Robust Few-shot Learning Without Using any Adversarial Samples

The high cost of acquiring and annotating samples has made the ‘few-shot’ learning problem of prime importance. Existing works mainly focus on improving performance on clean data and overlook robustness concerns on the data perturbed with adversarial noise. Recently, a few efforts have been made to combine the few-shot problem with the robustness objective using sophisticated Meta-Learning techniques. These methods rely on the generation of adversarial samples in every episode of training, which further adds a computational burden. To avoid such time-consuming and complicated procedures, we propose a simple but effective alternative that does not require any adversarial samples. Inspired by the cognitive decision-making process in humans, we enforce high-level feature matching between the base class data and their corresponding low-frequency samples in the pretraining stage via self distillation. The model is then fine-tuned on the samples of novel classes where we additionally improve the discriminability of low-frequency query set features via cosine similarity. On a 1-shot setting of the CIFAR-FS dataset, our method yields a massive improvement of 60.55% & 62.05% in adversarial accuracy on the PGD and state-of-the-art Auto Attack, respectively, with a minor drop in clean accuracy compared to the baseline. Moreover, our method only takes 1.69× of the standard training time while being ≈5× faster than state-of-the-art adversarial meta-learning methods. The code is available at https://github.com/vcl-iisc/robust-few-shot-learning.
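An added illustration of the low-frequency samples the abstract refers to, not code from the paper or its repository. It assumes a circular FFT low-pass mask (the abstract does not say how the samples are built) and compares images in pixel space rather than network features; the image, the random-sign perturbation and the names `low_frequency_sample`, `compare`, `radius` and `eps` are constructed for this example.

```python
import numpy as np


def low_frequency_sample(image, radius):
    """Zero every 2-D Fourier coefficient farther than `radius` from DC.

    Assumed construction: the abstract does not specify the filter.
    """
    h, w = image.shape
    spectrum = np.fft.fftshift(np.fft.fft2(image))  # DC moves to (h//2, w//2)
    yy, xx = np.ogrid[:h, :w]
    mask = (yy - h // 2) ** 2 + (xx - w // 2) ** 2 <= radius ** 2
    return np.real(np.fft.ifft2(np.fft.ifftshift(spectrum * mask)))


def cosine_similarity(a, b):
    """Cosine of the angle between two arrays, flattened to vectors."""
    a, b = a.ravel(), b.ravel()
    return float(a @ b / (np.linalg.norm(a) * np.linalg.norm(b)))


def compare(size=32, radius=8, eps=8 / 255, seed=0):
    """Return (raw_sim, low_sim, kept) for a constructed image pair.

    raw_sim: cosine similarity of the clean and perturbed images.
    low_sim: the same, after both pass through the low-pass filter.
    kept:    fraction of the perturbation's L2 norm that survives the filter.
    """
    # Constructed sample: a smooth CIFAR-sized image in [0, 1], not real data.
    y, x = np.mgrid[:size, :size] / size
    clean = 0.5 + 0.25 * np.cos(2 * np.pi * x) + 0.25 * np.cos(2 * np.pi * y)
    # Constructed stand-in for an L-infinity bounded perturbation: random
    # signs scaled by eps. It is not produced by PGD or Auto Attack.
    rng = np.random.default_rng(seed)
    delta = eps * np.sign(rng.standard_normal((size, size)))
    perturbed = clean + delta  # left unclipped so the filter stays linear

    low_clean = low_frequency_sample(clean, radius)
    low_pert = low_frequency_sample(perturbed, radius)
    raw_sim = cosine_similarity(clean, perturbed)
    low_sim = cosine_similarity(low_clean, low_pert)
    kept = np.linalg.norm(low_pert - low_clean) / np.linalg.norm(delta)
    return raw_sim, low_sim, float(kept)


if __name__ == "__main__":
    raw_sim, low_sim, kept = compare()
    print(f"cosine(clean, perturbed), raw pixels : {raw_sim:.6f}")
    print(f"cosine(clean, perturbed), low-pass   : {low_sim:.6f}")
    print(f"perturbation norm kept by the filter : {kept:.2f}")
```

The filter removes only the part of a perturbation that lies outside the mask; whatever energy sits inside the retained band passes through unchanged, so the pixel-space gain shown here is not a robustness measurement for a trained model.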
