Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
110 tokens/sec
GPT-4o
56 tokens/sec
Gemini 2.5 Pro Pro
44 tokens/sec
o3 Pro
6 tokens/sec
GPT-4.1 Pro
47 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

DAFA: Distance-Aware Fair Adversarial Training (2401.12532v1)

Published 23 Jan 2024 in cs.LG and cs.AI

Abstract: The disparity in accuracy between classes in standard training is amplified during adversarial training, a phenomenon termed the robust fairness problem. Existing methodologies aimed to enhance robust fairness by sacrificing the model's performance on easier classes in order to improve its performance on harder ones. However, we observe that under adversarial attacks, the majority of the model's predictions for samples from the worst class are biased towards classes similar to the worst class, rather than towards the easy classes. Through theoretical and empirical analysis, we demonstrate that robust fairness deteriorates as the distance between classes decreases. Motivated by these insights, we introduce the Distance-Aware Fair Adversarial training (DAFA) methodology, which addresses robust fairness by taking into account the similarities between classes. Specifically, our method assigns distinct loss weights and adversarial margins to each class and adjusts them to encourage a trade-off in robustness among similar classes. Experimental results across various datasets demonstrate that our method not only maintains average robust accuracy but also significantly improves the worst robust accuracy, indicating a marked improvement in robust fairness compared to existing methods.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (38)
  1. Robustness may be at odds with fairness: An empirical study on class-wise accuracy. In NeurIPS 2020 Workshop on Pre-registration in Machine Learning, pp.  325–342. PMLR, 2021.
  2. Learning imbalanced datasets with label-distribution-aware margin loss. Advances in neural information processing systems, 32, 2019.
  3. Unlabeled data improves adversarial robustness. In Advances in Neural Information Processing Systems, pp. 11190–11201, 2019.
  4. An analysis of single-layer networks in unsupervised feature learning. In Proceedings of the fourteenth international conference on artificial intelligence and statistics, pp.  215–223. JMLR Workshop and Conference Proceedings, 2011.
  5. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.
  6. Improving robustness using generated data. Advances in Neural Information Processing Systems, 34:4218–4233, 2021.
  7. Learning from imbalanced data. IEEE Transactions on knowledge and data engineering, 21(9):1263–1284, 2009.
  8. Identity mappings in deep residual networks. In Computer Vision–ECCV 2016: 14th European Conference, Amsterdam, The Netherlands, October 11–14, 2016, Proceedings, Part IV 14, pp.  630–645. Springer, 2016a.
  9. Deep residual learning for image recognition. In Proceedings of the IEEE conference on computer vision and pattern recognition, pp.  770–778, 2016b.
  10. Distilling the knowledge in a neural network. arXiv preprint arXiv:1503.02531, 2(7), 2015.
  11. Understanding the impact of adversarial robustness on accuracy disparity. In International Conference on Machine Learning, pp. 13679–13709. PMLR, 2023.
  12. Averaging weights leads to wider optima and better generalization. arXiv preprint arXiv:1803.05407, 2018.
  13. Striking the right balance with uncertainty. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp.  103–112, 2019.
  14. Learning multiple layers of features from tiny images. Technical report, Citeseer, 2009.
  15. Inducing data amplification using auxiliary datasets in adversarial training. In Proceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision, pp.  4551–4560, 2023.
  16. Adversarial vertex mixup: Toward better adversarially robust generalization. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp.  272–281, 2020.
  17. Removing undesirable feature contributions using out-of-distribution data. In International Conference on Learning Representations, 2021. URL https://openreview.net/forum?id=eIHYL6fpbkA.
  18. Wat: improve the worst-class robustness in adversarial training. In Proceedings of the AAAI Conference on Artificial Intelligence, volume 37, pp.  14982–14990, 2023.
  19. Data augmentation alone can improve adversarial training. arXiv preprint arXiv:2301.09879, 2023.
  20. Practical evaluation of adversarial robustness via adaptive auto attack. arXiv preprint arXiv:2203.05154, 2022.
  21. On the tradeoff between robustness and fairness. Advances in Neural Information Processing Systems, 35:26230–26241, 2022.
  22. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083, 2017.
  23. Long-tail learning via logit adjustment. arXiv preprint arXiv:2007.07314, 2020.
  24. Bag of tricks for adversarial training. In International Conference on Learning Representations, 2021. URL https://openreview.net/forum?id=Xb8xvrtB8Ce.
  25. Data augmentation can improve robustness. Advances in Neural Information Processing Systems, 34:29935–29948, 2021.
  26. Improving robust fariness via balance adversarial training. In Proceedings of the AAAI Conference on Artificial Intelligence, volume 37, pp.  15161–15169, 2023.
  27. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199, 2013.
  28. Analysis and applications of class-wise robustness in adversarial training. In Proceedings of the 27th ACM SIGKDD Conference on Knowledge Discovery & Data Mining, pp.  1561–1570, 2021.
  29. 80 million tiny images: A large data set for nonparametric object and scene recognition. IEEE transactions on pattern analysis and machine intelligence, 30(11):1958–1970, 2008.
  30. Robustness may be at odds with accuracy. arXiv preprint arXiv:1805.12152, 2018.
  31. Improving adversarial robustness requires revisiting misclassified examples. In International Conference on Learning Representations, 2019.
  32. Cfa: Class-wise calibrated fair adversarial training. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp.  8193–8201, 2023.
  33. Adversarial weight perturbation helps robust generalization. Advances in Neural Information Processing Systems, 33:2958–2969, 2020.
  34. To be robust or to be fair: Towards fairness in adversarial training. In International Conference on Machine Learning, pp. 11492–11501. PMLR, 2021.
  35. Wide residual networks. arXiv preprint arXiv:1605.07146, 2016.
  36. Theoretically principled trade-off between robustness and accuracy. In Kamalika Chaudhuri and Ruslan Salakhutdinov (eds.), Proceedings of the 36th International Conference on Machine Learning, volume 97 of Proceedings of Machine Learning Research, pp. 7472–7482, Long Beach, California, USA, 09–15 Jun 2019. PMLR. URL http://proceedings.mlr.press/v97/zhang19p.html. https://github.com/yaodongyu/TRADES.
  37. Attacks which do not kill training make adversarial learning stronger. In International conference on machine learning, pp. 11278–11287. PMLR, 2020.
  38. Deep long-tailed learning: A survey. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2023.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (6)
  1. Hyungyu Lee (12 papers)
  2. Saehyung Lee (15 papers)
  3. Hyemi Jang (7 papers)
  4. Junsung Park (10 papers)
  5. Ho Bae (11 papers)
  6. Sungroh Yoon (163 papers)
Citations (4)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets