PH.D DEFENCE - PUBLIC SEMINAR

Robust Learning and Prediction in Deep Learning

Speaker
Mr Zhang Jingfeng
Advisor
Dr Mohan Kankanhalli, Provost's Chair Professor, School of Computing


07 Dec 2020 Monday, 03:00 PM to 04:30 PM

Zoom presentation

Join Zoom Meeting
https://nus-sg.zoom.us/j/84863318534?pwd=SVdTL2ptMXA2eTJ1SmhNSWtxTUpyQT09
Meeting ID: 848 6331 8534
Password: 476666

Abstract:
Robustness is the ability to withstand adverse conditions. In deep learning, it refers to the ability to tolerate perturbations that might affect the functionality of the deep model. Both learning a deep model and deploying it require robustness. In this thesis, we explore two types of robustness in deep learning, i.e., training robustness and adversarial robustness. Training robustness refers to successfully learning a deep neural network under slight perturbations of the training configuration. Adversarial robustness refers to maintaining faithful predictions of the deep neural network even if the input data are perturbed by adversarially crafted noise.

Previous approaches to robustly learning a deep neural network require the domain knowledge of data scientists to configure the training process, e.g., by fine-tuning the hyperparameter settings; otherwise, training is likely to fail. This thesis presents a simple yet principled approach to boosting the training robustness of the residual network (ResNet), motivated by a dynamical systems perspective. Namely, deep neural networks can be interpreted using partial differential equations, which naturally inspires us to characterize ResNet in terms of an explicit Euler method. This in turn allows us to exploit the step factor h of the Euler method to control the robustness of ResNet in both training and generalization. Specifically, in this thesis training robustness refers to the stability of training, and generalization robustness refers to how well random noise in the input features is handled. We prove that a small step factor h helps training robustness during backpropagation and generalization robustness during forward propagation. Empirical evaluation on real-world datasets corroborates our analytical findings that a small h indeed improves both training and generalization robustness.

Standard-trained deep models are vulnerable to adversarial data, i.e., adversarially corrupted data can easily cause a deep model to make wrong predictions, while humans are immune to such data. To obtain adversarial robustness, previous approaches employ adversarial training methods based on the minimax formulation. However, this formulation is conservative, or even pessimistic, so that it sometimes hurts the standard accuracy on natural data. This thesis raises a fundamental question -- do we have to trade off standard accuracy for adversarial robustness? We argue that adversarial training entails employing confident adversarial data to update the current model. We propose a novel approach, friendly adversarial training (FAT): rather than employing the most adversarial data, which maximize the loss, we search for the least adversarial (i.e., friendly adversarial) data, which minimize the loss, among the adversarial data that are confidently misclassified. Our formulation is easy to implement by simply stopping a most-adversarial-data search algorithm such as PGD (projected gradient descent) early, which we call early-stopped PGD. Theoretically, FAT is justified by an upper bound on the adversarial risk. Empirically, FAT allows us to answer the earlier question in the negative: adversarial robustness can indeed be achieved without compromising standard accuracy.


The common belief that adversarial robustness and standard accuracy hurt each other was challenged by our proposed FAT, which maintains robustness while improving accuracy. However, the other direction, whether we can keep the accuracy while improving the robustness, is conceptually and practically more interesting, since the robust accuracy on adversarial data should always be lower than the standard accuracy on natural data for any model. This thesis shows that this direction is also promising. Firstly, we find that even over-parameterized deep models may still have insufficient model capacity, because adversarial training has an overwhelming smoothing effect. Secondly, given limited model capacity, we argue that adversarial data should have unequal importance: geometrically speaking, a natural data point closer to/farther from the class boundary is less/more robust, and the corresponding adversarial data point should be assigned a larger/smaller weight. Finally, to implement this idea, we propose geometry-aware instance-reweighted adversarial training (GAIRAT), where the weights are based on how difficult it is to attack a natural data point. Empirically, we show that GAIRAT boosts the robustness of standard adversarial training; combining the two directions (i.e., FAT and GAIRAT), we improve both the robustness and the accuracy of standard adversarial training.
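As an added toy illustration of the two ideas in the abstract (this is not code from the thesis), the block below runs standard PGD and early-stopped PGD (FAT) around one point of a constructed 2-D logistic classifier, and reuses the step count at which the point first becomes misclassified as the attack-difficulty signal that GAIRAT's reweighting is based on. The weights, bias, epsilon, step size, the natural point and the weight function `gairat_weight` are all assumptions made for the example, not values from the thesis.

```python
import math

# Constructed toy model: logistic regression on 2-D inputs, labels in {0, 1}.
W, B = [1.0, 1.0], 0.0          # assumed weights and bias

def logit(x):
    return sum(w * xi for w, xi in zip(W, x)) + B

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def predict(x):
    return int(logit(x) > 0)

def loss(x, y):
    """Binary cross-entropy of the toy model on a single point."""
    p = sigmoid(logit(x))
    return -(y * math.log(p) + (1 - y) * math.log(1 - p))

def pgd(x, y, eps=0.5, alpha=0.1, steps=10, early_stop=False, tau=0):
    """L-inf PGD around x -> (x_adv, kappa); kappa = steps taken before x_adv
    is first seen misclassified (steps if never). early_stop=False: standard
    PGD, most adversarial point (max loss). early_stop=True: early-stopped PGD
    (FAT), halt tau steps after first misclassification (friendly point)."""
    x_adv, kappa, extra = list(x), steps, 0
    for k in range(steps):
        if predict(x_adv) != y:
            kappa = min(kappa, k)
            if early_stop:
                if extra >= tau:
                    break
                extra += 1
        g = sigmoid(logit(x_adv)) - y               # d loss / d logit
        x_adv = [min(max(xa + alpha * (1 if g * w > 0 else -1), xi - eps), xi + eps)
                 for xa, w, xi in zip(x_adv, W, x)]  # signed step, then project
    return x_adv, kappa

def gairat_weight(kappa, steps):
    """Assumed monotone weight (not the thesis's function): fewer attack steps
    means the natural point is closer to the boundary, so it gets more weight."""
    return 1.0 - kappa / steps

def demo():
    x, y = [0.35, 0.35], 1                          # constructed natural point
    full, _ = pgd(x, y)
    friendly, kappa = pgd(x, y, early_stop=True)
    dist = lambda a: max(abs(ai - xi) for ai, xi in zip(a, x))
    return {"full_pred": predict(full), "friendly_pred": predict(friendly),
            "full_loss": loss(full, y), "friendly_loss": loss(friendly, y),
            "full_dist": dist(full), "friendly_dist": dist(friendly), "kappa": kappa}
```

Both searches end misclassified, but the friendly point sits at a smaller perturbation with a lower loss, and the same run yields kappa, the number of steps the attack needed, which the reweighting turns into a per-instance weight.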