Doubly Robust Instance-Reweighted Adversarial Training
Daouda Sow, Sen Lin, Zhangyang Wang, Yingbin Liang

TL;DR
This paper introduces a doubly-robust instance reweighted adversarial training framework that leverages distributionally robust optimization to improve model robustness, especially on vulnerable data points, with theoretical guarantees.
Contribution
It proposes a novel importance weighting method based on DRO techniques with convergence guarantees, addressing heuristic limitations of prior methods.
Findings
Outperforms state-of-the-art methods in average robust accuracy.
Enhances robustness on the most vulnerable data points.
Provides theoretical convergence guarantees for the algorithm.
Abstract
Assigning importance weights to adversarial data has achieved great success in training adversarially robust networks under limited model capacity. However, existing instance-reweighted adversarial training (AT) methods heavily depend on heuristics and/or geometric interpretations to determine those importance weights, making these algorithms lack rigorous theoretical justification/guarantee. Moreover, recent research has shown that adversarial training suffers from a severe non-uniform robust performance across the training distribution, e.g., data points belonging to some classes can be much more vulnerable to adversarial attacks than others. To address both issues, in this paper, we propose a novel doubly-robust instance reweighted AT framework, which allows to obtain the importance weights via exploring distributionally robust optimization (DRO) techniques, and at the same time…
Peer Reviews
Decision: ICLR 2024 poster
1. The paper is well-written and easy to follow. 2. The motivation is clear and the equivalent compositional optimization problem is reasonable. 3. The proposed CID method has a convergence guarantee.
1. The empirical studies are not sufficient. Only small-scale datasets are adopted in the experiment. 2. The computational analysis is missing. 3. The justifiability of the assumptions is not discussed.
Strength: 1. The mathematical formulation of instance-reweighted bilevel optimization is solved in an elegant manner. 2. The evaluation on imbalanced datasets suggests the worst-case adversarial robustness can be improved.
Weakness: 1. The improvements on PGD and AutoAttack seem to be less significant. The more significant improvements are observed from RA-Tail-30. Therefore, it is necessary to provide more details of the evaluation protocol for RA-Tail-30. 2. Since the advantage is mainly demonstrated at the imbalanced dataset, the current evaluations on Imbalanced datasets (CIFAR10 and SVHN imbalanced) are not enough for analyzing the performance breakpoint. 3. Comparisons with more recent adversarial trainin
1. The proposed framework addresses the issues of heuristics and non-uniform robust performance in adversarial training. The authors use a doubly robust optimization (DRO) approach that is theoretically grounded. It provides a principled way to reweight the training examples based on their vulnerability to adversarial attacks. 2. Even though the algorithm falls under the category of iteratively-reweighted adversarial attack, this paper has a more principled optimization formulation than previous work
Since the algorithm requires computing Jacobian inner products to perform parameter updates in the bi-level optimization, could the authors comment on the incurred time complexity? I am wondering if the algorithm runs much slower than vanilla AT (but only improves the robust accuracy moderately). In their experiments, the authors have compared with AutoAttack which is good, but not with other SOTA methods such as TRADES or Diffusion-based Defense (ICML 2023). Adding some more comparison method
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Advanced Neural Network Applications
