Adversarial Robustness in Data Augmentation

Description

Data augmentation has become a standard technique in deep learning, as it has been shown to greatly improve the generalisation abilities of models. In addition to human-designed augmentation operations such as geometric transformations (e.g., on images), recently some methods were proposed that generate new samples from the training data (e.g. using Mixup or GANs). In this paper, we empirically assess the effect of these kinds of data augmentation, regarding both classification accuracy and adversarial vulnerability. We find that ‘classical’ augmentation improves performance and robustness the most. However, we also find that while GAN-based augmentation and Mixup can improve prediction, they cause significant adversarial vulnerabilities when applied alone. Analyzing the smoothness of the models’ decision boundaries, we can relate smoothness to robustness, and find that classical augmentation results in smoother boundaries than Mixup and GAN augmentation. Finally, using influence functions we show that, when asked to predict on adversarial test examples, vulnerable models rely more on augmented samples than on real ones. Taken together, our results suggest that general-purpose data augmentations that do not take into the account the characteristics of the data and the task, must be applied with care.

Period	26 Apr 2020
Event title	Proceedings of The International Conference on Learning Representations (ICLR), Towards Trustworthy ML: Rethinking Security and Privacy for ML Workshop, 2020
Event type	Other
Location	AustriaShow on map