It begins with a boundary: A geometric view on probabilistically robust learning

Although deep neural networks have achieved super-human performance on many classification tasks, they often exhibit a worrying lack of robustness towards adversarially generated examples. Thus, considerable effort has been invested into reformulating Empirical Risk Minimization (ERM) into an adversarially robust framework. Recently, attention has shifted towards approaches which interpolate between the robustness offered by adversarial training and the higher clean accuracy and faster training times of ERM. In this paper, we take a fresh and geometric view on one such method -- Probabilistically Robust Learning (PRL) (Robey et al., ICML, 2022). We propose a geometric framework for understanding PRL, which allows us to identify a subtle flaw in its original formulation and to introduce a family of probabilistic nonlocal perimeter functionals to address this. We prove existence of solutions using novel relaxation methods and study properties as well as local limits of the introduced perimeters.

[1] M. Jacobs et al. On the existence of solutions to adversarial training in multiclass classification, 2023, arXiv.

[2] Leon Bungert et al. Gamma-convergence of a nonlocal perimeter arising in adversarial machine learning, 2022, arXiv.

[3] Ambuj Tewari et al. On Proper Learnability between Average- and Worst-case Robustness, 2022, arXiv:2211.05656.

[4] Natalie Frank. Existence and Minimax Theorems for Adversarial Surrogate Risks in Binary Classification, 2022, arXiv.

[5] Jonathan Niles-Weed et al. The Consistency of Adversarial Training for Binary Classification, 2022, arXiv.

[6] Doina Precup et al. Improving Robustness against Real-World and Worst-Case Distribution Shifts through Decision Region Quantification, 2022, ICML.

[7] George J. Pappas et al. Probabilistically Robust Learning: Balancing Average- and Worst-case Performance, 2022, ICML.

[8] Muni Sreenivas Pydi. The Many Faces of Adversarial Risk: An Expanded Study, 2022, IEEE Transactions on Information Theory.

[9] Mehryar Mohri et al. On the Existence of the Adversarial Bayes Classifier (Extended Version), 2021, NeurIPS.

[10] Leon Bungert et al. The Geometry of Adversarial Training in Binary Classification, 2021, arXiv.

[11] Martin Burger et al. Identifying Untrustworthy Predictions in Neural Networks by Geometric Gradient Analysis, 2021, UAI.

[12] Wotao Yin et al. A Zeroth-Order Block Coordinate Descent Algorithm for Huge-Scale Black-Box Optimization, 2021, ICML.

[13] Ryan W. Murray et al. Adversarial Classification: Necessary conditions and geometric flows, 2020, Journal of Machine Learning Research.

[14] Stanley J. Osher et al. EnResNet: ResNets Ensemble via the Feynman-Kac Formalism for Adversarial Defense and Beyond, 2020, SIAM Journal on Mathematics of Data Science.

[15] Nicolas Flammarion et al. Understanding and Improving Fast Adversarial Training, 2020, NeurIPS.

[16] D. Song et al. The Many Faces of Robustness: A Critical Analysis of Out-of-Distribution Generalization, 2020, 2021 IEEE/CVF International Conference on Computer Vision (ICCV).

[17] J. Zico Kolter et al. Fast is better than free: Revisiting adversarial training, 2020, ICLR.

[18] J. M. Mazón et al. The total variation flow in metric random walk spaces, 2019, Calculus of Variations and Partial Differential Equations.

[19] Larry S. Davis et al. Adversarial Training for Free!, 2019, NeurIPS.

[20] Colin Raffel et al. Imperceptible, Robust, and Targeted Adversarial Examples for Automatic Speech Recognition, 2019, ICML.

[21] J. Zico Kolter et al. Certified Adversarial Robustness via Randomized Smoothing, 2019, ICML.

[22] Michael I. Jordan et al. Theoretically Principled Trade-off between Robustness and Accuracy, 2019, ICML.

[23] Aleksander Madry et al. Robustness May Be at Odds with Accuracy, 2018, ICLR.

[24] Jinfeng Yi et al. ZOO: Zeroth Order Optimization Based Black-box Attacks to Deep Neural Networks without Training Substitute Models, 2017, AISec@CCS.

[25] Aleksander Madry et al. Towards Deep Learning Models Resistant to Adversarial Attacks, 2017, ICLR.

[26] Jian Sun et al. Deep Residual Learning for Image Recognition, 2015, 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR).

[27] Jonathon Shlens et al. Explaining and Harnessing Adversarial Examples, 2014, ICLR.

[28] Antonin Chambolle et al. Nonlocal Curvature Flows, 2014, Archive for Rational Mechanics and Analysis.

[29] Matthew D. Zeiler. ADADELTA: An Adaptive Learning Rate Method, 2012, arXiv.

[30] Neil D. Lawrence et al. Dataset Shift in Machine Learning, 2009.

[31] Vladimir N. Vapnik et al. The Nature of Statistical Learning Theory, 2000, Statistics for Engineering and Information Science.

[32] R. Rockafellar et al. Optimization of conditional value-at-risk, 2000.