
Revisiting Adversarial Training under Long-Tailed Distributions (2403.10073v1)

Published 15 Mar 2024 in cs.CV

Abstract: Deep neural networks are vulnerable to adversarial attacks, often leading to erroneous outputs. Adversarial training has been recognized as one of the most effective methods to counter such attacks. However, existing adversarial training techniques have predominantly been tested on balanced datasets, whereas real-world data often exhibit a long-tailed distribution, casting doubt on the efficacy of these methods in practical scenarios. In this paper, we delve into adversarial training under long-tailed distributions. Through an analysis of the previous work "RoBal", we discover that utilizing Balanced Softmax Loss alone can achieve performance comparable to the complete RoBal approach while significantly reducing training overheads. Additionally, we reveal that, similar to uniform distributions, adversarial training under long-tailed distributions also suffers from robust overfitting. To address this, we explore data augmentation as a solution and unexpectedly discover that, unlike results obtained with balanced data, data augmentation not only effectively alleviates robust overfitting but also significantly improves robustness. We further investigate the reasons behind the improvement of robustness through data augmentation and identify that it is attributable to the increased diversity of examples. Extensive experiments further corroborate that data augmentation alone can significantly improve robustness. Finally, building on these findings, we demonstrate that compared to RoBal, the combination of BSL and data augmentation leads to a +6.66% improvement in model robustness under AutoAttack on CIFAR-10-LT. Our code is available at https://github.com/NISPLab/AT-BSL.

Authors (4)
  1. Xinli Yue (5 papers)
  2. Ningping Mou (1 paper)
  3. Qian Wang (453 papers)
  4. Lingchen Zhao (13 papers)
Citations (2)