Can we have it all? On the Trade-off between Spatial and Adversarial Robustness of Neural Networks
This addresses a fundamental problem for machine learning practitioners and researchers in balancing robustness types, but it is incremental as it builds on existing methods like equivariant models and adversarial training.
The paper tackles the trade-off between spatial robustness (to transformations like translations and rotations) and adversarial robustness (to pixel-wise perturbations) in neural networks, proving a quantitative trade-off theoretically and empirically showing that improving one worsens the other, and proposes a curriculum learning method to achieve pareto-optimality.
(Non-)robustness of neural networks to small, adversarial pixel-wise perturbations, and as more recently shown, to even random spatial transformations (e.g., translations, rotations) entreats both theoretical and empirical understanding. Spatial robustness to random translations and rotations is commonly attained via equivariant models (e.g., StdCNNs, GCNNs) and training augmentation, whereas adversarial robustness is typically achieved by adversarial training. In this paper, we prove a quantitative trade-off between spatial and adversarial robustness in a simple statistical setting. We complement this empirically by showing that: (a) as the spatial robustness of equivariant models improves by training augmentation with progressively larger transformations, their adversarial robustness worsens progressively, and (b) as the state-of-the-art robust models are adversarially trained with progressively larger pixel-wise perturbations, their spatial robustness drops progressively. Towards achieving pareto-optimality in this trade-off, we propose a method based on curriculum learning that trains gradually on more difficult perturbations (both spatial and adversarial) to improve spatial and adversarial robustness simultaneously.