Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
102 tokens/sec
GPT-4o
59 tokens/sec
Gemini 2.5 Pro Pro
43 tokens/sec
o3 Pro
6 tokens/sec
GPT-4.1 Pro
50 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Wasserstein distributional robustness of neural networks (2306.09844v1)

Published 16 Jun 2023 in cs.LG, cs.CV, math.OC, and math.PR

Abstract: Deep neural networks are known to be vulnerable to adversarial attacks (AA). For an image recognition task, this means that a small perturbation of the original can result in the image being misclassified. Design of such attacks as well as methods of adversarial training against them are subject of intense research. We re-cast the problem using techniques of Wasserstein distributionally robust optimization (DRO) and obtain novel contributions leveraging recent insights from DRO sensitivity analysis. We consider a set of distributional threat models. Unlike the traditional pointwise attacks, which assume a uniform bound on perturbation of each input data point, distributional threat models allow attackers to perturb inputs in a non-uniform way. We link these more general attacks with questions of out-of-sample performance and Knightian uncertainty. To evaluate the distributional robustness of neural networks, we propose a first-order AA algorithm and its multi-step version. Our attack algorithms include Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD) as special cases. Furthermore, we provide a new asymptotic estimate of the adversarial accuracy against distributional threat models. The bound is fast to compute and first-order accurate, offering new insights even for the pointwise AA. It also naturally yields out-of-sample performance guarantees. We conduct numerical experiments on the CIFAR-10 dataset using DNNs on RobustBench to illustrate our theoretical results. Our code is available at https://github.com/JanObloj/W-DRO-Adversarial-Methods.

PDF HTML Abstract
Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Bookmark Chat Bubble Oval Streamline Icon: https://streamlinehq.com Chat (Pro)
Definition Search Book Streamline Icon: https://streamlinehq.com
References (56)
  1. Computational aspects of robust optimized certainty equivalents and option pricing. Mathematical Finance, 30(1):287–309, 2020.
  2. Sensitivity analysis of Wasserstein distributionally robust optimization problems. Proc. R. Soc. A., 477(2256):20210176, Dec. 2021.
  3. Measuring neural net robustness with constraint. In Advances in Neural Information Processing Systems, volume 29. Curran Associates, Inc., 2016.
  4. Evasion attacks against machine learning at test time. In Machine Learning and Knowledge Discovery in Databases, Lecture Notes in Computer Science, pages 387–402, Berlin, Heidelberg, 2013. Springer.
  5. J. Blanchet and K. Murthy. Quantifying distributional model risk via optimal transport. Mathematics of Operations Research, 44(2):565–600, May 2019.
  6. Decision–based adversarial attacks: reliable attacks against black-box machine learning models. In International Conference on Learning Representations, 2018.
  7. A unified Wasserstein distributional robustness framework for adversarial training. In International Conference on Learning Representations, Jan. 2022.
  8. N. Carlini and D. Wagner. Towards evaluating the robustness of neural networks. In 2017 IEEE Symposium on Security and Privacy (SP), pages 39–57. IEEE, May 2017.
  9. ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, pages 15–26. ACM, Nov. 2017.
  10. Certified adversarial robustness via randomized smoothing. In Proceedings of the 36th International Conference on Machine Learning, pages 1310–1320. PMLR, May 2019.
  11. F. Croce and M. Hein. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter–free attacks. In Proceedings of the 37th International Conference on Machine Learning, pages 2206–2216. PMLR, Nov. 2020.
  12. RobustBench: A standardized adversarial robustness benchmark, Oct. 2021.
  13. Enabling certification of verification–agnostic networks via memory–efficient semidefinite programming. In Advances in Neural Information Processing Systems, volume 33, pages 5318–5331. Curran Associates, Inc., 2020.
  14. Constructive quantization: approximation by empirical measures. In Annales de l’IHP Probabilités et statistiques, volume 49, pages 1183–1203, 2013.
  15. Adversarial distributional training for robust deep learning. In Advances in Neural Information Processing Systems, volume 33, pages 8270–8283. Curran Associates, Inc., 2020.
  16. H. Föllmer and S. Weber. The axiomatic approach to risk measures for capital determination. Annual Review of Financial Economics, 7(1):301–337, 2015.
  17. N. Fournier and A. Guillin. On the rate of convergence in wasserstein distance of the empirical measure. Probability Theory and Related Fields, 162(3-4):707–738, 2015.
  18. R. Gao. Finite-sample guarantees for wasserstein distributionally robust optimization: breaking the curse of dimensionality. Operations Research, 2022.
  19. R. Gao and A. Kleywegt. Distributionally robust stochastic optimization with Wasserstein distance. Mathematics of OR, Aug. 2022.
  20. Wasserstein distributionally robust optimization and variation regularization. Operations Research, 2022.
  21. C. A. García Trillos and N. García Trillos. On the regularized risk of distributionally robust learning over deep neural networks. Res Math Sci, 9(3):54, Aug. 2022.
  22. I. Gilboa and D. Schmeidler. Maxmin expected utility with non-unique prior. Journal of Mathematical Economics, 18(2):141–153, 1989.
  23. Explaining and harnessing adversarial examples. In International Conference on Learning Representations, 2015.
  24. Uncovering the limits of adversarial training against norm-bounded adversarial examples. arXiv preprint arXiv:2010.03593, 2020.
  25. Improving robustness using generated data. In Advances in Neural Information Processing Systems, volume 34, pages 4218–4233. Curran Associates, Inc., 2021.
  26. G. Guo and J. Obłój. Computational methods for martingale optimal transport problems. The Annals of Applied Probability, 29(6):3311 – 3347, 2019.
  27. L. P. Hansen and M. Marinacci. Ambiguity aversion and model misspecification: an economic perspective. Statistical Science, 31(4):511–515, 2016.
  28. M. Hein and M. Andriushchenko. Formal guarantees on the robustness of a classifier against adversarial manipulation. In Advances in Neural Information Processing Systems, volume 30. Curran Associates, Inc., 2017.
  29. Coresets for Wasserstein distributionally robust optimization problems. In Advances in Neural Information Processing Systems, Oct. 2022.
  30. Black-box adversarial attacks with limited queries and information. In Proceedings of the 35th International Conference on Machine Learning, pages 2137–2146. PMLR, July 2018.
  31. F. H. Knight. Risk, Uncertainty and Profit. Boston, New York, Houghton Mifflin Company, 1921.
  32. A. Krizhevsky. Learning multiple layers of features from tiny images. 2009.
  33. H. Lam. Robust sensitivity analysis for stochastic systems. Mathematics of OR, 41(4):1248–1275, Nov. 2016.
  34. On concentration of the empirical measure for general transport costs, 2023.
  35. J. Lee and M. Raginsky. Minimax statistical learning with Wasserstein distances. Advances in Neural Information Processing Systems, 31, 2018.
  36. SoK: Certified robustness for deep neural networks. In 44th IEEE Symposium on Security and Privacy. IEEE, 2023.
  37. Towards deep learning models resistant to adversarial attacks. In International Conference on Learning Representations, 2018.
  38. P. Mohajerin Esfahani and D. Kuhn. Data–driven distributionally robust optimization using the Wasserstein metric: Performance guarantees and tractable reformulations. Math. Program., 171(1):115–166, Sept. 2018.
  39. The out-of-sample prediction error of the square-root-lasso and related estimators, 2023.
  40. Robustness and accuracy could be reconcilable by (proper) definition. In Proceedings of the 39th International Conference on Machine Learning, pages 17258–17277. PMLR, June 2022.
  41. Semidefinite relaxations for certifying robustness to adversarial examples. In Advances in Neural Information Processing Systems, volume 31. Curran Associates, Inc., 2018.
  42. H. Rahimian and S. Mehrotra. Distributionally robust optimization: A review, Aug. 2019.
  43. HYDRA: pruning adversarially robust neural networks. In Advances in Neural Information Processing Systems, volume 33, pages 19655–19666. Curran Associates, Inc., 2020.
  44. Towards out-of-distribution generalization: a survey, Aug. 2021.
  45. Certifying some distributional robustness with principled adversarial training. In International Conference on Learning Representations, 2018.
  46. M. Staib and S. Jegelka. Distributionally robust deep learning as a generalization of adversarial training. In NIPS workshop on Machine Learning and Computer Security, volume 3, page 4, 2017.
  47. Evaluating robustness of neural networks with mixed integer programming. In International Conference on Learning Representations, 2019.
  48. Ensemble adversarial training: attacks and defenses. In International Conference on Learning Representations, 2018.
  49. Improving adversarial robustness requires revisiting misclassified examples. In International Conference on Learning Representations, 2020.
  50. Better diffusion models further improve adversarial training. In Proceedings of the 40th International Conference on Machine Learning, 2023.
  51. Towards fast computation of certified robustness for ReLU networks. In Proceedings of the 35th International Conference on Machine Learning, pages 5276–5285. PMLR, July 2018a.
  52. Evaluating the robustness of neural networks: an extreme value theory approach. In International Conference on Learning Representations. International Conference on Learning Representations, ICLR, 2018b.
  53. E. Wong and Z. Kolter. Provable defenses against adversarial examples via the convex outer adversarial polytope. In Proceedings of the 35th International Conference on Machine Learning, pages 5286–5295. PMLR, July 2018.
  54. Adversarial weight perturbation helps robust generalization. In Advances in Neural Information Processing Systems, volume 33, pages 2958–2969. Curran Associates, Inc., 2020.
  55. Why do artificially generated data help adversarial robustness. In Advances in Neural Information Processing Systems, Oct. 2022.
  56. Theoretically principled trade-off between robustness and accuracy. In Proceedings of the 36th International Conference on Machine Learning, pages 7472–7482. PMLR, May 2019.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (4)
  1. Xingjian Bai (8 papers)
  2. Guangyi He (2 papers)
  3. Yifan Jiang (79 papers)
  4. Jan Obloj (26 papers)
Citations (5)
View on Semantic Scholar