Inter-feature Relationship Certifies Robust Generalization of Adversarial Training

International Journal of Computer Vision (2024)

Abstract

Whilst adversarial training has been shown to be a promising approach to promoting model robustness in computer vision and machine learning, adversarially trained models often suffer from poor robust generalization on unseen adversarial examples; that is, a large gap remains between their performance on training and test adversarial examples. In this paper, we propose to tackle this issue from the new perspective of the inter-feature relationship. Specifically, we aim to generate adversarial examples which maximize the loss function while maintaining the inter-feature relationship of the natural data, and we additionally penalize the correlation distance between natural features and their adversarial counterparts. As a key contribution, we prove theoretically that training with such examples, while penalizing the distance between correlations, helps promote generalization on both natural and adversarial examples. We validate our method empirically through extensive experiments on different vision datasets (CIFAR-10, CIFAR-100, and SVHN) against several competitive methods. Our method substantially outperforms the baseline adversarial training, especially under PGD20 on CIFAR-10, CIFAR-100, and SVHN, with improvements of around 20%, 15%, and 29%, respectively.
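To make the training objective described above concrete, the following is a minimal, illustrative PyTorch-style sketch, not the authors' released implementation: a PGD-style inner maximization that increases the classification loss while being discouraged from distorting the pairwise inter-feature relationships of the natural batch, followed by an outer training loss that penalizes the distance between natural and adversarial feature relationships. The names feature_extractor, lam_rel, and lam_corr, and the use of pairwise feature differences as a stand-in for the paper's correlation measure, are assumptions introduced only for illustration.

```python
import torch
import torch.nn.functional as F


def pairwise_relation(feats):
    """Pairwise inter-feature relationship within a batch: R[i, j] = f_i - f_j."""
    return feats.unsqueeze(1) - feats.unsqueeze(0)


def craft_adv(model, feature_extractor, x, y,
              eps=8 / 255, alpha=2 / 255, steps=10, lam_rel=1.0):
    """PGD-style attack that maximizes the loss while discouraging distortion of
    the natural batch's pairwise feature relationships."""
    with torch.no_grad():
        rel_nat = pairwise_relation(feature_extractor(x))
    x_adv = (x + torch.empty_like(x).uniform_(-eps, eps)).clamp(0, 1).detach()
    for _ in range(steps):
        x_adv.requires_grad_(True)
        rel_adv = pairwise_relation(feature_extractor(x_adv))
        # Ascend on (classification loss - relationship distortion).
        objective = F.cross_entropy(model(x_adv), y) - lam_rel * F.mse_loss(rel_adv, rel_nat)
        grad = torch.autograd.grad(objective, x_adv)[0]
        x_adv = x_adv.detach() + alpha * grad.sign()
        x_adv = torch.min(torch.max(x_adv, x - eps), x + eps).clamp(0, 1)
    return x_adv.detach()


def training_loss(model, feature_extractor, x, y, lam_corr=1.0):
    """Adversarial training loss plus a penalty on the distance between the
    natural and adversarial inter-feature relationships."""
    x_adv = craft_adv(model, feature_extractor, x, y)
    rel_nat = pairwise_relation(feature_extractor(x))
    rel_adv = pairwise_relation(feature_extractor(x_adv))
    return F.cross_entropy(model(x_adv), y) + lam_corr * F.mse_loss(rel_adv, rel_nat)
```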


Availability of Data and Materials

Not applicable.

References

  • Bousquet, O., & Elisseeff, A. (2002). Stability and generalization. The Journal of Machine Learning Research, 2, 499–526.


  • Carlini, N. & Wagner, D. (2017). Towards evaluating the robustness of neural networks. In 2017 IEEE symposium on security and privacy (sp), pp. 39–57.

  • Carlini, N. & Wagner, D. (2018). Audio adversarial examples: Targeted attacks on speech-to-text. In 2018 IEEE security and privacy workshops (SPW), pp. 1–7.

  • Chen, Y., Ren, Q. & Yan, J. (2022). Rethinking and improving robustness of convolutional neural networks: A shapley value-based approach in frequency domain. Advances in neural information processing systems.

  • Croce, F. & Hein, M. (2020). Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. ICML.

  • Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Tramer, F. & Song, D. (2018). Physical adversarial examples for object detectors. arXiv preprint arXiv:1807.07769.

  • Fischer, V., Kumar, M. C., Metzen, J. H. & Brox, T. (2017). Adversarial examples for semantic image segmentation. arXiv preprint arXiv:1703.01101.

  • He, K., Zhang, X., Ren, S. & Sun, J. (2016). Deep residual learning for image recognition. In Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 770–778.

  • Kannan, H., Kurakin, A. & Goodfellow, I. (2018). Adversarial logit pairing. arXiv preprint arXiv:1803.06373.

  • Kawaguchi, K., Deng, Z., Luh, K. & Huang, J. (2022). Robustness implies generalization via data-dependent generalization bounds. In International conference on machine learning, 10866–10894.

  • Krizhevsky, A., Nair, V. & Hinton, G. (2014). The cifar-10 dataset. https://www.cs.toronto.edu/~kriz/cifar.html

  • Lamb, A., Binas, J., Goyal, A., Serdyuk, D., Subramanian, S., Mitliagkas, I. & Bengio, Y. (2018). Fortified networks: Improving the robustness of deep networks by modeling the manifold of hidden representations. arXiv preprint arXiv:1804.02485.

  • LeCun, Y., Bengio, Y. & Hinton, G. (2015). Deep learning. Nature, 521, 436–444.

  • Liao, F., Liang, M., Dong, Y., Pang, T., Hu, X. & Zhu, J. (2018). Defense against adversarial attacks using high-level representation guided denoiser. In Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 1778–1787.

  • Lyu, C., Huang, K. & Liang, H.-N. (2015). A unified gradient regularization family for adversarial examples. In 2015 IEEE international conference on data mining, pp. 301–309.

  • Madry, A., Makelov, A., Schmidt, L., Tsipras, D. & Vladu, A. (2017). Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083.

  • Mao, C., Zhong, Z., Yang, J., Vondrick, C. & Ray, B. (2019). Metric learning for adversarial robustness. In Advances in neural information processing systems, pp. 478–489.

  • Miyato, T., Maeda, S-i., Koyama, M. & Ishii, S. (2017). Virtual adversarial training: A regularization method for supervised and semi-supervised learning. arXiv preprint arXiv:1704.03976.

  • Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B. & Ng, A. Y. (2011). Reading digits in natural images with unsupervised feature learning. In NIPS workshop on deep learning and unsupervised feature learning.

  • Neyshabur, B., Bhojanapalli, S., McAllester, D. & Srebro, N. (2017). Exploring generalization in deep learning. arXiv preprint arXiv:1706.08947.

  • Otter, D. W., Medina, J. R., & Kalita, J. K. (2020). A survey of the usages of deep learning for natural language processing. IEEE Transactions on Neural Networks and Learning Systems.

  • Qian, Z., Huang, K., Wang, Q. & Zhang, X. (2022). A survey of robust adversarial training in pattern recognition: Fundamental, theory, and methodologies. Pattern Recognition, 131, 108889.

  • Rice, L., Wong, E. & Kolter, J. Z. (2020). Overfitting in adversarially robust deep learning. In International conference on machine learning.

  • Roth, K., Kilcher, Y. & Hofmann, T. (2020). Adversarial training is a form of data-dependent operator norm regularization. Advances in neural information processing systems, 33.

  • Schmidt, L., Santurkar, S., Tsipras, D., Talwar, K. & Madry, A. (2018). Adversarially robust generalization requires more data. Advances in neural information processing systems, pp. 5014–5026.

  • Sinha, A., Singh, M., Kumari, N., Krishnamurthy, B., Machiraju, H. & Balasubramanian, V. (2019). Harnessing the vulnerability of latent layers in adversarially trained models. arXiv preprint arXiv:1905.05186.

  • Song, C., He, K., Lin, J., Wang, L. & Hopcroft, J. E. (2019). Robust local features for improving the generalization of adversarial training.

  • Stutz, D., Hein, M., & Schiele, B. (2020). Confidence-calibrated adversarial training: Generalizing to unseen attacks. Proceedings of the International Conference on Machine Learning (ICML), 119, 9155–9166.


  • Wang, J. & Zhang, H. (2019). Bilateral adversarial training: Towards fast training of more robust models against adversarial attacks. In Proceedings of the IEEE international conference on computer vision.

  • Wu, D., Xia, S-T. & Wang, Y. (2020). Adversarial weight perturbation helps robust generalization. Advances in neural information processing systems, 33.

  • Xu, H., & Mannor, S. (2012). Robustness and generalization. Machine learning, 86, 391–423.

  • Yang, Y.-Y., Rashtchian, C., Zhang, H., Salakhutdinov, R. & Chaudhuri, K. (2020). A closer look at accuracy vs. robustness. Advances in neural information processing systems, 33.

  • Yin, D., Kannan, R., Bartlett, P. (2019). Rademacher complexity for adversarially robust generalization. International conference on machine learning, 7085–7094.

  • You, Z., Ye, J., Li, K., Xu, Z. & Wang, P. (2019). Adversarial noise layer: Regularize neural network by adding noise. In 2019 IEEE international conference on image processing (ICIP), pp. 909–913.

  • Zagoruyko, S. & Komodakis, N. (2016). Wide residual networks. arXiv preprint arXiv:1605.07146.

  • Zhai, R., Cai, T., He, D., Dan, C., He, K., Hopcroft, J. & Wang, L. (2019). Adversarially robust generalization just requires more unlabeled data. arXiv preprint arXiv:1906.00555.

  • Zhang, B., Jiang, D., He, D. & Wang, L. (2022). Rethinking lipschitz neural networks and certified robustness: A boolean function perspective. Advances in neural information processing systems.

  • Zhang, H. & Wang, J. (2019). Defense against adversarial attacks using feature scattering-based adversarial training. Advances in neural information processing systems, pp. 1829–1839.

  • Zhang, H., Yu, Y., Jiao, J., Xing, E. P., Ghaoui, L. E. & Jordan, M. I. (2019). Theoretically principled trade-off between robustness and accuracy. In International conference on machine learning.

  • Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M. & Kankanhalli, M. (2020). Attacks which do not kill training make adversarial learning stronger. arXiv preprint arXiv:2002.11242.

  • Zhang, S., Qian, Z., Huang, K., Wang, Q., Zhang, R. & Yi, X. (2021). Towards better robust generalization with shift consistency regularization. International Conference on Machine Learning, pp. 12524–12534.

  • Zhao, Z.-Q., Zheng, P., Xu, S.-t, & Wu, X. (2019). Object detection with deep learning: A review. IEEE Transactions on Neural Networks and Learning Systems, 30, 3212–3232. IEEE.


  • Zimmermann, R. S., Brendel, W., Tramer, F. & Carlini, N. (2022). Increasing confidence in adversarial robustness evaluations. Advances in neural information processing systems.


Funding

This work was supported by the National Natural Science Foundation of China under Grants No. 92370119, 62376113, and 62276258, and by the Jiangsu Science and Technology Programme (Natural Science Foundation of Jiangsu Province) under Grant No. BE2020006-4.

Author information

Contributions

All authors contributed to the study conception and design. Material preparation, data collection and analysis were performed by Zhuang Qian and Shufei Zhang. The first draft of the manuscript was written by Shufei Zhang and all authors commented on previous versions of the manuscript. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Kaizhu Huang.

Ethics declarations

Conflict of interest

The authors have no conflicts of interest to declare that are relevant to the content of this article.

Ethics Approval

This article does not contain any studies with human participants performed by any of the authors.

Consent to Participate

Informed consent was obtained from all individual participants included in the study.

Consent for Publication

Consent for publication was obtained from the participants.

Code Availability

The code for this article will be open-sourced once its preparation is complete.

Additional information

Communicated by Oliver Zendel.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Proof for Theorem 1

In this section, we provide the details to prove Theorem 1.

Theorem 1

Assume the DNN model is \((K,\epsilon (S))\)-robust on natural examples and \((K,\epsilon '(S))\)-robust on adversarial examples. Given the training set \(S_d=\{x_i\}_{i=1}^{n}\) consisting of n i.i.d. samples drawn from a distribution S, and the set of corresponding adversarial examples \(S^{adv}_d=\{x^{adv}_i\}_{i=1}^{n}\) drawn from the underlying distribution \(S^{adv}\), if the loss function \(l(\cdot )\) of the DNN \(f_\theta \) is k-Lipschitz, then for any \(\delta >0\), with probability at least \(1-\delta \), we have

$$\begin{aligned} \textrm{G}_{adv}&\le \textrm{G}_{std} + \epsilon _t + Q_1\sqrt{\frac{\ln (2K/\delta )}{n}} + 2Q_2\frac{\ln (2K/\delta )}{n} \\&\quad +\frac{L}{n}\sum _{k=1}^{K}\sum _{i\in I_k}\max _{j\in I_k}\Vert d_\theta (x^{adv}_i, x^{adv}_j)-d_\theta (x_i, x_j)\Vert _2^2, \\ \text {where}\quad \epsilon _t&= \epsilon '(S) - \epsilon (S), \\ d_\theta (x^{adv}_i, x^{adv}_j)&=f_\theta (x^{adv}_i)-f_\theta (x^{adv}_j), \\ d_\theta (x_i, x_j)&=f_\theta (x_i)-f_\theta (x_j), \\ Q_1&=\sum _{k\in T_s}\big(\alpha _{T_s^c}(A_s)+\alpha '_{T_s^c}(A_s)+\sqrt{2}\,\alpha _{T_s^c}(A_s) +\sqrt{2}\,\alpha '_{T_s^c}(A_s)\big)\sqrt{\frac{\vert I_k\vert }{n}}, \\ Q_2&=\sum _{k\in T_s}\big(\alpha _{k}(A_s)+\alpha '_{k}(A_s)\big)+\big(\alpha _{T_s^c}(A_s) +\alpha '_{T_s^c}(A_s)\big)\vert T_s\vert \end{aligned}$$
(A1)

with \(T_s=\{k\in [K]:\vert I_k\vert \ge 1\}\), \(T_s^c=[K]\setminus T_s\), \(\alpha _k(h)={\mathbb {E}}_z[l(h,z)\vert z\in C_k]\), and \(\alpha _{T_s^c}(A_s)=\max _{k\in T_s^c}\alpha _k(A_s)\); \(\alpha '_k\) and \(\alpha '_{T_s^c}\) denote the analogous quantities computed on the corresponding adversarial examples \(z^{adv}\). Here \(C_k\) is the \(k\)-th subset (cell) of the whole set, z is a sample drawn from \(C_k\) with corresponding adversarial example \(z^{adv}\), and \(\mu (C_k)\) is the proportion of \(C_k\) in the whole set.

Proof

Let \(I_k\) be the set of indices of the points of the training set \(S_d=\{s_i\}_{i=1}^n\) that fall into \(C_k\), so that \((\vert I_1\vert ,\ldots , \vert I_K\vert )\) is a multinomial random variable with parameters n and \((p_1,\ldots , p_K)\). We first state Lemma 1.

Lemma 1

For any \(\delta > 0\), with probability at least \(1-\delta \), the following holds (Kawaguchi et al., 2022):

$$\begin{aligned} \sum _{i=1}^{K}\alpha _i(X)\left( p_i-\frac{X_i}{n}\right)&\le \sqrt{\frac{\ln (2K/\delta )}{n}}\sum _{i\in T_s}\big(\alpha _{T_s^c}(X)+\sqrt{2}\,\alpha _i(X)\big)\sqrt{\frac{X_i}{n}} \\&\quad +\frac{2\ln (2K/\delta )}{n}\Big(\alpha _{T_s^c}(X)\vert T_s\vert +\sum _{i\in T_s}\alpha _i(X)\Big) \end{aligned}$$
(A2)

The upper bound on the robust generalization gap can be formulated as follows:

$$\begin{aligned}&\vert l(f_\theta (S^{adv}), Y)-{\hat{l}}(f_\theta (S^{adv}_d), Y_d)\vert \\&\quad = \left| \sum _{k=1}^{K}{\mathbb {E}}_{C_k}l(A_s, z')\mu (C_k)-\frac{1}{n}\sum _{i=1}^{n}l(A_s, z'_i)\right| \\&\quad = \left| \sum _{k=1}^{K}\big({\mathbb {E}}_{C_k}l(A_s, z')-{\mathbb {E}}_{C_k}l(A_s, z)+{\mathbb {E}}_{C_k}l(A_s, z)\big)\mu (C_k)-\frac{1}{n}\sum _{i=1}^{n}\big(l(A_s, z'_i)-l(A_s, z_i)+l(A_s, z_i)\big) \right| \\&\quad \le G_s + \frac{1}{n}\sum _{k=1}^K\vert I_k\vert \Big(\alpha '_k(A_s)-\frac{1}{\vert I_k\vert }\sum _{i\in I_k}l(A_s,z'_i)\Big) +\sum _{k=1}^K\alpha '_k(A_s)\Big(\Pr (z\in C_k)-\frac{\vert I_k\vert }{n}\Big) \\&\qquad -\frac{1}{n}\sum _{k=1}^K\vert I_k\vert \Big(\alpha _k(A_s)-\frac{1}{\vert I_k\vert }\sum _{i\in I_k}l(A_s,z_i)\Big) -\sum _{k=1}^K\alpha _k(A_s)\Big(\Pr (z\in C_k)-\frac{\vert I_k\vert }{n}\Big) \\&\quad \le G_s + \frac{1}{n}\sum _{k=1}^K\vert I_k\vert \,{\mathbb {E}}_{C_k}\max _{j\in I_k}\vert l(A_s,z')-l(A_s,z'_j)\vert \\&\qquad +\frac{1}{n}\sum _{k=1}^K\vert I_k\vert \,\Big \vert {\mathbb {E}}_{C_k}\big[l(A_s,z'_j)\,\big \vert \, j=\arg \max _{j\in I_k}\vert l(A_s,z')-l(A_s,z'_j)\vert \big]-\frac{1}{\vert I_k\vert }\sum _{i\in I_k}l(A_s,z'_i)\Big \vert \\&\qquad +\sum _{k=1}^K\alpha '_k(A_s)\Big(\Pr (z\in C_k)-\frac{\vert I_k\vert }{n}\Big) -\sum _{k=1}^K\alpha _k(A_s)\Big(\Pr (z\in C_k)-\frac{\vert I_k\vert }{n}\Big) \\&\qquad -\frac{1}{n}\sum _{k=1}^K\vert I_k\vert \,{\mathbb {E}}_{C_k}\min _{j\in I_k}\vert l(A_s,z)-l(A_s,z_j)\vert \\&\qquad -\frac{1}{n}\sum _{k=1}^K\vert I_k\vert \,\Big \vert {\mathbb {E}}_{C_k}\big[l(A_s,z_j)\,\big \vert \, j=\arg \min _{j\in I_k}\vert l(A_s,z)-l(A_s,z_j)\vert \big]-\frac{1}{\vert I_k\vert }\sum _{i\in I_k}l(A_s,z_i)\Big \vert \end{aligned}$$

$$\begin{aligned}&\quad \le G_s - \epsilon (S) + \epsilon '(S) \\&\qquad + \frac{1}{n}\sum _{k=1}^K\vert I_k\vert \,\Big \vert {\mathbb {E}}_{C_k}\big[l(A_s,z'_j)\,\big \vert \, j=\arg \max _{j\in I_k}\vert l(A_s,z')-l(A_s,z'_j)\vert \big]-\frac{1}{\vert I_k\vert }\sum _{i\in I_k}l(A_s,z'_i)\Big \vert \\&\qquad - \frac{1}{n}\sum _{k=1}^K\vert I_k\vert \,\Big \vert {\mathbb {E}}_{C_k}\big[l(A_s,z_j)\,\big \vert \, j=\arg \min _{j\in I_k}\vert l(A_s,z)-l(A_s,z_j)\vert \big]-\frac{1}{\vert I_k\vert }\sum _{i\in I_k}l(A_s,z_i)\Big \vert \\&\qquad +\sum _{k=1}^K\alpha '_k(A_s)\Big(\Pr (z\in C_k)-\frac{\vert I_k\vert }{n}\Big) -\sum _{k=1}^K\alpha _k(A_s)\Big(\Pr (z\in C_k)-\frac{\vert I_k\vert }{n}\Big) \\&\quad \le G_s + \epsilon _t + \frac{1}{n}\sum _{k=1}^K\vert I_k\vert \,\Big \vert {\mathbb {E}}_{C_k}\big[l(A_s,z'_j)\,\big \vert \, j=\arg \max _{j\in I_k}\vert l(A_s,z')-l(A_s,z'_j)\vert \big]-\frac{1}{\vert I_k\vert }\sum _{i\in I_k}l(A_s,z'_i)\Big \vert \\&\qquad - \frac{1}{n}\sum _{k=1}^K\vert I_k\vert \,\Big \vert {\mathbb {E}}_{C_k}\big[l(A_s,z_j)\,\big \vert \, j=\arg \min _{j\in I_k}\vert l(A_s,z)-l(A_s,z_j)\vert \big]-\frac{1}{\vert I_k\vert }\sum _{i\in I_k}l(A_s,z_i)\Big \vert \\&\qquad +\sum _{k=1}^K\alpha '_k(A_s)\Big(\Pr (z\in C_k)-\frac{\vert I_k\vert }{n}\Big) -\sum _{k=1}^K\alpha _k(A_s)\Big(\Pr (z\in C_k)-\frac{\vert I_k\vert }{n}\Big) \\&\quad \le G_s + \epsilon _t + \frac{1}{n}\sum _{k=1}^K\vert I_k\vert \,\Big \vert \big \vert {\mathbb {E}}_{C_k}l(A_s,z'_j)-\frac{1}{\vert I_k\vert }\sum _{i\in I_k}l(A_s,z'_i)\big \vert -\big \vert {\mathbb {E}}_{C_k}l(A_s,z_j)-\frac{1}{\vert I_k\vert }\sum _{i\in I_k}l(A_s,z_i)\big \vert \Big \vert \\&\qquad +\sum _{k=1}^K\alpha '_k(A_s)\Big(\Pr (z\in C_k)-\frac{\vert I_k\vert }{n}\Big) -\sum _{k=1}^K\alpha _k(A_s)\Big(\Pr (z\in C_k)-\frac{\vert I_k\vert }{n}\Big) \\&\quad \le G_s + \epsilon _t + \frac{1}{n}\sum _{k=1}^K\vert I_k\vert \,\Big \vert \frac{1}{\vert I_k\vert }\sum _{i\in I_k}\max _{j\in I_k}\vert l(A_s,z'_j)-l(A_s,z'_i)\vert -\frac{1}{\vert I_k\vert }\sum _{i\in I_k}\max _{j\in I_k}\vert l(A_s,z_j)-l(A_s,z_i)\vert \Big \vert \\&\qquad +\sum _{k=1}^K\alpha '_k(A_s)\Big(\Pr (z\in C_k)-\frac{\vert I_k\vert }{n}\Big) -\sum _{k=1}^K\alpha _k(A_s)\Big(\Pr (z\in C_k)-\frac{\vert I_k\vert }{n}\Big) \\&\quad \le G_s + \epsilon _t + \frac{1}{n}\sum _{k=1}^K\sum _{i\in I_k}\max _{j\in I_k}\Big \vert \vert l(A_s,z'_j)-l(A_s,z'_i)\vert -\vert l(A_s,z_j)-l(A_s,z_i)\vert \Big \vert \\&\qquad +\sum _{k=1}^K\alpha '_k(A_s)\Big(\Pr (z\in C_k)-\frac{\vert I_k\vert }{n}\Big) -\sum _{k=1}^K\alpha _k(A_s)\Big(\Pr (z\in C_k)-\frac{\vert I_k\vert }{n}\Big) \end{aligned}$$

Here, since the loss \(l(\cdot )\) is assumed to be \(k\)-Lipschitz, there exists a finite ratio constant

$$\begin{aligned} L=\frac{\sum _{k=1}^K\sum _{i\in I_k}\max _{j\in I_k}\big \vert \vert l(A_s,z'_j)-l(A_s,z'_i)\vert -\vert l(A_s,z_j)-l(A_s,z_i)\vert \big \vert }{\sum _{k=1}^{K}\sum _{i\in I_k}\max _{j\in I_k}\Vert d_\theta (x^{adv}_i, x^{adv}_j)-d_\theta (x_i, x_j)\Vert _2^2} \end{aligned}$$

such that

$$\begin{aligned} G_{adv}&\triangleq \vert l(f_\theta (S^{adv}), Y)-{\hat{l}}(f_\theta (S^{adv}_d), Y_d)\vert \\&\le G_{std} + \epsilon _t + \frac{L}{n}\sum _{k=1}^{K}\sum _{i\in I_k}\max _{j\in I_k}\Vert d_\theta (x^{adv}_i, x^{adv}_j)-d_\theta (x_i, x_j)\Vert _2^2 \\&\quad +\sum _{k=1}^K\alpha '_k(A_s)\Big(\Pr (z\in C_k)-\frac{\vert I_k\vert }{n}\Big) -\sum _{k=1}^K\alpha _k(A_s)\Big(\Pr (z\in C_k)-\frac{\vert I_k\vert }{n}\Big) \end{aligned}$$
(A3)

According to Lemma 1, we have

$$\begin{aligned} G_{adv}&\le \textrm{G}_{std} + \epsilon _t + Q_1\sqrt{\frac{\ln (2K/\delta )}{n}} + 2Q_2\frac{\ln (2K/\delta )}{n} \\&\quad +\frac{L}{n}\sum _{k=1}^{K}\sum _{i\in I_k}\max _{j\in I_k}\Vert d_\theta (x^{adv}_i, x^{adv}_j)-d_\theta (x_i, x_j)\Vert _2^2, \\ \text {where}\quad \epsilon _t&= \epsilon '(S) - \epsilon (S), \\ d_\theta (x^{adv}_i, x^{adv}_j)&=f_\theta (x^{adv}_i)-f_\theta (x^{adv}_j), \\ d_\theta (x_i, x_j)&=f_\theta (x_i)-f_\theta (x_j), \\ Q_1&=\sum _{k\in T_s}\big(\alpha '_{T_s^c}(A_s)-\alpha _{T_s^c}(A_s)+\sqrt{2}\,\alpha '_{T_s^c}(A_s) -\sqrt{2}\,\alpha _{T_s^c}(A_s)\big)\sqrt{\frac{\vert I_k\vert }{n}}, \\ Q_2&=\sum _{k\in T_s}\big(\alpha '_{k}(A_s)-\alpha _{k}(A_s)\big)+\big(\alpha '_{T_s^c}(A_s) -\alpha _{T_s^c}(A_s)\big)\vert T_s\vert \end{aligned}$$

This completes the proof. \(\square \)
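To make the key regularization term in the bound of Theorem 1 concrete, the following is a minimal numerical sketch (an illustration only, not part of the original proof or the authors' code) that computes \(\sum _{k=1}^{K}\sum _{i\in I_k}\max _{j\in I_k}\Vert d_\theta (x^{adv}_i, x^{adv}_j)-d_\theta (x_i, x_j)\Vert _2^2\) for a batch of natural and adversarial features. Approximating the partition cells \(C_k\) by class labels and the function name relation_gap_term are assumptions made for illustration.

```python
import torch


def relation_gap_term(feats_nat: torch.Tensor, feats_adv: torch.Tensor,
                      labels: torch.Tensor) -> torch.Tensor:
    """Sum over cells k and points i in I_k of max_j ||d_adv(i, j) - d_nat(i, j)||_2^2."""
    total = feats_nat.new_zeros(())
    for k in labels.unique():
        idx = (labels == k).nonzero(as_tuple=True)[0]
        fn, fa = feats_nat[idx], feats_adv[idx]     # features of cell I_k
        d_nat = fn.unsqueeze(1) - fn.unsqueeze(0)   # d_theta(x_i, x_j)
        d_adv = fa.unsqueeze(1) - fa.unsqueeze(0)   # d_theta(x_i^adv, x_j^adv)
        gap = ((d_adv - d_nat) ** 2).sum(dim=-1)    # squared L2 norm for every (i, j)
        total = total + gap.max(dim=1).values.sum() # max over j, then sum over i
    return total


# Toy usage with random features standing in for f_theta outputs.
feats_nat = torch.randn(8, 16)
feats_adv = feats_nat + 0.1 * torch.randn(8, 16)
labels = torch.randint(0, 3, (8,))
print(relation_gap_term(feats_nat, feats_adv, labels))
```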

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article


Cite this article

Zhang, S., Qian, Z., Huang, K. et al. Inter-feature Relationship Certifies Robust Generalization of Adversarial Training. Int J Comput Vis 132, 5565–5581 (2024). https://doi.org/10.1007/s11263-024-02111-w
