While adversarial training can improve robust accuracy (against an adversary), it sometimes hurts
standard accuracy (when there is no adversary).
Previous work has studied this tradeoff between
standard and robust accuracy, but only in the
setting where no predictor performs well on both
objectives in the infinite data limit. In this paper,
we show that even when the optimal predictor
with infinite data performs well on both objectives,
a tradeoff can still manifest itself with finite data.
Furthermore, since our construction is based on a
convex learning problem, we rule out optimization
concerns, thus laying bare a fundamental tension
between robustness and generalization. Finally,
we show that robust self-training mostly eliminates
this tradeoff by leveraging unlabeled data.
more »
« less
Adversarial Training Can Hurt Generalization
While adversarial training can improve robust accuracy (against an adversary), it sometimes hurts
standard accuracy (when there is no adversary).
Previous work has studied this tradeoff between
standard and robust accuracy, but only in the
setting where no predictor performs well on both
objectives in the infinite data limit. In this paper,
we show that even when the optimal predictor
with infinite data performs well on both objectives,
a tradeoff can still manifest itself with finite data.
Furthermore, since our construction is based on a
convex learning problem, we rule out optimization
concerns, thus laying bare a fundamental tension
between robustness and generalization. Finally,
we show that robust self-training mostly eliminates
this tradeoff by leveraging unlabeled data.
more »
« less
- Award ID(s):
- 2343611
- NSF-PAR ID:
- 10472238
- Publisher / Repository:
- arXiv:1906.06032
- Date Published:
- Subject(s) / Keyword(s):
- ["Machine Learning (cs.LG)","Machine Learning (stat.ML)"]
- Format(s):
- Medium: X
- Location:
- ArXiv.org.
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
While adversarial training can improve robust accuracy (against an adversary), it sometimes hurts standard accuracy (when there is no adversary). Previous work has studied this tradeoff between standard and robust accuracy, but only in the setting where no predictor performs well on both objectives in the infinite data limit. In this paper, we show that even when the optimal predictor with infinite data performs well on both objectives, a tradeoff can still manifest itself with finite data. Furthermore, since our construction is based on a convex learning problem, we rule out optimization concerns, thus laying bare a fundamental tension between robustness and generalization. Finally, we show that robust self-training mostly eliminates this tradeoff by leveraging unlabeled data.more » « less
-
Despite breakthrough performance, modern learning models are known to be highly vulnerable to small adversarial perturbations in their inputs. While a wide variety of recent adversarial training methods have been effective at improving robustness to perturbed inputs (robust accuracy), often this benefit is accompanied by a decrease in accuracy on benign inputs (standard accuracy), leading to a tradeoff between often competing objectives. Complicating matters further, recent empirical evidence suggest that a variety of other factors (size and quality of training data, model size, etc.) affect this tradeoff in somewhat surprising ways. In this paper we provide a precise and comprehensive understanding of the role of adversarial training in the context of linear regression with Gaussian features. In particular, we characterize the fundamental tradeoff between the accuracies achievable by any algorithm regardless of computational power or size of the training data. Furthermore, we precisely characterize the standard/robust accuracy and the corresponding tradeoff achieved by a contemporary mini-max adversarial training approach in a high-dimensional regime where the number of data points and the parameters of the model grow in proportion to each other. Our theory for adversarial training algorithms also facilitates the rigorous study of how a variety of factors (size and quality of training data, model overparametrization etc.) affect the tradeoff between these two competing accuracies.more » « less
-
Adversarial training augments the training set with perturbations to improve the robust error (over worst-case perturbations), but it often leads to an increase in the standard error (on unperturbed test inputs). Previous explanations for this tradeoff rely on the assumption that no predictor in the hypothesis class has low standard and robust error. In this work, we precisely characterize the effect of augmentation on the standard error in linear regression when the optimal linear predictor has zero standard and robust error. In particular, we show that the standard error could increase even when the augmented perturbations have noiseless observations from the optimal linear predictor. We then prove that the recently proposed robust self-training (RST) estimator improves robust error without sacrificing standard error for noiseless linear regression. Empirically, for neural networks, we find that RST with different adversarial training methods improves both standard and robust error for random and adversarial rotations and adversarial l_infty perturbations in CIFAR-10.more » « less
-
Adversarial training augments the training set with perturbations to improve the robust error (over worst-case perturbations), but it often leads to an increase in the standard error (on unperturbed test inputs). Previous explanations for this tradeoff rely on the assumption that no predictor in the hypothesis class has low standard and robust error. In this work, we precisely characterize the effect of augmentation on the standard error in linear regression when the optimal linear predictor has zero standard and robust error. In particular, we show that the standard error could increase even when the augmented perturbations have noiseless observations from the optimal linear predictor. We then prove that the recently proposed robust self-training (RST) estimator improves robust error without sacrificing standard error for noiseless linear regression. Empirically, for neural networks, we find that RST with different adversarial training methods improves both standard and robust error for random and adversarial rotations and adversarial ℓ∞ perturbations in CIFAR-10.more » « less
- Free Publicly Accessible Full Text
-
Accepted Manuscript1.0
- Conference Paper:
- The DOI is not currently available.
