On the Adversarial Robustness of Mixture of Experts

TL;DR

This paper investigates the adversarial robustness of sparse Mixture of Experts models, showing they can be more robust than dense models of similar size both theoretically and empirically, especially under certain data and routing conditions.

Contribution

It provides the first theoretical analysis of MoEs' Lipschitz constants related to robustness and empirically demonstrates their improved adversarial robustness on ImageNet.

Findings

MoEs can have smaller Lipschitz constants than dense models under certain conditions.

Empirical results show MoEs are more robust to adversarial attacks than dense models with similar computational cost.

Robustness of MoEs depends on the similarity of the top experts' functions for an input.

Abstract

Adversarial robustness is a key desirable property of neural networks. It has been empirically shown to be affected by their sizes, with larger networks being typically more robust. Recently, Bubeck and Sellke proved a lower bound on the Lipschitz constant of functions that fit the training data in terms of their number of parameters. This raises an interesting open question, do -- and can -- functions with more parameters, but not necessarily more computational cost, have better robustness? We study this question for sparse Mixture of Expert models (MoEs), that make it possible to scale up the model size for a roughly constant computational cost. We theoretically show that under certain conditions on the routing and the structure of the data, MoEs can have significantly smaller Lipschitz constants than their dense counterparts. The robustness of MoEs can suffer when the highest weighted experts for an input implement sufficiently different functions. We next empirically evaluate the robustness of MoEs on ImageNet using adversarial attacks and show they are indeed more robust than dense models with the same computational cost. We make key observations showing the robustness of MoEs to the choice of experts, highlighting the redundancy of experts in models trained in practice.