Three-Dimensional Reconstruction Pre-Training as a Prior to Improve Robustness to Adversarial Attacks and Spurious Correlation

Author:

Yamada Yutaro (1), Zhang Fred Weiying (1), Kluger Yuval (2, 3, 4), Yildirim Ilker (1, 4, 5, 6)

Affiliation:

1. Department of Statistics & Data Science, Yale University, New Haven, CT 06511, USA

2. Department of Pathology, Yale University School of Medicine, New Haven, CT 06511, USA

3. Department of Applied Mathematics, Yale University, New Haven, CT 06511, USA

4. Foundations of Data Science Institute, Yale University, New Haven, CT 06511, USA

5. Department of Psychology, Yale University, New Haven, CT 06511, USA

6. Wu-Tsai Institute, Yale University, New Haven, CT 06511, USA

Abstract

Ensuring robustness of image classifiers against adversarial attacks and spurious correlation has been challenging. One of the most effective methods for adversarial robustness is a type of data augmentation that uses adversarial examples during training. Here, inspired by computational models of human vision, we explore a synthesis of this approach by leveraging a structured prior over image formation: the 3D geometry of objects and how it projects to images. We combine adversarial training with a weight initialization that implicitly encodes such a prior about 3D objects via 3D reconstruction pre-training. We evaluate our approach using two different datasets and compare it to alternative pre-training protocols that do not encode a prior about 3D shape. To systematically explore the effect of 3D pre-training, we introduce a novel dataset called Geon3D, which consists of simple shapes that nevertheless capture variation in multiple distinct dimensions of geometry. We find that while 3D reconstruction pre-training does not improve robustness for the simplest dataset setting we consider (Geon3D on a clean background), it improves upon adversarial training in more realistic (Geon3D with textured background and ShapeNet) conditions. We also find that 3D pre-training coupled with adversarial training improves the robustness to spurious correlations between shape and background textures. Furthermore, we show that the benefit of using 3D-based pre-training outperforms 2D-based pre-training on ShapeNet. We hope that these results encourage further investigation of the benefits of structured, 3D-based models of vision for adversarial robustness.

Funder

Masason Foundation

Yale Faculty Fund

Publisher

MDPI AG
