Andrew Ilyas
Speaker
Podcast Appearances
generalized out of domain and things like that.
And I'm sure there are other notions of robustness as well.
And the interesting thing is each of these robustness problems is on its own like a huge challenge.
And what we actually want is like the union of all of these different notions of robustness.
So I think we're a bit away from that, but a really interesting problem.
Yeah, so in the paper, we studied a very common algorithm for trying to deal with adversarial examples, which is this adversarial training or robust optimization algorithm.
And the idea behind that algorithm is that as you're training your model at each stage, rather than training on clean inputs, you train on adversarial examples for the given model.
And so what that does is basically turn your original sort of like loss minimization problem that you're solving when you train a neural network, you turn it into this sort of robust optimization min-max style problem where you're now finding parameters that minimize the worst case, the loss on the worst case image rather than the loss on the average image.
And under this sort of robust, non-robust features view, I think you can sort of view this robust optimization or adversarial training algorithm as basically beating the non-robust features out of the neural network.
Because if at any point the neural network relies on a non-robust feature, that non-robust feature can be exploited by the adversary and, you know, forced to point the other way.
And the network will sort of learn, OK, I can't rely on that feature.
I can't rely on this feature.
I have to rely on these more robust features.
Absolutely.
I think the other two options are really interesting.
I would say that there's been significantly less progress along those other two options.
The first option I think is really compelling.
And we actually showed that it is, we showed in this sort of "adversarial examples are not bugs, they're features" paper.
We showed a way of pre-processing data to get you a very small amount of robustness using an existing robust network.