Probabilistic Margins for Instance Reweighting in Adversarial Training

Qizhou Wang, Feng Liu, Bo Han*, Tongliang Liu, Chen Gong, Gang Niu, Mingyuan Zhou, Masashi Sugiyama

*Corresponding author for this work

Research output: Chapter in book/report/conference proceeding › Conference proceeding › peer-review

29 Citations (Scopus)

Abstract

Reweighting adversarial data during training has been recently shown to improve adversarial robustness, where data closer to the current decision boundaries are regarded as more critical and given larger weights. However, existing methods measuring the closeness are not very reliable: they are discrete and can take only a few values, and they are path-dependent, i.e., they may change given the same start and end points with different attack paths. In this paper, we propose three types of probabilistic margin (PM), which are continuous and path-independent, for measuring the aforementioned closeness and reweighting adversarial data. Specifically, a PM is defined as the difference between two estimated class-posterior probabilities, e.g., the probability of the true label minus the probability of the most confusing label given some natural data. Though different PMs capture different geometric properties, all three PMs share a negative correlation with the vulnerability of data: data with larger/smaller PMs are safer/riskier and should have smaller/larger weights. Experiments demonstrate that PMs are reliable measurements and PM-based reweighting methods outperform state-of-the-art methods.
Original language: English
Title of host publication: 35th Conference on Neural Information Processing Systems (NeurIPS 2021)
Editors: Marc'Aurelio Ranzato, Alina Beygelzimer, Yann Dauphin, Percy S. Liang, Jenn Wortman Vaughan
Publisher: Neural Information Processing Systems Foundation
Pages: 23258-23269
Number of pages: 12
Volume: 28
ISBN (Print): 9781713845393
Publication status: Published - 6 Dec 2021
Event: 35th Conference on Neural Information Processing Systems, NeurIPS 2021 - Virtual
Duration: 6 Dec 2021 to 14 Dec 2021
https://nips.cc/Conferences/2021 (Conference website)
https://neurips.cc/Conferences/2021 (Conference website)
https://papers.nips.cc/paper_files/paper/2021 (Conference proceedings)
https://proceedings.neurips.cc/paper/2021 (Conference proceedings)

Publication series

Name: Advances in Neural Information Processing Systems
Volume: 34
ISSN (Print): 1049-5258
Name: NeurIPS Proceedings

Conference

Conference: 35th Conference on Neural Information Processing Systems, NeurIPS 2021
Period: 6/12/21 to 14/12/21
Internet address

Scopus Subject Areas

  • Computer Networks and Communications
  • Information Systems
  • Signal Processing
