TL;DR
This paper introduces a novel approach to enhance computer vision models' robustness against distributional shifts caused by image transformations by identifying vulnerable regions and iteratively training with targeted data augmentation.
Contribution
It formulates a combinatorial optimization framework to pinpoint vulnerable image regions and integrates this into a training process for improved robustness.
Findings
Models trained with the proposed method are more robust to image manipulations.
The approach improves performance on classification and segmentation tasks under distributional shifts.
Empirical results demonstrate increased resilience against content-preserving transformations.
[TABLE: Domain generalization performance of MNIST models. Columns (testing dataset): SVHN, SYN, MNIST-M, USPS. Rows: ERM, ADA [58], RDA, RSDA, ESDA.]
[TABLE: Performance of CamVid models. Columns (training procedure): ERM, RDA, RSDA, ESDA. Rows (test): Original, RS, ES.]
[TABLE: Performance of Face Detection API [1].]
[TABLE: Transformation Sets for the Experiments. Columns: Transformations, Range, No. Levels, and one column per experiment (MNIST [31], CIFAR-10 [29], CamVid [10], Faces [1]). Rows: Autocontrast, Brightness, Color, Contrast, Sharpness, Solarize, Grayscale, R-channel enhancer, G-channel enhancer, B-channel enhancer, Size of.]
Addressing Model Vulnerability to Distributional Shifts over Image Transformation Sets
Riccardo Volpi (1), Vittorio Murino (1, 2)
(1) Istituto Italiano di Tecnologia, (2) Università di Verona
{riccardo.volpi,vittorio.murino}@iit.it
VM is also with Huawei Technologies (Ireland) Co., Ltd., Dublin.
Abstract
We are concerned with the vulnerability of computer vision models to distributional shifts. We formulate a combinatorial optimization problem that allows evaluating the regions in the image space where a given model is more vulnerable, in terms of image transformations applied to the input, and face it with standard search algorithms. We further embed this idea in a training procedure, where we define new data augmentation rules according to the image transformations that the current model is most vulnerable to, over iterations. An empirical evaluation on classification and semantic segmentation problems suggests that the devised algorithm allows to train models that are more robust against content-preserving image manipulations and, in general, against distributional shifts. (Footnote 1: Code at github.com/ricvolpi/domain-shift-robustness.)
1 Introduction
When designing a machine learning system, we generally want it to perform well across a wide range of domains. However, the available training data is typically defined by samples from a limited number of distributions, resulting in unsatisfactory performance when the model has to process data from unseen distributions [26, 9, 7, 55]. This problem is typically referred to as distributional shift or domain shift, and it was shown to affect models even in cases where the distance between training and testing domain is—apparently—very limited [46, 47].
This vulnerability also affects the robustness of machine learning models against input manipulations [19, 24, 25], potentially leading to harmful situations. As a concrete example, consider the algorithms that analyze images uploaded to social networks in order to evaluate, e.g., if an image contains violence or adult content. The huge set of image modifications that users might carry out can make the underlying learning systems fail in several ways if they, accidentally or with malicious intent, cause a shift that the models are not able to handle. Recognizing this weakness of modern learning systems, an important research direction is defining methods to understand a priori which distributional shifts will lead to a failure of the model.
In this paper, we start from this idea, and develop methods to evaluate and improve the performance of machine learning models for vision tasks, when the input can be modified through a series of content-preserving image transformations. By “content-preserving” [19], we mean transformations that do not modify an image's content, but only the way it is portrayed (e.g., modifying RGB intensities, enhancing contrast, applying filters, etc.).
We cast this problem in terms of combinatorial optimization. Given a black-box model, a set of samples, and a set of image transformations, our goal is to identify the distributional shifts that the model is most vulnerable to when image transformation tuples (namely, concatenations of transformations) are applied. To find these tuples, we investigate two different search algorithms—random search and evolution-based search—showing that it is easy to find tuples that severely deteriorate the model performance for a variety of tasks, such as face detection, semantic scene segmentation, and classification. The main application of this method as-is is to evaluate the vulnerability of a machine learning model before its deployment. Coupled with proper transformation sets, this tool can indeed be used to verify the robustness of a model under a broad variety of input manipulations and visual conditions.
Furthermore, we introduce a training procedure to learn more robust models against this class of transformations. We design an algorithm where new data augmentation rules are included over iterations, in order to cover the distributional shifts where the current model is more vulnerable. We show that models trained in this way are more robust against content-preserving input image manipulations and, moreover, better generalize to unseen scenarios at test time.
1.1 Background and related work
Vulnerability of learning systems.
Recently, the vulnerability of learning systems in different scenarios has gained a lot of attention, in particular in relation to computer vision models (typically, deep convolutional neural networks, or “ConvNets” [30]). A widely studied area is the one related to defense against adversarial perturbations. Gilmer et al. [19] make a distinction between adversarial samples that are merely content-preserving and those that are also indistinguishable from the originals. The latter case takes into account input perturbations, imperceptible to the human eye, that make a model fail. This paradigm has been extensively studied in a substantial body of works (e.g., [20, 51, 32, 22, 41, 38]).
Instead, we can include a broader range of transformations in the “content-preserving” class. Given some input, the content-preserving transformations are the ones that do not change its content, even if the appearance may change significantly. For example, Gilmer et al. [19] explore the performance of a classifier trained on MNIST [31] when the input is modified by altering the background or adding random lines. Brown et al. [11] show that we can cause model failure by including adversarial patches in an image. Hosseini et al. [24] observe that vision models are vulnerable to negative images. The same research group, in another work [25], shows that we can find hue and saturation shifts for a given image that a model is vulnerable to. Furthermore, recent works [23, 18] show that state-of-the-art ImageNet [15] models are vulnerable to simple image modifications. In particular, Hendrycks et al. [23] have found that these models are not resistant to basic noise sources, and Geirhos et al. [18] have shown that these models are biased towards the texture of the objects.
As stated by Gilmer et al. [19], we also deem that “the space of content-preserving image transformations remains largely unexplored in the literature”. One of the aims of this work is to help fill this gap, proposing methods to study, generate, and be robust against content-preserving image transformations. Differently from previous works [19, 25], we are not interested in finding adversarial transformations for single images. We are instead interested in discovering the distributional shifts that a model is in general more vulnerable to, applying the same transformation to all the images in the provided set. In this sense, this work is related to Moosavi-Dezfooli et al. [41], where a single, imperceptible perturbation that fools ImageNet models is found.
Robustness against distributional shifts.
There is a significant body of works whose goal is overcoming issues related to distributional shift.
One of the main research directions is domain adaptation [26, 9, 49, 17, 56, 52, 42, 57], where the goal is to better generalize on domains of interest for which only unlabeled data are available. While there are algorithms that tackle this problem with remarkable results across a variety of tasks, the assumption of an a priori fixed target distribution is often too strong. Domain generalization [33, 43, 44, 50, 39, 58, 34, 36, 58] addresses the problem of dealing with unseen distributions. Usually, the proposed algorithms start from the assumption that the training dataset comprises a number of different populations. One exception is the method proposed by Volpi et al. [58], where the authors introduce a worst-case formulation that improves generalization performance across distributions close to the training one in the semantic space, using a single-source distribution as starting point. Tobin et al. [54] introduce domain randomization for models trained through simulated data. It generates a randomized variety of visual conditions during training, hoping to better generalize when coping with real data.
In this context, the method devised by Volpi et al. [58] is the approach most closely related to the proposed training strategy (detailed in Section 4), since both aim at learning models that better generalize to unseen scenarios, without any assumptions on the number of data populations in the training set. As results will show, the competing algorithm [58] results in models that are only slightly more resistant than the Empirical Risk Minimization (ERM) baseline in the testbed presented in Section 3, and that perform significantly worse than models trained through the algorithm proposed in this work in domain generalization settings.
2 Problem formulation
Let be a model that takes in input images and provides an output according to the given task. Let be a set of datapoints with their labeling, drawn from some data distribution. Finally, let be a set where each object is a data transformation with a related magnitude . The transformations give in output datapoints in the same format as the input ones (RGB images throughout this work). (Footnote 2: To provide a practical example, one object from might be the “brightness” operation, and the intensity level might be .) The transformations can be concatenated and repetitions are allowed; we define a composite transformation as a transformation tuple. We define the set of all the possible transformation tuples that one can obtain by combining objects in as
[TABLE]
A tuple is the concatenation of objects from , and we define it as , with . When we apply the tuple to a datapoint , we apply all the transformations from to . Armed with this set, we propose the following combinatorial optimization problem
[TABLE]
where is a fitness function that measures the performance of a model when provided with some labelled datapoints , transformed according to the tuple . Assuming that the maximum and minimum values for the metric associated with are and [math], respectively, we have
[TABLE]
Intuitively, the tuples that induce lower values, are the ones that a model is more vulnerable to, with respect to the chosen metric. For classifiers, the optimization problem 2 assumes the form
[TABLE]
In general, one can define an instance of problem 2 if provided with a set of annotated samples , a transformation set (and, consequently, a tuple set ), a model , a measure to evaluate the performance of the model, and, consequently, a fitness function . It is not required to have access to the model parameters: it can be a black-box. A legitimate critique of this formulation is that we are not constraining the transformation tuples to be content-preserving. For instance, in the classification problem 3, a proper formulation would include a constraint similar to the following:
[TABLE]
which means that an oracle $\mathcal{O}(\cdot)$ would classify the transformed images in the same way as the original images. In this work, we do not explicitly constrain the transformation tuples to be content-preserving through the optimization problem. We satisfy the constraint by properly defining the set of available image transformations, e.g., focusing on simple color transformations such as RGB enhancement, contrast/brightness adjustments, and setting a proper value for in . Explicitly imposing the constraint is an important research direction, since it would allow considering more complex sets, and we reserve it for future work.
2.1 Transformation set and size of the search space
Given a transformation set with available transformations , where the has available magnitude values, the size of , and consequently the size of the search space of the optimization problem 2, is .
In this work, we consider a transformation set including standard image transformations from the Python library Pillow [4], as done by Cubuk et al. [14], and a few more we included. It is defined by the following transformations, with the number of available intensity levels indicated in parentheses: autocontrast (20), sharpness (20), brightness (20), color (20), contrast (20), grayscale conversion (1), R-channel enhancer (30), G-channel enhancer (30), B-channel enhancer (30), solarize (20). The description of the various transformations is reported in Appendix A, as well as the ranges of intensity levels. This set results in a search space with size . Throughout this work, we will consider tuple sets with and , resulting in search spaces with size in the order of and , respectively.
3 Searching worst-case image transformations
In this section, we analyze different solutions to face the combinatorial optimization problem 2. Specifically, the two approaches rely on random search and evolution-based [40] search. We provide a proof of concept experiment on MNIST models, and report a more exhaustive experimental evaluation in Section 5.
3.1 Random search.
Facing the optimization problem 2 through random search is important for several reasons. First, it is the simplest approach that we can adopt, thus it is worth exploring. Further, random search is often a very strong baseline to compare against, as shown, e.g., in hyper-parameter optimization [8] and neural architecture search [35]. Finally, it sheds light on a relevant question: how is a model affected by random image transformations?
The idea is to evaluate the fitness function over an arbitrary number of random transformation tuples, thus the implementation is straightforward. For clarity and reproducibility, we detail it step-by-step in Algorithm 1. In the following, we will refer to this procedure as RS (short for Random Search).
3.2 Evolution-based search.
We define a simple genetic algorithm [40], aimed at minimizing the objective in problem 2. Each individual of the population is defined by a transformation tuple from a set . We define standard Selection, Crossover and Mutation operations. For a detailed explanation of genetic algorithms and the definitions we provided, we refer to [40]. In the following, we briefly discuss how we use these concepts in our framework.
- Selection. Given in input a population pop, the fitness score of each individual fit, and a positive integer , returns in output a population of individuals sampled from pop with individual probabilities proportional to .
- Crossover. Given in input two initialized populations pop1, where and pop2, where , for each couple of elements we uniformly draw an integer and return the following two individuals: and . The output is the population defined by the new individuals.
- Mutation. Given in input an initialized population pop1 and a mutation rate , it changes each transformation of each tuple in pop with probability , sampling from .
Equipped with these methods, we implement an evolution-based search procedure, detailed in Algorithm 2. The complexity is , where is the population size and is the number of evolutionary steps. Notice that the operations associated with lines 5 and 11, namely computing the fitness function value for each transformation in the population, constitute the computationally expensive part of the algorithm. For each run, we perform fitness function evaluations. In the following, we will refer to this procedure as ES (short for Evolution-based Search).
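The sketch below is an added example, not the authors' code: it runs random search and a genetic search built from the Selection, Crossover and Mutation operators described above against a toy black-box classifier. The 16-pixel images, the simplified brightness/contrast/solarize operations, the selection weights proportional to 1 - fitness, the cut-point range and the generation loop are all assumptions, since the corresponding expressions and Algorithms 1 and 2 are not reproduced on this page.

```python
import random

def make_data():
    """Constructed toy set: 16-pixel grayscale images, label 0 = dark, 1 = bright."""
    data = []
    for i in range(10):
        for label, base in ((0, 0.20), (1, 0.70)):
            b = base + 0.01 * i
            data.append(([b - 0.05, b + 0.05] * 8, label))
    return data

def clip(v):
    return min(1.0, max(0.0, v))

# Simplified stand-ins (assumptions) for three of the operations named on the page.
def brightness(img, level):
    return [clip(p * level) for p in img]

def contrast(img, level):
    mean = sum(img) / len(img)
    return [clip(mean + level * (p - mean)) for p in img]

def solarize(img, threshold):
    return [1.0 - p if p >= threshold else p for p in img]

OPS = {"brightness": brightness, "contrast": contrast, "solarize": solarize}

# Transformation set: each (operation, magnitude) pair is one object.
T = ([("brightness", l) for l in (0.25, 0.5, 0.75, 1.0, 1.5, 2.0)]
     + [("contrast", l) for l in (0.5, 1.0, 1.5)]
     + [("solarize", l) for l in (0.0, 0.5, 0.75)])

def toy_model(img):
    """Hypothetical black box: the search only ever sees its predictions."""
    return 1 if sum(img) / len(img) > 0.5 else 0

def apply_tuple(img, tup):
    for name, level in tup:
        img = OPS[name](img, level)
    return img

def fitness(model, data, tup):
    """Accuracy of the model when every image is transformed by the same tuple."""
    hits = sum(model(apply_tuple(img, tup)) == label for img, label in data)
    return hits / len(data)

def random_tuple(rng, n):
    return tuple(rng.choice(T) for _ in range(n))

def random_search(model, data, n, iters, rng):
    """RS: score `iters` random tuples, keep the one with the lowest accuracy."""
    scored = [(fitness(model, data, t), t)
              for t in (random_tuple(rng, n) for _ in range(iters))]
    best_fit, best = min(scored)
    return best, best_fit

def selection(pop, fit, k, rng):
    # Assumed weighting: lower accuracy means a higher chance of becoming a parent.
    # The small constant keeps the weights valid when every individual scores 1.0.
    weights = [1.0 - f + 1e-6 for f in fit]
    return rng.choices(pop, weights=weights, k=k)

def crossover(pop1, pop2, rng):
    children = []
    for a, b in zip(pop1, pop2):
        cut = rng.randint(0, len(a))   # single cut point, drawn uniformly
        children += [a[:cut] + b[cut:], b[:cut] + a[cut:]]
    return children

def mutation(pop, rate, rng):
    return [tuple(rng.choice(T) if rng.random() < rate else gene for gene in t)
            for t in pop]

def evolution_search(model, data, n, pop_size, generations, rate, rng):
    """ES: returns (worst tuple, its accuracy, best-so-far accuracy per generation)."""
    pop = [random_tuple(rng, n) for _ in range(pop_size)]
    fit = [fitness(model, data, t) for t in pop]
    best_fit, best = min(zip(fit, pop))
    history = [best_fit]
    for _ in range(generations):
        half = pop_size // 2
        parents1 = selection(pop, fit, half, rng)
        parents2 = selection(pop, fit, half, rng)
        pop = mutation(crossover(parents1, parents2, rng), rate, rng)
        fit = [fitness(model, data, t) for t in pop]   # the expensive step
        gen_fit, gen_best = min(zip(fit, pop))
        if gen_fit < best_fit:
            best_fit, best = gen_fit, gen_best
        history.append(best_fit)
    return best, best_fit, history

if __name__ == "__main__":
    data = make_data()
    print("clean accuracy:", fitness(toy_model, data, ()))
    print("RS:", random_search(toy_model, data, 3, 300, random.Random(0)))
    print("ES:", evolution_search(toy_model, data, 3, 30, 10, 0.1, random.Random(1))[:2])
```

Because the fitness function only calls the model on transformed inputs, the same two search routines can be pointed at any predictor that exposes predictions, which is the pre-deployment evaluation use the paper describes.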
3.3 Proof of concept: MNIST
The MNIST dataset [31] is defined by pixel images, representing white digits on a black background. It is divided into a sample training set and a sample test set. In our experiments, we train a small ConvNet (conv-pool-conv-pool-fc-fc-softmax) on the whole training set, via backpropagation [48]. We resize the images to pixels, in order to be comparable with other digit datasets (in view of the domain generalization experiments reported in Section 5). We apply the search algorithms (RS and ES) on problem 2 using samples from the test set. We set , namely, we use transformation tuples defined by three transformations.
The blue curve in Figure 2 is the density plot associated with all the fitness function values obtained while running RS for iterations, using as model the trained ConvNet—that achieves accuracy on the clean test set. The accuracy values are reported on the x-axis. Values lower than the one indicated by the black flag have less than probability to be achieved by transforming the input through transformation tuples sampled from . This plot provides a glance on the vulnerability of MNIST models to the image transformations included in our set. It shows that there is a substantial mass of transformation tuples that the model is resistant to, but, even though with lower probability to be sampled, there are transformation tuples against which the model is severely vulnerable.
Table 1 (RS row) shows the minimum accuracy obtained in evaluations of the fitness function , averaged over different models. We report results associated with both models trained via standard ERM (homonymous column) and models trained through the method proposed by Volpi et al. [58] (“ADA” column). As one can observe, both types of models are severely vulnerable to the transformation tuples found through RS. For comparison with previous work, we also report results obtained on negative images [24] and on images with random hue/value perturbations [25] (for the latter, we used the original code).
We proceed by approaching problem 2 through ES, setting population size , number of generations and mutation rate . With this setting, the number of fitness evaluations is . The red flags in Figure 2 indicate the values achieved on different runs, using the same ConvNet as in the RS experiment. A comparison between the threshold (black flag) and the results obtained via evolution shows that ES allows to efficiently find low-probability transformation tuples that the model is most vulnerable to. Furthermore, even though we set , ES can find transformation tuples that go beyond the threshold in fewer iterations. We report this evidence in Figure 2 (bottom), which shows the evolution of during iterations of ES. Comparing this result with the ones pictured in Figure 2 (top), one can observe that even by setting ( fitness function evaluations), ES outperforms the threshold in the RS results. We report numerical results in Table 1 (ES row), where we average over models the lowest achieved over runs of ES with different initializations. In Section 5, we will provide a more exhaustive analysis of the efficacy of RS and ES to approach different instances of problem 2.
4 Training more robust models
In this section, we detail two straightforward methods devised to train models that are robust against content-preserving transformations from a given set.
The simplest approach that one can devise is likely the following: given a set , we can perform data augmentation by sampling transformation tuples and applying them to the training images throughout the training procedure. We term this method Randomized Data Augmentation, in short RDA. This technique can be interpreted as an application of domain randomization [54] to real data instead of simulated ones.
Drawing inspiration from the literature related to adversarial robustness [20, 51, 58], where a loss is minimized with respect to adversarially perturbed inputs, we devise a method that is more effective than RDA in our setting. We propose a training procedure where transformation tuples that the current model is most vulnerable to are searched throughout the training procedure (via RS or ES), and data augmentation is performed according to the so-found transformations. We implement this idea as follows: (a) we define a transformation set to sample from during training (the “data augmentation set” ), that at the beginning of training only comprises the identity transformation; (b) we train the network via gradient descent updates [12], augmenting samples by applying transformations uniformly sampled from (in this work, the loss used is the cross-entropy function between the output of the model and the ground truth labels); (c) we run RS or ES, using appropriate fitness function and tuple set , and append the so-found transformation tuple to . We alternate between steps (b) and (c) for the desired number of times, and (d) we repeat step (b) until the value of the loss is satisfactory. The procedure is also detailed in Algorithm 3.
As results will show, the latter method performs significantly better than RDA in several settings. In the next Sections, we will refer to this method as RSDA or ESDA, short for Random Search Data Augmentation and Evolution-based Search Data Augmentation, respectively.
5 Experiments
In Section 3.3, we provided a first evidence that the problem formulation introduced in Section 2 can be useful to detect harmful distributional shifts for a given model—in terms of image transformations. In Section 4, we introduced different methods to train more robust models.
In this section, we further validate the effectiveness of RS and ES on different instances of problem 2, associated with models for classification, semantic segmentation and face detection. Furthermore, we evaluate the performance of classification and semantic segmentation models trained through RDA, RSDA and ESDA, assessing both their robustness against image transformations and their domain generalization properties. When we search for transformations while running RSDA and ESDA (Algorithm 3, line 9), we set for RS and for ES. When we apply ES, we set number of individuals and mutation rate throughout the entire analysis. We use accuracy as evaluation metric in all the experiments.
5.1 Digit Recognition
Experimental setup.
We adopt the same experimental setting detailed in Section 3.3. We train models via ERM and RDA for gradient descent updates. When we train models through RSDA/ESDA, we set and , running a total of weight updates also in this case. We use a subset of samples from the training set when we run RS/ES (Algorithm 3, line 9). In all the experiments, we set the size of the transformation tuples as . We use Adam [28] as optimizer, with learning rate , , and .
In addition to assessing model vulnerability against the transformations found via RS and ES, we also evaluate the domain generalization capabilities of MNIST models, testing on different, unseen digit datasets (SVHN [45], SYN [17], MNIST-M [17], USPS [16]), following the evaluation protocol used by Volpi et al. [58]. Samples from every dataset were resized to pixels and treated as RGB images, to be comparable. Notice that we do not use any sample from datasets other than MNIST during training.
Results.
In Section 3.3 we showed that our setup allows to find transformation tuples that lower the accuracy of MNIST models to values as low as (Table 1 – ES row, ERM column). We are now interested in evaluating the performance on MNIST models trained through the methods detailed in Section 4 (RDA, RSDA and ESDA). Table 1 (last three columns) shows the performance of models trained with the proposed methods. The most robust model is the one trained through ESDA, for which the accuracy related to each testing case is greater than . All our models are resistant to the negative operation applied to the images [24], with accuracy values greater than . An important result is that there is not a statistically significant accuracy loss on original samples (Table 1 – first row).
Having confirmed that we can train more robust models against the types of perturbations introduced in this work, we are interested in evaluating the performance in the domain generalization testbed; Table 2 reports our findings. Also in this setting, we observe that models trained via ESDA are the most robust against distributional shifts. Models trained via RSDA perform slightly worse, but are significantly more robust than the ones trained via RDA in different test cases. The more significant result is that, when testing on SVHN, there is gap when comparing RDA and ESDA. Furthermore, although the transformation set used is biased towards color transformations, we can observe improved performance with respect to ERM also when testing on USPS, whose samples differ from MNIST ones only in their shape.
5.2 CIFAR-10 Classification
Experimental setup.
We use the CIFAR-10 [29] dataset, and train Wide Residual Network models (WRN [59]) on the provided training set. We have chosen this class of models because they are broadly used in the community and they provide results competitive with the state of the art on CIFAR-10. We train networks with layers and set the width to , choosing a trade-off between accuracy and training/testing speed, among the recipes proposed in the original work [59]. We use the original code provided by the authors [5].
When training the ERM and RDA models, we follow the procedure proposed in [59], and run stochastic gradient descent with momentum for epochs, starting with a learning rate and decaying it at epochs , and . When training RSDA and ESDA models, we observed that the learning procedure is eased if the new augmentation rules are included while we are training the model with a large learning rate. For this reason, we start the learning rate decay after having searched for a satisfactory number of transformations. In the results proposed in this section, we search for different ones, and each search procedure is followed by epochs of training.
We set the size of the tuples in as ; with respect to the transformation set described in Section 2.1, we do not include solarize and grayscale. When we search for transformations, we use samples drawn from the training set. When we test the models, we search for transformations through RS and ES using the whole test set. We run RS with iterations and three runs of ES with iterations; the results reported in the next paragraph are associated with the optimal found. In addition to testing the model vulnerability against such transformations, we also evaluate the domain generalization capabilities of WRN models, assessing the performance on CIFAR-10.1 [46] dataset and on STL [13] dataset. We remove samples associated with the class “monkey”, not present in the CIFAR-10 dataset, and resize images to , to be comparable.
Results.
Table 3 reports the achieved results. The “ERM” column, which shows the results obtained by testing baseline models in different conditions, confirms the results we observed in the MNIST experiment, although with less dramatic effects. Indeed, we can find transformation tuples that the model is significantly vulnerable to, by using RS () and ES (, with a larger standard deviation). Concerning models trained with our methods, also in this experiment RDA represents an effective strategy, but RSDA and ESDA allow to train more robust models, with respect to the transformations we are testing against.
Furthermore, the last row, reporting results obtained when testing on STL dataset, confirms the domain generalization capabilities of models trained with our method; using Algorithm 3, we can observe improvement in accuracy, when compared against ERM. When testing on CIFAR 10.1, the benefits are less marked, but still noticeable in the RSDA case. Each accuracy value reported was obtained by averaging over different runs.
5.3 Semantic Scene Segmentation
Experimental setup.
We train FC-DenseNet [27] models on the CamVid [10] dataset. We use the layer version of the model, relying on an open-source implementation [6]. Also in this case, the choice of the model is due to its success with respect to the analyzed benchmark. The CamVid dataset contains training images, validation images and testing images from classes. We lower the sample resolution from to , and train the models for epochs.
When we train using RSDA/ESDA, we run RS and ES on samples from the training set, and search for new transformations every epochs. We set the size of the tuples as . With respect to the transformation set introduced in Section 2.1, we do not include solarize and grayscale. When we test the vulnerability of the models, we run RS (with ) and three different runs of ES (with ) on samples from the test set. As for previous experiments, we report results related to the minimum values found. Notice that the output of semantic segmentation models is richer than the output of classification models, since a prediction is associated with each pixel; indeed, samples lead to pixel predictions. We use pixel accuracy as a metric [37]. We use RMSprop [53] as optimizer, with decay .
Results.
Table 4 reports the results we obtained. They confirm the higher level of robustness of models trained via RDA, RSDA and ESDA. In this experiment though, we can observe a narrower gap between RDA and RSDA/ESDA.
Figure 3 shows the output of a model trained via ESDA (middle) and the output of a model trained via standard ERM (bottom), when the original input (first column, top) is perturbed with different image transformations (top). These results not only qualitatively show the better performance of ESDA, but also that the transformation tuples we are sampling from are realistic approximations of possible visual conditions that a vision module (for instance, for a self-driving car) might encounter. For example, images in the middle row, second and third column, can be considered as simulations of the light conditions that one could encounter during dawn or sunset—and in which the baseline model performs poorly.
5.4 Face detection
Experimental setup.
We test our search methods on a widely used API for face detection [1], which takes RGB images as input and outputs the locations of the faces in the image. We use four subsets of images uniformly sampled from the MS-Celeb-1M [21], resized to , as input datapoints for RS and ES. Each image contains one celebrity face, so the API outputs a single location if it detects a face, or nothing otherwise. In practical terms, due to the nature of the input, we can interpret the API as a binary model and test it through the optimization problem 3. We set the number of transformations as and . For each value and each subset of faces, we run RS with iterations, and run different runs of ES with . We average results over the optimal values obtained in the four subsets. With respect to the transformation set described in Section 2.1, we do not include solarize.
Results.
Table 5 reports the accuracy values obtained, and Figure 4 reports different examples of faces modified through the transformation tuples found via RS and ES. Green and red squares indicate whether the API has detected a face or not, respectively. Qualitatively, we observed that the model tends to fail when the input manipulation is such that some facial features (for example, the nose) are no longer visible or are deteriorated. The importance of these vulnerabilities depends on the API use case. For example, vulnerability to some grayscale tones might not matter for a model that deals with images recorded in the streets, but it might matter for a social network application. Vulnerability to extreme brightness conditions can be harmful for a street camera, where the broad variety of possible visual conditions might not allow a proper view of the facial features. One strength of the search methods we proposed is that they allow users to set transformation sets according to the applications they are concerned about.
6 Conclusions
We propose a combinatorial optimization problem to find distributional shifts that a given model is vulnerable to, in terms of tuples of image transformations. We show that random search and, in particular, evolution-based search are effective approaches to tackle this problem. Further, we show that the same search algorithms can be exploited in a training procedure, where harmful distributional shifts are searched for and harnessed. We report results for a variety of tasks (classification, segmentation and face detection), showing that the problem formulation is flexible and can be adopted in different circumstances.
Valuable directions for future work include (i) the implementation of more effective methods to approach the optimization problem 2, in order to find more harmful transformations with reduced computational cost, (ii) the analysis of more complex transformation sets, and (iii) the definition of a proper content-preserving constraint in the optimization problem.
Acknowledgments.
We are grateful to Jacopo Cavazza and Federico Marmoreo for helpful discussions concerning the problem formulation proposed in this work.
Appendix A Transformation Sets
In this Section, we report the image transformations briefly introduced in Section 2.1, and used throughout Sections 3.3 and 5. Table 6 reports them (column ), with the range of magnitude values (column ) and the number of values in which the ranges have been discretized (column ). Columns indicate whether a transformation is used (✓) in the experiments of Sections 5.1, 5.2, 5.3 and 5.4, respectively. Grayscale conversion (“Grayscale” row) has only one magnitude value. For all the transformations, excluding the R/G/B-channel enhancement operations, the reader can refer to the PIL library [4], and in particular to the modules [3, 2]. We summarize them in the following, reporting the core descriptions.
- Autocontrast: “Maximize (normalize) image contrast. This function calculates a histogram of the input image, removes cutoff percent of the lightest and darkest pixels from the histogram, and remaps the image so that the darkest pixel becomes black (0), and the lightest becomes white (255)” [3].
- Brightness: “Adjust image brightness. […] An enhancement factor of 0.0 gives a black image. A factor of 1.0 gives the original image” [2].
- Color: “Adjust image color balance. […] An enhancement factor of 0.0 gives a black and white image. A factor of 1.0 gives the original image” [2].
- Contrast: “Adjust image contrast. […] An enhancement factor of 0.0 gives a solid grey image. A factor of 1.0 gives the original image” [2].
- Sharpness: “Adjust image sharpness. […] An enhancement factor of 0.0 gives a blurred image, a factor of 1.0 gives the original image, and a factor of 2.0 gives a sharpened image” [2].
- Solarize: “Invert all pixel values above a threshold” [3].
- Grayscale: “Convert the image to grayscale” [3]. We treat the output as an RGB image by replicating it in three different channels.
- R-channel enhancer: add a value to the R-channel of all pixels.
- G-channel enhancer: add a value to the G-channel of all pixels.
- B-channel enhancer: add a value to the B-channel of all pixels.
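As an added illustration (not code from the paper or its authors), the sketch below implements a few of the transformations listed above in pure Python and runs a random search for the transformation tuple that minimizes a model's accuracy, in the spirit of the RS procedure. The toy classifier, the four-image dataset and the magnitude grids are constructed for the example, and clipping channel values to [0, 255] is an assumption.

```python
import random

def clip(v):
    return max(0, min(255, int(round(v))))
def brightness(img, f):      # factor 0.0 gives black, 1.0 the original
    return [tuple(clip(c * f) for c in p) for p in img]
def solarize(img, thr):      # invert channel values at or above the threshold
    return [tuple(c if c < thr else 255 - c for c in p) for p in img]
def grayscale(img, _=None):  # luma replicated in three channels
    return [(clip(0.299 * r + 0.587 * g + 0.114 * b),) * 3 for r, g, b in img]
def channel(idx):            # R/G/B-channel enhancer; clipping to [0, 255] is assumed
    return lambda img, v: [tuple(clip(c + v) if i == idx else c
                                 for i, c in enumerate(p)) for p in img]

SHIFTS = [-120, -60, 60, 120]
TRANSFORMS = {               # magnitude grids are constructed, not the paper's Table 6
    "brightness": (brightness, [0.25, 0.5, 1.5, 2.0]),
    "solarize": (solarize, [64, 128, 192]),
    "grayscale": (grayscale, [None]),
    "r_enhance": (channel(0), SHIFTS),
    "g_enhance": (channel(1), SHIFTS),
    "b_enhance": (channel(2), SHIFTS),
}

def toy_model(img):          # hypothetical stand-in classifier: 1 = predominantly red
    r, g, b = (sum(p[i] for p in img) / len(img) for i in range(3))
    return int(r > g + 20 and r > b + 20)
# Constructed dataset: four flat-colour 2x2 images with labels.
DATA = [([(200, 30, 30)] * 4, 1), ([(180, 60, 40)] * 4, 1),
        ([(40, 170, 50)] * 4, 0), ([(120, 120, 120)] * 4, 0)]

def accuracy(model, data, tup=()):
    def shift(img):          # apply the (transformation, magnitude) pairs in order
        for name, mag in tup:
            img = TRANSFORMS[name][0](img, mag)
        return img
    return sum(model(shift(x)) == y for x, y in data) / len(data)

def random_search(model, data, n_transforms=2, iters=200, seed=0):
    rng, names = random.Random(seed), sorted(TRANSFORMS)
    best = (accuracy(model, data), ())
    for _ in range(iters):   # keep the tuple with the lowest accuracy found
        tup = tuple((n, rng.choice(TRANSFORMS[n][1]))
                    for n in rng.choices(names, k=n_transforms))
        acc = accuracy(model, data, tup)
        if acc < best[0]:
            best = (acc, tup)
    return best
```

Calling `random_search(toy_model, DATA)` returns the lowest accuracy found together with the tuple that produced it, which can then be fed back as an augmentation rule when retraining.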
References
- [1] Face recognition. https://github.com/ageitgey/face_recognition.
- [2] Pillow ImageEnhance module. https://pillow.readthedocs.io/en/3.0.x/reference/ImageEnhance.html.
- [3] Pillow ImageOps module. https://pillow.readthedocs.io/en/3.0.x/reference/ImageOps.html.
- [4] Python imaging library. https://github.com/python-pillow/Pillow.
- [5] Pytorch training code for wide residual networks. https://github.com/szagoruyko/wide-residual-networks/tree/master/pytorch.
- [6] Semantic segmentation suite. https://github.com/GeorgeSeif/Semantic-Segmentation-Suite.
- [7] Shai Ben-David, John Blitzer, Koby Crammer, and Fernando Pereira. Analysis of representations for domain adaptation. In B. Schölkopf, J. C. Platt, and T. Hoffman, editors, Advances in Neural Information Processing Systems 19, pages 137–144. MIT Press, 2007.
- [8] James Bergstra and Yoshua Bengio. Random search for hyper-parameter optimization. J. Mach. Learn. Res., 13:281–305, Feb. 2012.
