Daily Arxiv

This is a page that curates AI-related papers published worldwide.
All content here is summarized using Google Gemini and operated on a non-profit basis.
Copyright for each paper belongs to the authors and their institutions; please make sure to credit the source when sharing.

Rethinking Invariance Regularization in Adversarial Training to Improve Robustness-Accuracy Trade-off

Created by
  • Haebom

Author

Futa Waseda, Ching-Chun Chang, Isao Echizen

Outline

This paper analyzes how invariance regularization can be used to resolve the trade-off between robustness and accuracy in adversarial training, and proposes a novel method, Asymmetric Representation-regularized Adversarial Training (ARAT), to overcome this trade-off. The authors identify two problems with existing invariance regularization methods: gradient conflict between the invariance and classification objectives, and a mixed-distribution problem caused by the distributional gap between clean and adversarial inputs. ARAT addresses the gradient-conflict problem with an asymmetric invariance loss that uses a stop-gradient operation and a predictor, and addresses the mixed-distribution problem with a split-BatchNorm architecture. Experimental results show that ARAT outperforms existing methods and offers a new perspective on knowledge-distillation-based defenses.
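The two components described above can be illustrated with a minimal NumPy sketch. This is not the authors' implementation: the predictor here is a single illustrative linear map (`W`, `b` are assumed names), `stop_gradient` is a conceptual stand-in for an autodiff detach, and `split_batchnorm` only shows the idea of keeping separate normalization statistics per branch.

```python
import numpy as np

rng = np.random.default_rng(0)

def stop_gradient(z):
    # Conceptual stand-in: in an autodiff framework this would block
    # gradients from flowing into the clean branch (e.g. z.detach()).
    return z.copy()

def predictor(z, W, b):
    # Small learnable head applied only to the adversarial branch.
    # A single linear map is an illustrative simplification.
    return z @ W + b

def split_batchnorm(x, stats):
    # Split-BN idea: normalize clean and adversarial inputs with
    # *separate* statistics so their distributions are not mixed.
    mean, var = stats
    return (x - mean) / np.sqrt(var + 1e-5)

def asymmetric_invariance_loss(h_clean, h_adv, W, b):
    # Asymmetry: pull the *predicted* adversarial representation toward
    # the gradient-stopped clean representation, not vice versa.
    target = stop_gradient(h_clean)
    pred = predictor(h_adv, W, b)
    return float(np.mean((pred - target) ** 2))

# Toy representations: batch of 4 samples, feature dim 8.
z_clean = rng.standard_normal((4, 8))
z_adv = z_clean + 0.1 * rng.standard_normal((4, 8))  # perturbed view

# Per-branch statistics (the "split" in split-BatchNorm).
h_clean = split_batchnorm(z_clean, (z_clean.mean(0), z_clean.var(0)))
h_adv = split_batchnorm(z_adv, (z_adv.mean(0), z_adv.var(0)))

W, b = np.eye(8), np.zeros(8)  # identity predictor for the toy run
loss = asymmetric_invariance_loss(h_clean, h_adv, W, b)
print(loss)
```

In training, this invariance term would be added to the classification loss; the stop-gradient keeps the invariance objective from degrading the clean-branch features that the classification objective depends on.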

Takeaways, Limitations

Takeaways:
Presents a novel approach to mitigating the trade-off between robustness and accuracy in adversarial training.
Identifies the gradient-conflict and mixed-distribution problems as limitations of existing invariance regularization.
Proposes the ARAT algorithm, which effectively resolves the gradient-conflict and mixed-distribution problems.
Provides new insights into knowledge-distillation-based defenses.
Experimentally validates ARAT, demonstrating superior performance over existing methods across various settings.
Limitations:
The performance improvements of ARAT may be limited to specific datasets or model architectures.
Further research is needed on the generalization performance of the proposed method.
Additional evaluation in real-world application environments is required.