Comparing Complexities of Decision Boundaries for Robust Training: A Universal Approach

  • Conference paper
Computer Vision – ACCV 2022 (ACCV 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13846)

Abstract

We investigate the geometric complexity of decision boundaries for robust training compared to standard training. By considering the local geometry of nearest neighbour sets, we study them in a model-agnostic way and theoretically derive a lower-bound \(R^*\in \mathbb {R}\) on the perturbation magnitude \(\delta \in \mathbb {R}\) for which robust training provably requires a geometrically more complex decision boundary than accurate training. We show that state-of-the-art robust models learn more complex decision boundaries than their non-robust counterparts, confirming previous hypotheses. Then, we compute \(R^*\) for common image benchmarks and find that it also empirically serves as an upper bound over which label noise is introduced. We demonstrate for deep neural network classifiers that perturbation magnitudes \(\delta \ge R^*\) lead to reduced robustness and generalization performance. Therefore, \(R^*\) bounds the maximum feasible perturbation magnitude for norm-bounded robust training and data augmentation. Finally, we show that \(R^*< 0.5R\) for common benchmarks, where R is a distribution’s minimum nearest neighbour distance. Thus, we improve previous work on determining a distribution’s maximum robust radius.
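
Added example (not from the paper): a pre-training check of a perturbation budget \(\delta\) against \(0.5R\), the looser bound the abstract compares \(R^*\) to. It assumes R is the smallest distance between differently labelled training samples; the function names and the six sample points are constructed for illustration, and \(R^*\) itself is not computed because its formula is not given on this page.

```python
import math

# Constructed 2-D toy data (not from the paper): two classes, three points each.
SAMPLES = [(0.0, 0.0), (1.0, 0.0), (0.0, 1.0), (3.0, 0.0), (3.0, 1.0), (4.0, 0.5)]
LABELS = [0, 0, 0, 1, 1, 1]


def lp_distance(a, b, p=2):
    """Distance between two equal-length vectors under the l_p norm (p may be math.inf)."""
    diffs = [abs(x - y) for x, y in zip(a, b)]
    if p == math.inf:
        return max(diffs)
    return sum(d ** p for d in diffs) ** (1.0 / p)


def interclass_distances(samples, labels, p=2):
    """Yield (distance, i, j) for every pair of samples carrying different labels."""
    for i in range(len(samples)):
        for j in range(i + 1, len(samples)):
            if labels[i] != labels[j]:
                yield lp_distance(samples[i], samples[j], p), i, j


def min_nn_distance(samples, labels, p=2):
    """R, assumed here to be the smallest distance between differently labelled samples."""
    pairs = list(interclass_distances(samples, labels, p))
    if not pairs:
        raise ValueError("need samples from at least two classes")
    dist, i, j = min(pairs)
    return dist, (i, j)


def audit_budget(samples, labels, delta, p=2):
    """Compare a norm-bounded perturbation budget delta with 0.5 * R.

    Two delta-balls around differently labelled samples intersect exactly when
    the samples are at most 2 * delta apart. Every such pair is a place where a
    perturbed training point can carry either label, i.e. label noise.
    """
    R, closest = min_nn_distance(samples, labels, p)
    conflicts = [(i, j) for d, i, j in interclass_distances(samples, labels, p)
                 if d <= 2 * delta]
    return {
        "R": R,
        "half_R": 0.5 * R,
        "closest_pair": closest,
        "below_half_R": delta < 0.5 * R,
        "conflicts": conflicts,
    }


if __name__ == "__main__":
    for delta, p in [(0.5, 2), (1.1, 2), (1.0, math.inf)]:
        print(delta, p, audit_budget(SAMPLES, LABELS, delta, p))
```

Because the abstract reports \(R^*< 0.5R\) on common benchmarks, a budget that passes this check can still exceed \(R^*\); a budget that fails it is already past the point where perturbed samples of different classes coincide.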

Notes

  1. We assume that samples do not lie on a flat manifold, so are not perfectly collinear.

  2. Note that enclosing just the point \(\bar{x}_j'\) requires \(d\) hyperplanes arranged as a simplex.

Acknowledgements

D. Kienitz and E. Komendantskaya acknowledge support of EPSRC grant EP/T026952/1: AI Secure and Explainable by Construction (AISEC).

Corresponding author

Correspondence to Daniel Kienitz.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Kienitz, D., Komendantskaya, E., Lones, M. (2023). Comparing Complexities of Decision Boundaries for Robust Training: A Universal Approach. In: Wang, L., Gall, J., Chin, TJ., Sato, I., Chellappa, R. (eds) Computer Vision – ACCV 2022. ACCV 2022. Lecture Notes in Computer Science, vol 13846. Springer, Cham. https://doi.org/10.1007/978-3-031-26351-4_38

  • DOI: https://doi.org/10.1007/978-3-031-26351-4_38

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-26350-7

  • Online ISBN: 978-3-031-26351-4

  • eBook Packages: Computer Science, Computer Science (R0)
