Seasoning Model Soups for Robustness to Adversarial and Natural Distribution Shifts

TL;DR

This paper introduces adversarially-robust model soups, linear combinations of models that can smoothly trade-off robustness to multiple adversarial threats and adapt to distribution shifts without joint training on all threats.

Contribution

It proposes a novel method to create model soups that achieve robustness to multiple adversaries and distribution shifts without needing to train on all threats simultaneously.

Findings

Model soups can trade off robustness to different $ ext{l}_p$ threats.

Robust model soups can outperform specialized models against certain adversaries.

Model soups enable adaptation to distribution shifts with few examples.

Abstract

Adversarial training is widely used to make classifiers robust to a specific threat or adversary, such as $\ell_p$-norm bounded perturbations of a given $p$-norm. However, existing methods for training classifiers robust to multiple threats require knowledge of all attacks during training and remain vulnerable to unseen distribution shifts. In this work, we describe how to obtain adversarially-robust model soups (i.e., linear combinations of parameters) that smoothly trade-off robustness to different $\ell_p$-norm bounded adversaries. We demonstrate that such soups allow us to control the type and level of robustness, and can achieve robustness to all threats without jointly training on all of them. In some cases, the resulting model soups are more robust to a given $\ell_p$-norm adversary than the constituent model specialized against that same adversary. Finally, we show that adversarially-robust model soups can be a viable tool to adapt to distribution shifts from a few examples.