Adversarially robust transfer learning (1905.08232v2)

Abstract: Transfer learning, in which a network is trained on one task and re-purposed on another, is often used to produce neural network classifiers when data is scarce or full-scale training is too costly. When the goal is to produce a model that is not only accurate but also adversarially robust, data scarcity and computational limitations become even more cumbersome. We consider robust transfer learning, in which we transfer not only performance but also robustness from a source model to a target domain. We start by observing that robust networks contain robust feature extractors. By training classifiers on top of these feature extractors, we produce new models that inherit the robustness of their parent networks. We then consider the case of fine tuning a network by re-training end-to-end in the target domain. When using lifelong learning strategies, this process preserves the robustness of the source network while achieving high accuracy. By using such strategies, it is possible to produce accurate and robust models with little data, and without the cost of adversarial training. Additionally, we can improve the generalization of adversarially trained models, while maintaining their robustness.

• The paper reveals that transferring robust feature extractors significantly improves model resilience and accuracy on new domains.
• It details two approaches: training only the final layer and end-to-end retraining with lifelong learning to preserve robustness.
• Experimental results show a 22.66% robustness improvement against PGD-20 attacks on CIFAR-10 by transferring robust ImageNet features.

Overview of "Adversarially Robust Transfer Learning"

The paper presents a comprehensive paper on leveraging transfer learning to enhance both the accuracy and robustness of neural network models, particularly in scenarios with limited data availability or computational resources, making adversarial training infeasible. The authors focus on a method to transfer not only the performance but also the robustness of a pre-trained source model to a target domain, which offers significant advancements over traditional transfer learning methods and adversarial training approaches.

The research is grounded in the observation that models trained to be robust against adversarial attacks possess inherent robust feature extractors. These extractors are crucial in maintaining resilience to adversarial perturbations, even when transferred across different domains. By utilizing these robust feature extractors, the paper posits that it is possible to construct new models for the target domain that inherit these robustness properties without the extensive costs typically associated with adversarial training.

Key Contributions

1. Robust Feature Extractors: The paper identifies that robust models across various domains exhibit robust deep feature extractors. This insight underpins the methodology for adversarially robust transfer learning by reusing these extractors in new domains.
2. Transfer Learning Approaches: The research examines two primary approaches:
   • Training only the final classification layer on top of a frozen robust feature extractor.
   • End-to-end retraining with lifelong learning strategies to retain the source model's robust features.
3. Numerical Results: The authors demonstrate meaningful results by transferring robustness from robust ImageNet models to CIFAR datasets without adversarial training. The paper reports significant improvements in validation accuracy and robustness, especially in data-scarce scenarios. For instance, transferring from robust ImageNet models achieved approximately 22.66% robustness against PGD-20 attacks on CIFAR-10, which underlines the effectiveness of robustness transfer.
4. Lifelong Learning to Mitigate Forgetting: The authors leverage Lifelong Learning techniques such as Learning without Forgetting (LwF) to mitigate the robustness loss when performing end-to-end training. The method involves using distillation techniques to maintain feature representation similarities between source and target models, thereby enhancing generalization while preserving robustness.
5. Additional Experiments: Crucially, the research also investigates how the increasing complexity of networks on top of robust feature extractors impacts robustness and generalization. The analysis indicates that deeper networks improve robustness in certain scenarios, suggesting intrinsic benefits of layered architectures when combined with robust feature extraction.

Implications and Future Directions

The paper's findings have important implications for the practical deployment of robust machine learning models, particularly where adversarial robustness potentially adds significant value, such as in security-critical applications. The approach of using robust transfer learning to overcome data limitations without incurring high computational costs presents an attractive pathway for organizations seeking robust AI solutions.

Theoretically, the insights into feature extractor robustness offer a rich avenue for further exploration, specifically in understanding how robust feature spaces impact optimization landscapes in adversarial contexts. Moreover, the intersection between lifelong learning and robust transfer methodologies offers fertile ground for advancements in building adaptive yet resilient AI systems.

Future research could delve into refining these methods, aiming to further minimize the trade-offs between robustness and generalization while exploring the potential of these techniques across even broader domains and adversarially complex tasks. As technology progresses, crafting mechanisms that dynamically adjust robustness and accuracy to meet varying operational requirements may become increasingly relevant.