Understanding and Mitigating the Tradeoff Between Robustness and Accuracy (2002.10716v2)

Abstract: Adversarial training augments the training set with perturbations to improve the robust error (over worst-case perturbations), but it often leads to an increase in the standard error (on unperturbed test inputs). Previous explanations for this tradeoff rely on the assumption that no predictor in the hypothesis class has low standard and robust error. In this work, we precisely characterize the effect of augmentation on the standard error in linear regression when the optimal linear predictor has zero standard and robust error. In particular, we show that the standard error could increase even when the augmented perturbations have noiseless observations from the optimal linear predictor. We then prove that the recently proposed robust self-training (RST) estimator improves robust error without sacrificing standard error for noiseless linear regression. Empirically, for neural networks, we find that RST with different adversarial training methods improves both standard and robust error for random and adversarial rotations and adversarial $\ell_\infty$ perturbations in CIFAR-10.

• The paper analytically characterizes how adversarial training and data augmentation can elevate standard error despite achieving zero robust error in ideal predictors.
• It introduces robust self-training (RST) that leverages unlabeled data to regularize estimators, effectively mitigating the tradeoff between robustness and accuracy.
• Empirical evaluations on CIFAR-10 with neural networks demonstrate that combining RST with adversarial training significantly improves performance under ℓ∞ perturbations.

Understanding and Mitigating the Tradeoff Between Robustness and Accuracy

The paper explores the nuanced relationship between robustness and accuracy within adversarial training paradigms in machine learning. Adversarial training dynamically augments training data with perturbations to bolster robust error but often incurs increased standard error on clean test inputs. Traditional frameworks attribute this tradeoff to hypothesis class limitations, positing no single model achieves low standard and robust error simultaneously. The authors challenge this notion by analytically characterizing the impact of data augmentation on standard error in linear regression when the optimal predictor features zero error on both metrics. They demonstrate conditions under which standard error amplifies despite augmentation with noiseless observations from the optimal predictor, particularly under overparameterization and inappropriate inductive biases, where standard error highly depends on the feature geometry and the norm being minimized.

The authors additionally present a solution through robust self-training (RST) to enhance robust error without detracting from standard error, specifically in noiseless linear contexts. RST operates by leveraging unlabeled data to offset the sample complexity barrier, effectively regularizing the augmented estimator towards the standard one and alleviating adverse generalization particularly under finite data. Empirically, for neural networks, RST combined with adversarial training methods advances both standard and robust errors on datasets such as CIFAR-10, noting significant improvements even amid adversarial rotations and $\ell_\infty$ perturbations.

Previous explanations of the robustness-accuracy tradeoff suggest its persistence with infinite data, particularly due to either incompatibility in accuracy among perturbations or an hypothesis class unable to encapsulate the true classifier. In contrast, the paper argues the tradeoff stems from finite generalization issues rather than such intrinsic incompatibility or capacity constraints and diminishes with large datasets.

Through exhaustive simulations and evaluations across varied perturbations and architectures, the paper suggests pragmatic pathways in aligning inductive biases with population data distributions to reduce tradeoffs. The theoretical and empirical exploration advances the understanding of adversarial training, suggesting RST could fundamentally enhance AI systems' robustness.

Future research directives could explore expanding RST application to broader learning paradigms or integrate it synergistically with other novel training approaches to further optimize robustness and accuracy harmonization in complex real-world datasets and tasks. Additionally, analyses could explore how intrinsic model properties, like expressiveness and architecture, interact dynamically with RST frameworks in diverse perturbative contexts.