a Graphics Processing Unit

Performance Tradeoff Considerations in a Graphics Processing Unit

Performance Tradeoff Considerations in a Graphics Processing Unit (GPU) Implementation of a Low Detectable Aircraft Sensor System Christopher SCANNELL, Kevin COX,

335 views • 7 slides
Draft Mitigating COVID-19 Impacts in the Workplace Policy Personnel Committee Meeting June

Draft Mitigating COVID-19 Impacts in the Workplace Policy Personnel Committee Meeting June

Draft Mitigating COVID-19 Impacts in the Workplace Policy Personnel Committee Meeting June 3, 2020 TRANSFORMING WASTEWATER TO RESOURCES Background Mitigating COVID-19 Impacts Ensuring the health and safety of District employees is

397 views • 10 slides
Adjoint Data-Flow analyses applied to checkpointing - Tradeoff between snapshots and TBR Benjamin

Adjoint Data-Flow analyses applied to checkpointing - Tradeoff between snapshots and TBR Benjamin

Adjoint Data-Flow analyses applied to checkpointing - Tradeoff between snapshots and TBR Benjamin Dauvergne Tropics Project, INRIA Sophia-Antipolis Adjoint Data-Flow analyses applied to checkpointing -Tradeoff between snapshots and TBR p.1/9

251 views • 12 slides
Mitigating Geomagnetic Induced Currents Using Surge Arresters ALBERTO RAMIREZ MITIGATING

Mitigating Geomagnetic Induced Currents Using Surge Arresters ALBERTO RAMIREZ MITIGATING

Mitigating Geomagnetic Induced Currents Using Surge Arresters ALBERTO RAMIREZ MITIGATING GEOMAGNETIC INDUCED CURRENTS USING SURGE ARRESTERS Alberto Ramirez Orquin Vanessa Ramirez University of Puerto Rico

656 views • 29 slides
Compressed Sensing and Dictionary Learning to Alleviate Tradeoff between Temporal and Spatial

Compressed Sensing and Dictionary Learning to Alleviate Tradeoff between Temporal and Spatial

Compressed Sensing and Dictionary Learning to Alleviate Tradeoff between Temporal and Spatial Resolution in Videos EE 771 Course Project Karan Taneja (15D070022) Anmol Kagrecha (15D070024) Pranav Kulkarni (15D070017) Contents Problem

427 views • 41 slides

More recommend