Overfitting in adversarially robust deep learning (CMU)
Plenty experiments shows that overfitting to the training set does in fact harm robust performance to a very large degree in adversarially robust training across multiple datasets for both (L-infinity and L-2) model.
Performance gain can be mataching by using early stopping, outperforming other methods like regularization and data augmentation.
Curse of Dimensionality on Randomized Smoothing for Certifiable Robustness (Maryland)
This paper prove the upper bound for cetificate :
- using I.I.D smoothing distributions
- using generalized gaussian distributions
- using uniform L-infinity distributions
- using uniform L-1 distributions
For L_p attack with p>2, Guassian Certificate is best possible out of I.I.D smoothing distribution. But it deseareses rapidly with the number of demension.
Open Question:
- can non-I.I.D distributions achieve better certificates?
- can we use low intrinsic demension of images to mitigate the Curse of Dimensionality
Towards Understanding the Dynamics of the First-Order Adversaries (Harvard University)
It proves that projected gradient ascent finds a local maximum of this non-concave problem in a polynomial number of iterations with high probability.
This is the first work that provides a convergence analysis of the first-order adversaries
In the initial phase of adversarial training, the scale of the inputs matters in the sense that a smaller input scale leads to faster convergence of adversarial training and a more regular landscape. Small numarical scale means small eplison, this leads to:
- PGM can escape local minimum quickly
- no sadlle points on the sphere
- PGM can converge to a local maximum quickly
Attacks Which Do Not Kill Training Make Adversarial Learning Stronger (NUS)
PGD adversarial training has a cross over mixture problem. (The minimax formulation is pessimistic)
This proposes a Min-min formulation for the adversarial training, to provide a tighter upper bound on the adversarial risk.
Adversarial risk captures two purposes: 1) correstly classify the natural data and b)make the decision boundary thick.
Benefits:
-
alleviate the cross-over mixture problem
-
computationally eddicient.
-
can enable larger defennse parameter epslison
-
best performance for wide resnet on CIFAR-10
Future work: a better realizationnn of the min-min formulation.
On Breaking Deep Generative Model-based Defenses and Beyond (PkU)
This paper proposed a method to break the defense of obfuscated gradient, which views the inversion phase as a dynamical system, through which we extract the gradient w.r.t the input by tracing its recent trajectory.
The proposed method can generate the projected samples highly resemble normal samples than DefennseGAN, which is more matching the on-manifold conjecture: normal samples lie on a low dimensional manifold, and adversarial samples are away form it.
Second-Order Provable Defenses against Adversarial Attacks (Maryland) $\color{#FF3030}{Reread}$❗️
Intuition: Curvature effect in robustness (low Curvature leads to large robustness radius)
Curvature-based Robustness Certificate (CRC)
Curvaturebased Robust Training (CRT)
