Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
110 tokens/sec
GPT-4o
56 tokens/sec
Gemini 2.5 Pro Pro
44 tokens/sec
o3 Pro
6 tokens/sec
GPT-4.1 Pro
47 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Improving Model Generalization by On-manifold Adversarial Augmentation in the Frequency Domain (2302.14302v3)

Published 28 Feb 2023 in cs.CV

Abstract: Deep neural networks (DNNs) may suffer from significantly degenerated performance when the training and test data are of different underlying distributions. Despite the importance of model generalization to out-of-distribution (OOD) data, the accuracy of state-of-the-art (SOTA) models on OOD data can plummet. Recent work has demonstrated that regular or off-manifold adversarial examples, as a special case of data augmentation, can be used to improve OOD generalization. Inspired by this, we theoretically prove that on-manifold adversarial examples can better benefit OOD generalization. Nevertheless, it is nontrivial to generate on-manifold adversarial examples because the real manifold is generally complex. To address this issue, we proposed a novel method of Augmenting data with Adversarial examples via a Wavelet module (AdvWavAug), an on-manifold adversarial data augmentation technique that is simple to implement. In particular, we project a benign image into a wavelet domain. With the assistance of the sparsity characteristic of wavelet transformation, we can modify an image on the estimated data manifold. We conduct adversarial augmentation based on AdvProp training framework. Extensive experiments on different models and different datasets, including ImageNet and its distorted versions, demonstrate that our method can improve model generalization, especially on OOD data. By integrating AdvWavAug into the training process, we have achieved SOTA results on some recent transformer-based models.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (56)
  1. Defense against universal adversarial perturbations, in: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 3389–3398.
  2. Wasserstein generative adversarial networks, in: International conference on machine learning, PMLR. pp. 214–223.
  3. Defending against image corruptions through adversarial augmentations. arXiv preprint arXiv:2104.01086 .
  4. Towards evaluating the robustness of neural networks, in: 2017 IEEE Symposium on Security and Privacy (SP), IEEE. pp. 39–57.
  5. Amplitude-phase recombination: Rethinking robustness of convolutional neural networks in frequency domain, in: Proceedings of the IEEE/CVF International Conference on Computer Vision, pp. 458–467.
  6. The measure and mismeasure of fairness: A critical review of fair machine learning. arXiv preprint arXiv:1808.00023 .
  7. Autoaugment: Learning augmentation strategies from data, in: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 113–123.
  8. Randaugment: Practical automated data augmentation with a reduced search space, in: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops, pp. 702–703.
  9. Shield: Fast, practical defense and vaccination for deep learning using jpeg compression, in: Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, pp. 196–204.
  10. Ten lectures on wavelets.
  11. Improved regularization of convolutional neural networks with cutout. arXiv preprint arXiv:1708.04552 .
  12. An image is worth 16x16 words: Transformers for image recognition at scale. arXiv preprint arXiv:2010.11929 .
  13. Similarity and generalization: From noise to corruption. arXiv preprint arXiv:2201.12803 .
  14. Generalisation in humans and deep neural networks. arXiv preprint arXiv:1808.08750 .
  15. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 .
  16. Mixup as locally linear out-of-manifold regularization, in: Proceedings of the AAAI Conference on Artificial Intelligence, pp. 3714–3722.
  17. Masked autoencoders are scalable vision learners. arXiv preprint arXiv:2111.06377 .
  18. Deep residual learning for image recognition, in: Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 770–778.
  19. The many faces of robustness: A critical analysis of out-of-distribution generalization, in: Proceedings of the IEEE/CVF International Conference on Computer Vision, pp. 8340–8349.
  20. Benchmarking neural network robustness to common corruptions and perturbations. arXiv preprint arXiv:1903.12261 .
  21. Augmix: A simple data processing method to improve robustness and uncertainty. arXiv preprint arXiv:1912.02781 .
  22. Natural adversarial examples, in: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 15262–15271.
  23. Gans trained by a two time-scale update rule converge to a local nash equilibrium. Advances in neural information processing systems 30.
  24. Contrastive learning with adversarial examples. Advances in Neural Information Processing Systems 33, 17081–17093.
  25. Adam: A method for stochastic optimization. arXiv preprint arXiv:1412.6980 .
  26. Auto-encoding variational bayes. arXiv preprint arXiv:1312.6114 .
  27. Adversarial attacks and defences competition, in: The NIPS’17 Competition: Building Intelligent Systems. Springer, Cham, pp. 195–231.
  28. Dual manifold adversarial robustness: Defense against lp and non-lp adversarial attacks. Advances in Neural Information Processing Systems 33, 3487–3498.
  29. Swin transformer: Hierarchical vision transformer using shifted windows. arXiv preprint arXiv:2103.14030 .
  30. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 .
  31. A wavelet tour of signal processing. Elsevier, Burlington.
  32. Deepfool: a simple and accurate method to fool deep neural networks, in: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 2574–2582.
  33. Distillation as a defense to adversarial perturbations against deep neural networks, in: 2016 IEEE symposium on security and privacy (SP), IEEE. pp. 582–597.
  34. Jpeg2000: Image compression fundamentals, standards and practice. Journal of Electronic Imaging 11, 286.
  35. Generating diverse high-fidelity images with vq-vae-2. Advances in neural information processing systems 32.
  36. Do imagenet classifiers generalize to imagenet?, in: International Conference on Machine Learning, PMLR. pp. 5389–5400.
  37. Imagenet large scale visual recognition challenge. International journal of computer vision 115, 211–252.
  38. Improving robustness against common corruptions with frequency biased models. arXiv preprint arXiv:2103.16241 .
  39. Disentangling adversarial robustness and generalization, in: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 6976–6987.
  40. Rethinking the inception architecture for computer vision, in: Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 2818–2826.
  41. Efficientnet: Rethinking model scaling for convolutional neural networks, in: International Conference on Machine Learning, PMLR. pp. 6105–6114.
  42. Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204 .
  43. Examining the impact of blur on recognition by convolutional networks. arXiv preprint arXiv:1611.05760 .
  44. Wavelet filter evaluation for image compression. IEEE Transactions on image processing 4, 1053–1060.
  45. High-dimensional statistics: A non-asymptotic viewpoint. volume 48. Cambridge University Press.
  46. Weak convergence and empirical processes: with applications to statistics. Springer Science & Business Media.
  47. Adversarial examples improve image recognition, in: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 819–828.
  48. Mitigating adversarial effects through randomization. arXiv preprint arXiv:1711.01991 .
  49. Improving transferability of adversarial examples with input diversity, in: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 2730–2739.
  50. Ood-bench: Quantifying and understanding two dimensions of out-of-distribution generalization, in: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 7947–7958.
  51. Improved ood generalization via adversarial training and pretraing, in: International Conference on Machine Learning, PMLR. pp. 11987–11997.
  52. A fourier perspective on model robustness in computer vision. arXiv preprint arXiv:1906.08988 .
  53. Cutmix: Regularization strategy to train strong classifiers with localizable features, in: Proceedings of the IEEE/CVF International Conference on Computer Vision, pp. 6023–6032.
  54. mixup: Beyond empirical risk minimization. arXiv preprint arXiv:1710.09412 .
  55. The unreasonable effectiveness of deep features as a perceptual metric, in: Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 586–595.
  56. Manifold projection for adversarial defense on face recognition, in: European Conference on Computer Vision, Springer. pp. 288–305.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (6)
  1. Chang Liu (864 papers)
  2. Wenzhao Xiang (10 papers)
  3. Yuan He (156 papers)
  4. Hui Xue (109 papers)
  5. Shibao Zheng (21 papers)
  6. Hang Su (224 papers)
Citations (2)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now