Can we have it all? On the Trade-off between Spatial and Adversarial Robustness of Neural Networks

Kamath, Sandesh and Deshpande, Amit and Balasubramanian, Vineeth N and et al, . (2021) Can we have it all? On the Trade-off between Spatial and Adversarial Robustness of Neural Networks. In: 35th Conference on Neural Information Processing Systems, NeurIPS 2021, 6 December 2021 through 14 December 2021, Virtual, Online.

Full text not available from this repository. (Request a copy)

Abstract

(Non-)robustness of neural networks to small, adversarial pixel-wise perturbations, and as more recently shown, to even random spatial transformations (e.g., translations, rotations) entreats both theoretical and empirical understanding. Spatial robustness to random translations and rotations is commonly attained via equivariant models (e.g., StdCNNs, GCNNs) and training augmentation, whereas adversarial robustness is typically achieved by adversarial training. In this paper, we prove a quantitative trade-off between spatial and adversarial robustness in a simple statistical setting. We complement this empirically by showing that: (a) as the spatial robustness of equivariant models improves by training augmentation with progressively larger transformations, their adversarial robustness worsens progressively, and (b) as the state-of-the-art robust models are adversarially trained with progressively larger pixel-wise perturbations, their spatial robustness drops progressively. Towards achieving Pareto-optimality in this trade-off, we propose a method based on curriculum learning that trains gradually on more difficult perturbations (both spatial and adversarial) to improve spatial and adversarial robustness simultaneously. © 2021 Neural information processing systems foundation. All rights reserved.

[error in script]

IITH Creators: