Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
102 tokens/sec
GPT-4o
59 tokens/sec
Gemini 2.5 Pro Pro
43 tokens/sec
o3 Pro
6 tokens/sec
GPT-4.1 Pro
50 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Can overfitted deep neural networks in adversarial training generalize? -- An approximation viewpoint (2401.13624v1)

Published 24 Jan 2024 in stat.ML and cs.LG

Abstract: Adversarial training is a widely used method to improve the robustness of deep neural networks (DNNs) over adversarial perturbations. However, it is empirically observed that adversarial training on over-parameterized networks often suffers from the \textit{robust overfitting}: it can achieve almost zero adversarial training error while the robust generalization performance is not promising. In this paper, we provide a theoretical understanding of the question of whether overfitted DNNs in adversarial training can generalize from an approximation viewpoint. Specifically, our main results are summarized into three folds: i) For classification, we prove by construction the existence of infinitely many adversarial training classifiers on over-parameterized DNNs that obtain arbitrarily small adversarial training error (overfitting), whereas achieving good robust generalization error under certain conditions concerning the data quality, well separated, and perturbation level. ii) Linear over-parameterization (meaning that the number of parameters is only slightly larger than the sample size) is enough to ensure such existence if the target function is smooth enough. iii) For regression, our results demonstrate that there also exist infinitely many overfitted DNNs with linear over-parameterization in adversarial training that can achieve almost optimal rates of convergence for the standard generalization error. Overall, our analysis points out that robust overfitting can be avoided but the required model capacity will depend on the smoothness of the target function, while a robust generalization gap is inevitable. We hope our analysis will give a better understanding of the mathematical foundations of robustness in DNNs from an approximation view.

View on arXiv
Definition Search Book Streamline Icon: https://streamlinehq.com
References (53)
  1. Efficient global optimization of two-layer relu networks: Quadratic-time algorithms and adversarial training. SIAM Journal on Mathematics of Data Science, 5(2):446–474, 2023.
  2. Convexity, classification, and risk bounds. Journal of the American Statistical Association, 101(473):138–156, 2006.
  3. Benign overfitting in linear regression. Proceedings of the National Academy of Sciences, 117(48):30063–30070, 2020.
  4. Reconciling modern machine-learning practice and the classical bias–variance trade-off. Proceedings of the National Academy of Sciences, 116(32):15849–15854, 2019.
  5. Lower bounds on adversarial robustness from optimal transport. Advances in Neural Information Processing Systems, 32, 2019.
  6. Benign overfitting in two-layer convolutional neural networks. Advances in Neural Information Processing Systems, 35:25237–25250, 2022.
  7. Risk bounds for over-parameterized maximum margin classification on sub-gaussian mixtures. Advances in Neural Information Processing Systems, 34:8407–8418, 2021.
  8. Adversarial examples are not easily detected: Bypassing ten detection methods. In Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, pages 3–14, 2017.
  9. Support vector machine soft margin classifiers: error analysis. Journal of Machine Learning Research, 5:1143–1175, 2004.
  10. Benign overfitting in adversarially robust linear classification. arXiv preprint arXiv:2112.15250, 2021.
  11. Neural networks for localized approximation. Mathematics of Computation, 63(208):607–623, 1994.
  12. Realization of spatial sparseness by deep ReLU nets with massive data. IEEE Transactions on Neural Networks and Learning Systems, 33(1):229–243, 2022.
  13. Learning Theory: An Approximation Theory Viewpoint, volume 24. Cambridge University Press, 2007.
  14. Sharp statistical guaratees for adversarially robust gaussian classification. In International Conference on Machine Learning, pages 2345–2355. PMLR, 2020.
  15. Robust classification under ℓ0subscriptℓ0\ell_{0}roman_ℓ start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT attack for the gaussian mixture model. SIAM Journal on Mathematics of Data Science, 4(1):362–385, 2022.
  16. On the sensitivity of adversarial robustness to input data distributions. International Conference on Learning Representations, 4, 2019.
  17. Data quality matters for adversarial training: An empirical study. arXiv preprint arXiv:2102.07437, 2021.
  18. Label noise in adversarial training: A novel perspective to study robust overfitting. Advances in Neural Information Processing Systems, 35:17556–17567, 2022.
  19. Exploring memorization in adversarial training. In International Conference on Learning Representations, 2022.
  20. Deep Learning. MIT press, 2016.
  21. Explaining and harnessing adversarial examples. In International Conference on Learning Representations, 2014.
  22. Towards deep neural network architectures robust to adversarial examples. arXiv preprint arXiv:1412.5068, 2014.
  23. Error bounds for approximations with deep relu neural networks in Ws,psuperscript𝑊𝑠𝑝W^{s,p}italic_W start_POSTSUPERSCRIPT italic_s , italic_p end_POSTSUPERSCRIPT norms. Analysis and Applications, 18(05):803–859, 2020.
  24. Countering adversarial images using input transformations. arXiv preprint arXiv:1711.00117, 2017.
  25. A Distribution-Free Theory of Nonparametric Regression, volume 1. Springer, 2002.
  26. Depth selection for deep ReLU nets in feature extraction and generalization. IEEE Transactions on Pattern Analysis and Machine Intelligence, 44(4):1853–1868, 2022.
  27. Adversarial examples are not bugs, they are features. In Advances in neural information processing systems, 2019.
  28. Adversarial risk bounds via function transformation. arXiv preprint arXiv:1810.09519, 2018.
  29. Why robust generalization in deep learning is difficult: Perspective of expressive power. Advances in Neural Information Processing Systems, 35:4370–4384, 2022.
  30. Why clean generalization and robust overfitting both happen in adversarial training. arXiv preprint arXiv:2306.01271, 2023.
  31. Generalization performance of empirical risk minimization on over-parameterized deep relu nets. arXiv preprint arXiv:2111.14039, 2021.
  32. Benefits of overparameterized convolutional residual networks: Function approximation under smoothness constraint. In International Conference on Machine Learning, pages 13669–13703. PMLR, 2022.
  33. Towards deep learning models resistant to adversarial attacks. In International Conference on Machine Learning, 2018.
  34. Adversarial robustness of sparse local lipschitz predictors. SIAM Journal on Mathematics of Data Science, 5(4):920–948, 2023.
  35. Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032, 2019.
  36. Overfitting in adversarially robust deep learning. In International Conference on Machine Learning, pages 8093–8104. PMLR, 2020.
  37. Adversarially robust generalization requires more data. Advances in Neural Information Processing Systems, 31, 2018.
  38. Johannes Schmidt-Hieber. Nonparametric regression using deep neural networks with ReLU activation function. The Annals of Statistics, 48(4):1875–1897, 2020.
  39. Are adversarial examples inevitable? In International Conference on Learning Representations, 2019.
  40. Lei Shi. Learning theory estimates for coefficient-based regularized regression. Applied and Computational Harmonic Analysis, 34(2):252–265, 2013.
  41. Is robustness the cost of accuracy?–a comprehensive study on the robustness of 18 deep image classification models. In Proceedings of the European conference on computer vision (ECCV), pages 631–648, 2018.
  42. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199, 2013.
  43. Benign overfitting in ridge regression. Journal of Machine Learning Research, 24(123):1–76, 2023.
  44. Robustness may be at odds with accuracy. In International Conference on Learning Representations, 2019.
  45. Holger Wendland. Scattered Data Approximation, volume 17. Cambridge university press, 2004.
  46. Adversarial rademacher complexity of deep neural networks. arXiv preprint arXiv:2211.14966, 2022.
  47. A closer look at accuracy vs. robustness. Advances in neural information processing systems, 33:8588–8601, 2020.
  48. Dmitry Yarotsky. Error bounds for approximations with deep ReLU networks. Neural Networks, 94:103–114, 2017.
  49. Rademacher complexity for adversarially robust generalization. In International Conference on Machine Learning, pages 7085–7094. PMLR, 2019.
  50. Understanding deep learning (still) requires rethinking generalization. Communications of the ACM, 64(3):107–115, 2021.
  51. Theoretically principled trade-off between robustness and accuracy. In International Conference on Machine Learning, pages 7472–7482. PMLR, 2019.
  52. Tong Zhang. Statistical behavior and consistency of classification methods based on convex risk minimization. The Annals of Statistics, 32(1):56–85, 2004.
  53. Benign overfitting in deep neural networks under lazy training. In International Conference on Machine Learning, pages 43105–43128. PMLR, 2023.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (4)
  1. Zhongjie Shi (6 papers)
  2. Fanghui Liu (37 papers)
  3. Yuan Cao (201 papers)
  4. Johan A. K. Suykens (82 papers)

Summary

An Approximation View on Overfitted Deep Neural Networks in Adversarial Training

The paper entitled "Can overfitted deep neural networks in adversarial training generalize? - An approximation viewpoint" addresses the complex issue of robust overfitting in deep neural networks (DNNs), especially within adversarial training contexts. The research investigates whether overfitted models—those that achieve very low training error but may exhibit poor generalization—can still generalize effectively under certain conditions. The discussion is framed around a thorough theoretical analysis with insights drawn from an approximation perspective.

Key Contributions and Findings

  1. Existence of Robust Classifiers: The authors constructively prove the existence of infinitely many classifiers within over-parameterized DNNs which, despite achieving negligible adversarial training error, can deliver strong robust generalization error. This result holds under specific conditions concerning data quality, separation, and perturbation levels.
  2. Linear Over-parameterization: For smooth enough target functions, only linear over-parameterization—where the number of network parameters marginally exceeds the sample size—is required to achieve both low adversarial training error and robust generalization. This is particularly advantageous compared to expectations from empirical results which often suggest needing extensively larger models.
  3. Analyzing Regression Paradigms: Through their analysis, the authors demonstrate analogous results for regression tasks, showing that similar infinitely many overfitted networks exist, reaching optimal convergence rates under adversarial setups.
  4. Intricacies of Robust Overfitting: The work elucidates that while robust overfitting can be mitigated, the indispensable model capacity varies with the smoothness degree of the target function. Acknowledgeably, some robust generalization gap persists.

Theoretical and Practical Implications

Theoretical Insights

  • Improved Understanding of Robustness: This paper advances the theoretical understanding of robust overfitting by dissecting it through the lens of approximation theory, providing a nuanced comprehension of the conditions under which adversarial training might still generalize effectively.
  • Approximation Complexity: The analysis indicates the non-linear relationship between model complexity and robust generalization, offering a refined approximation perspective for judging model requirements.
  • Robust Generalization Gap: The dichotomy between robust and traditional generalization emerges clearer through the proof of inherent gaps, emphasizing the need for more sophisticated theoretical treatments.

Practical Implications

  • Guidance for Practitioners: Empirical practitioners can leverage these insights to better configure model architectures and adversarial training regimes, particularly focusing on data quality and perturbation limits.
  • Informing Adversarial Defense Strategies: This understanding helps refine strategies to design more resilient adversarial training algorithms that minimize robust overfitting.

Future Directions

The pathways to future advancements appear manifold. One direction could entail investigating optimization algorithms that naturally lead to the desired adversarial training minima. Moreover, extending this framework to other model architectures, such as convolutional neural networks, could yield broader applicability. Exploring more nuanced forms of data quality measurements and their interplay with model architecture presents another promising research domain.

In summary, this paper delivers substantial theoretical contributions to the field of adversarial training in DNNs by blending approximation theory with an analysis of overfitting. While addressing the robust overfitting conundrum under certain preconditions, it offers a blueprint for future research and practice, paving avenues toward overcoming robustness challenges in adversarially potent environments.

File Document Download Save Streamline Icon: https://streamlinehq.com PDF File Document Download Save Streamline Icon: https://streamlinehq.com Markdown
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets

Youtube Logo Streamline Icon: https://streamlinehq.com

YouTube