TY - GEN

T1 - Probabilistic Margins for Instance Reweighting in Adversarial Training

AU - Wang, Qizhou

AU - Liu, Feng

AU - Han, Bo

AU - Liu, Tongliang

AU - Gong, Chen

AU - Niu, Gang

AU - Zhou, Mingyuan

AU - Sugiyama, Masashi

PY - 2021/12/6

Y1 - 2021/12/6

N2 - Reweighting adversarial data during training has recently been shown to improve adversarial robustness, where data closer to the current decision boundaries are regarded as more critical and given larger weights. However, existing methods measuring the closeness are not very reliable: they are discrete and can take only a few values, and they are path-dependent, i.e., they may change given the same start and end points with different attack paths. In this paper, we propose three types of probabilistic margin (PM), which are continuous and path-independent, for measuring the aforementioned closeness and reweighting adversarial data. Specifically, a PM is defined as the difference between two estimated class-posterior probabilities, e.g., the probability of the true label minus the probability of the most confusing label given some natural data. Though different PMs capture different geometric properties, all three PMs share a negative correlation with the vulnerability of data: data with larger/smaller PMs are safer/riskier and should have smaller/larger weights. Experiments demonstrate that PMs are reliable measurements and PM-based reweighting methods outperform state-of-the-art methods.

AB - Reweighting adversarial data during training has recently been shown to improve adversarial robustness, where data closer to the current decision boundaries are regarded as more critical and given larger weights. However, existing methods measuring the closeness are not very reliable: they are discrete and can take only a few values, and they are path-dependent, i.e., they may change given the same start and end points with different attack paths. In this paper, we propose three types of probabilistic margin (PM), which are continuous and path-independent, for measuring the aforementioned closeness and reweighting adversarial data. Specifically, a PM is defined as the difference between two estimated class-posterior probabilities, e.g., the probability of the true label minus the probability of the most confusing label given some natural data. Though different PMs capture different geometric properties, all three PMs share a negative correlation with the vulnerability of data: data with larger/smaller PMs are safer/riskier and should have smaller/larger weights. Experiments demonstrate that PMs are reliable measurements and PM-based reweighting methods outperform state-of-the-art methods.

UR - https://proceedings.neurips.cc/paper/2021/file/c3a690be93aa602ee2dc0ccab5b7b67e-Paper.pdf

UR - https://proceedings.neurips.cc/paper/2021/hash/c3a690be93aa602ee2dc0ccab5b7b67e-Abstract.html

M3 - Conference contribution

T3 - NeurIPS Proceedings

BT - Advances in Neural Information Processing Systems 34 (NeurIPS 2021)

A2 - Ranzato, M.

A2 - Beygelzimer, A.

A2 - Dauphin, Y.

A2 - Liang, P. S.

A2 - Wortman Vaughan, J.

PB - Neural Information Processing Systems Foundation

T2 - 35th Conference on Neural Information Processing Systems

Y2 - 6 December 2021 through 14 December 2021

ER -