Explicit Tradeoffs between Adversarial and Natural Distributional Robustness

TL;DR

This paper explores the inherent tradeoffs between adversarial robustness and natural distributional robustness in deep neural networks, revealing that improving one can negatively impact the other, with both theoretical analysis and extensive empirical validation.

Contribution

It provides a theoretical and empirical analysis of the tradeoffs between adversarial and natural robustness, highlighting how adversarial training influences reliance on spurious features.

Findings

Adversarial training increases reliance on spurious features.

Spurious reliance in adversarial training depends on feature scale.

Adversarial training can reduce distributional robustness in changing domains.

Abstract

Several existing works study either adversarial or natural distributional robustness of deep neural networks separately. In practice, however, models need to enjoy both types of robustness to ensure reliability. In this work, we bridge this gap and show that in fact, explicit tradeoffs exist between adversarial and natural distributional robustness. We first consider a simple linear regression setting on Gaussian data with disjoint sets of core and spurious features. In this setting, through theoretical and empirical analysis, we show that (i) adversarial training with $\ell_1$ and $\ell_2$ norms increases the model reliance on spurious features; (ii) For $\ell_\infty$ adversarial training, spurious reliance only occurs when the scale of the spurious features is larger than that of the core features; (iii) adversarial training can have an unintended consequence in reducing distributional robustness, specifically when spurious correlations are changed in the new test domain. Next, we present extensive empirical evidence, using a test suite of twenty adversarially trained models evaluated on five benchmark datasets (ObjectNet, RIVAL10, Salient ImageNet-1M, ImageNet-9, Waterbirds), that adversarially trained classifiers rely on backgrounds more than their standardly trained counterparts, validating our theoretical results. We also show that spurious correlations in training data (when preserved in the test domain) can improve adversarial robustness, revealing that previous claims that adversarial vulnerability is rooted in spurious correlations are incomplete.