Robustness Reprogramming for Representation Learning
Zhichao Hou, MohamadAli Torkamani, Hamid Krim, Xiaorui Liu
TL;DR
This paper introduces a novel approach to reprogram pre-trained models for enhanced robustness against adversarial and noisy inputs without changing their parameters, using a non-linear pattern matching technique and flexible reprogramming paradigms.
Contribution
It proposes a new non-linear robust pattern matching method and three reprogramming paradigms to improve model robustness efficiently without parameter modification.
Findings
Effective robustness improvements demonstrated across various models.
Reprogramming paradigms offer flexible robustness control.
Insights into designing resilient AI systems.
Abstract
This work tackles an intriguing and fundamental open challenge in representation learning: Given a well-trained deep learning model, can it be reprogrammed to enhance its robustness against adversarial or noisy input perturbations without altering its parameters? To explore this, we revisit the core feature transformation mechanism in representation learning and propose a novel non-linear robust pattern matching technique as a robust alternative. Furthermore, we introduce three model reprogramming paradigms to offer flexible control of robustness under different efficiency requirements. Comprehensive experiments and ablation studies across diverse learning models ranging from basic linear model and MLPs to shallow and modern deep ConvNets demonstrate the effectiveness of our approaches. This work not only opens a promising and orthogonal direction for improving adversarial defenses in…
Peer Reviews
Decision·ICLR 2025 Spotlight
1. Proposed idea of reprogramming is interesting as it would allow reusing the learned features by the original model. May be an important approach to explore in large models. 2. Empirical results consider multiple datasets of various sizes and different perturbations
1. The approach is based on eq 1 and the precursor to this for what is named as "linear feature pattern matching". The first equation (unnumbered equation before eq 1) formulates the OLS solution as the minimum of \mathcal{L}=\sum_{d=1}^{D}{(\frac{y}{D}-a_d.x_d)^2}. However, this formulation of the solution assumes that the prediction error is distributed uniformly across all dimensions which is not generally true and may indeed be very constraining in certain situations. Despite this possible i
* There is a great deal of novelty in this approach. Many defenses against adversarial examples atttempt to learn weights that are more robust, or to detect/purify adversarial inputs to a network. I am not aware of any prior work that modifies the model of computation to increase robustness in this way. * Code and model weights have been provided for replication purposes. * The experimental results are impressive. In particular, in certain cases the third paradigm can increase both robustness a
* Theorem 3.2 is presented in a confusing manner. You refer to $x_0$ as the perturbation, but isn't it instead the location of a possible perturbation? * The theoretical justification for the robustness of NRPM largely relies on the influence functions that are derived for NRPM and LPM. However, there's no explicit connection that's made between influence functions and adversarial robustness. It's not immediately clear to me that the influence function on its own would immediately imply adversar
- This paper provides comprehensive and detailed theoretical analysis and explanations. - This paper is well written to follow.
- This paper leveraged old baselines for ResNet18 backbone while recent baselines (e.g., [1], [2]) are missing and evaluation against stronger attack (e.g., LGV, SPSA, DeepFool) could be beneficial. - [1] Consistency regularization for adversarial robustness - [2] Dynamic Label Adversarial Training for Deep Learning Robustness Against Adversarial Attacks - This paper utilizes backbones that are too small and tasks that are too easy. For example, main table (Table 1, 2) used MLPs and MNIST.
Videos
Taxonomy
TopicsReinforcement Learning in Robotics · Machine Learning and Algorithms · Neural Networks and Applications