Rethinking Training Schedules for Verifiably Robust Networks
New and stronger adversarial attacks can threaten existing defenses. This possibility highlights the importance of certified defense methods that train deep neural networks with verifiably robust guarantees. A range of certified defense methods has been proposed to train neural networks with verifiably robustness guarantees, among which Interval Bound Propagation (IBP) and CROWN-IBP have been demonstrated to be the most effective. However, we observe that CROWN-IBP and IBP are suffering from Low Epsilon Overfitting (LEO), a problem arising from their training schedule that increases the input perturbation bound. We show that LEO can yield poor results even for a simple linear classifier. We also investigate the evidence of LEO from experiments under conditions of worsening LEO. Based on these observations, we propose a new training strategy, BatchMix, which mixes various input perturbation bounds in a mini-batch to alleviate the LEO problem. Experimental results on MNIST and CIFAR10 datasets show that BatchMix can make the performance of IBP and CROWN-IBP better by mitigating LEO.
- Publisher
- IEEE Signal Processing Society
- Issue Date
- 2021-09
- Language
- English
- Citation
IEEE International Conference on Image Processing (ICIP), pp.464 - 468
- ISSN
- 1522-4880
- Appears in Collection
- EE-Conference Papers(학술회의논문)
- Files in This Item
- There are no files associated with this item.
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.