ICML20 paper reading (continuous updates)

Virtual Conference

Posted by Yanghao ZHANG on July 7, 2020

Overfitting in adversarially robust deep learning (CMU)

Plenty experiments shows that overfitting to the training set does in fact harm robust performance to a very large degree in adversarially robust training across multiple datasets for both (L-infinity and L-2) model.

Performance gain can be mataching by using early stopping, outperforming other methods like regularization and data augmentation.

Curse of Dimensionality on Randomized Smoothing for Certifiable Robustness (Maryland)

This paper prove the upper bound for cetificate :

  • using I.I.D smoothing distributions
  • using generalized gaussian distributions
  • using uniform L-infinity distributions
  • using uniform L-1 distributions

For L_p attack with p>2, Guassian Certificate is best possible out of I.I.D smoothing distribution. But it deseareses rapidly with the number of demension.

Open Question:

  • can non-I.I.D distributions achieve better certificates?
  • can we use low intrinsic demension of images to mitigate the Curse of Dimensionality

Towards Understanding the Dynamics of the First-Order Adversaries (Harvard University)

It proves that projected gradient ascent finds a local maximum of this non-concave problem in a polynomial number of iterations with high probability.

This is the first work that provides a convergence analysis of the first-order adversaries

In the initial phase of adversarial training, the scale of the inputs matters in the sense that a smaller input scale leads to faster convergence of adversarial training and a more regular landscape. Small numarical scale means small eplison, this leads to:

  • PGM can escape local minimum quickly
  • no sadlle points on the sphere
  • PGM can converge to a local maximum quickly

Attacks Which Do Not Kill Training Make Adversarial Learning Stronger (NUS)

PGD adversarial training has a cross over mixture problem. (The minimax formulation is pessimistic)

This proposes a Min-min formulation for the adversarial training, to provide a tighter upper bound on the adversarial risk.

Adversarial risk captures two purposes: 1) correstly classify the natural data and b)make the decision boundary thick.


  • alleviate the cross-over mixture problem

  • computationally eddicient.

  • can enable larger defennse parameter epslison

  • best performance for wide resnet on CIFAR-10

Future work: a better realizationnn of the min-min formulation.

On Breaking Deep Generative Model-based Defenses and Beyond (PkU)

This paper proposed a method to break the defense of obfuscated gradient, which views the inversion phase as a dynamical system, through which we extract the gradient w.r.t the input by tracing its recent trajectory.

The proposed method can generate the projected samples highly resemble normal samples than DefennseGAN, which is more matching the on-manifold conjecture: normal samples lie on a low dimensional manifold, and adversarial samples are away form it.

Second-Order Provable Defenses against Adversarial Attacks (Maryland) $\color{#FF3030}{Reread}$❗️

Intuition: Curvature effect in robustness (low Curvature leads to large robustness radius)

Curvature-based Robustness Certificate (CRC)

Curvaturebased Robust Training (CRT)

Randomized Smoothing of All Shapes and Sizes

Randomization matters How to defend against strong adversarial attacks

Efficient Robustness Certificates for Discrete Data: Sparsity-Aware Randomized Smoothing for Graphs, Images and More

Scalable Differential Privacy with Certified Robustness in Adversarial Learning

Certified Robustness to Label-Flipping Attacks via Randomized Smoothing

Defense Through Diverse Directions

Towards Understanding the Regularization of Adversarial Robustness on Neural Networks

Adversarial Robustness via Runtime Masking and Cleansing

Stronger and Faster Wasserstein Adversarial Attacks

Learning Adversarially Robust Representations via Worst-Case Mutual Information Maximization

Robustness to Programmable String Transformations via Augmented Abstract Training

Adversarial Robustness for Code

Understanding and Mitigating the Tradeoff between Robustness and Accuracy

Hierarchical Verification for Adversarial Robustness

Neural Network Control Policy Verification With Persistent Adversarial Perturbation

Fundamental Tradeoffs between Invariance and Sensitivity to Adversarial Perturbations