Robustness May Be at Odds with Accuracy
This work highlights a fundamental tension in machine learning that affects model design and evaluation, with implications for security and generalization in AI systems.
The paper demonstrates a provable trade-off between adversarial robustness and standard accuracy in a simple setting, showing that robust models may reduce standard accuracy and learn different feature representations that align better with human perception.
We show that there may exist an inherent tension between the goal of adversarial robustness and that of standard generalization. Specifically, training robust models may not only be more resource-consuming, but also lead to a reduction of standard accuracy. We demonstrate that this trade-off between the standard accuracy of a model and its robustness to adversarial perturbations provably exists in a fairly simple and natural setting. These findings also corroborate a similar phenomenon observed empirically in more complex settings. Further, we argue that this phenomenon is a consequence of robust classifiers learning fundamentally different feature representations than standard classifiers. These differences, in particular, seem to result in unexpected benefits: the representations learned by robust models tend to align better with salient data characteristics and human perception.