Understanding (Non-)Robust Feature Disentanglement and the Relationship Between Low- and High-Dimensional Adversarial Attacks
This paper addresses adversarial robustness of machine learning models, offering an incremental improvement that modifies the training data to harden models against attacks.
The paper tackles adversarial vulnerability in neural networks by showing that, during training, networks come to rely on non-robust features to boost natural accuracy. It proposes mixing images made of robust features into each training batch to improve robust accuracy without substantially hurting natural accuracy, and reports improvements across architectures and attacks.
Recent work has put forth the hypothesis that adversarial vulnerabilities in neural networks are due to their overuse of "non-robust features" inherent in the training data. We show empirically that for PGD attacks there is a training stage at which neural networks start relying heavily on non-robust features to boost natural accuracy. We also propose a mechanism for reducing vulnerability to PGD-style attacks that consists of mixing a certain amount of images containing mostly "robust features" into each training batch, and then show that robust accuracy is improved while natural accuracy is not substantially hurt. We show that training on "robust features" provides boosts in robust accuracy across various architectures and for different attacks. Finally, we demonstrate empirically that these "robust features" do not induce spatial invariance.
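The batch-mixing mechanism described in the abstract, and the robust-versus-natural accuracy trade-off it is meant to shift, can be reproduced on a toy problem in a few dozen lines. The following is an added example in NumPy, not code from the paper. Everything in it is constructed: the "images" are feature vectors with one noisy but large-scale robust coordinate and twenty tiny but almost perfectly predictive non-robust coordinates; the "robust-feature images" are the same vectors with the non-robust coordinates replaced by label-free noise; the classifier is logistic regression trained by mini-batch SGD, and `frac` is the share of each batch replaced by robust-only samples. Because the model is linear, robust accuracy under an L-infinity budget `eps` is computed exactly (the worst-case margin loss is `eps * ||w||_1`) rather than estimated with a PGD loop.

```python
"""Toy reproduction of the batch-mixing idea from the abstract (NumPy only).

Added example, not the paper's code. All data and scales below are constructed.
"""
import numpy as np

N_NONROBUST = 20
ROBUST_SCALE = 1.0      # label signal in the robust coordinate (noise sd 1.0)
NONROBUST_SCALE = 0.2   # label signal in each non-robust coordinate (noise sd 0.02)


def make_natural(n, rng):
    """Constructed natural data: the robust coordinate is noisy, the non-robust
    coordinates are small in magnitude but almost perfectly predictive."""
    y = rng.choice([-1.0, 1.0], size=n)
    robust = ROBUST_SCALE * y + rng.normal(0.0, 1.0, n)
    nonrobust = NONROBUST_SCALE * y[:, None] + rng.normal(0.0, 0.02, (n, N_NONROBUST))
    return np.column_stack([robust, nonrobust]), y


def make_robust_only(n, rng):
    """Constructed 'robust-feature images': non-robust coordinates carry no label."""
    X, y = make_natural(n, rng)
    X[:, 1:] = rng.normal(0.0, 0.02, (n, N_NONROBUST))
    return X, y


def mix_batch(Xn, yn, Xr, yr, frac, rng):
    """Replace a `frac` share of a natural batch with robust-only samples."""
    b = len(yn)
    k = int(round(frac * b))
    keep = rng.permutation(b)[: b - k]          # natural samples that stay
    take = rng.integers(0, len(yr), size=k)     # robust-only samples mixed in
    X = np.vstack([Xn[keep], Xr[take]])
    y = np.concatenate([yn[keep], yr[take]])
    perm = rng.permutation(b)
    return X[perm], y[perm]


def natural_accuracy(w, b, X, y):
    return float(np.mean(y * (X @ w + b) > 0))


def robust_accuracy(w, b, X, y, eps):
    """Exact accuracy under the worst L-inf perturbation of size eps.
    For a linear model every margin can be lowered by at most eps * ||w||_1,
    and that bound is attainable, so this equals the PGD result at convergence."""
    margin = y * (X @ w + b) - eps * np.abs(w).sum()
    return float(np.mean(margin > 0))


def train(X_nat, y_nat, X_rob, y_rob, frac, rng, X_test, y_test, eps,
          epochs=30, batch=64, lr=0.1):
    """Logistic regression by SGD; each batch gets a `frac` share of robust-only
    samples. Returns (w, b, history) with per-epoch (natural, robust) accuracy."""
    w = np.zeros(X_nat.shape[1])
    b = 0.0
    n = len(y_nat)
    history = []
    for _ in range(epochs):
        order = rng.permutation(n)
        for i in range(0, n, batch):
            idx = order[i:i + batch]
            Xb, yb = mix_batch(X_nat[idx], y_nat[idx], X_rob, y_rob, frac, rng)
            g = -yb / (1.0 + np.exp(yb * (Xb @ w + b)))  # d(logistic loss)/d(logit)
            w -= lr * (Xb.T @ g) / len(yb)
            b -= lr * g.mean()
        history.append((natural_accuracy(w, b, X_test, y_test),
                        robust_accuracy(w, b, X_test, y_test, eps)))
    return w, b, history


def run_experiment(fracs=(0.0, 0.5, 1.0), eps=0.3, seed=0):
    """Train one model per mixing fraction; return {frac: (natural_acc, robust_acc)}
    measured on held-out natural data after the last epoch."""
    rng = np.random.default_rng(seed)
    X_nat, y_nat = make_natural(2000, rng)
    X_rob, y_rob = make_robust_only(2000, rng)
    X_test, y_test = make_natural(4000, rng)
    results = {}
    for frac in fracs:
        _, _, hist = train(X_nat, y_nat, X_rob, y_rob, frac, rng, X_test, y_test, eps)
        results[frac] = hist[-1]
    return results


if __name__ == "__main__":
    for frac, (nat, rob) in run_experiment().items():
        print(f"robust share per batch {frac:.1f}: natural acc {nat:.3f}, robust acc {rob:.3f}")
```

On this toy data the model trained with no mixing (`frac=0.0`) reaches near-perfect natural accuracy by leaning on the non-robust coordinates, all of which an `eps=0.3` adversary can flip, so its robust accuracy falls well below that of the model trained only on robust-feature samples (`frac=1.0`), whose natural accuracy is bounded by the noise in the single robust coordinate. The per-epoch `history` returned by `train` is the place to look for the training stage the abstract describes, where natural accuracy keeps rising while robust accuracy starts to drop.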