现有的一些作品分别研究深神经网络的对抗或自然分布鲁棒性。但是，实际上，模型需要享受两种类型的鲁棒性，以确保可靠性。在这项工作中，我们弥合了这一差距，并表明实际上，对抗性和自然分配鲁棒性之间存在明确的权衡。我们首先考虑具有与核心和虚假功能不相交的高斯数据上的简单线性回归设置。在这种情况下，通过理论和经验分析，我们表明（i）使用$ \ ell_1 $和$ \ ell_2 $规范的对抗性培训增加了对虚假功能的模型依赖； （ii）对于$ \ ell_ \ infty $ versarial训练，仅在伪造功能的比例大于核心功能的范围时才会出现伪造的依赖； （iii）对抗训练可能会在降低分布鲁棒性方面具有意外的后果，特别是当新的测试域中更改虚假相关性时。接下来，我们使用二十个经过对抗训练的模型的测试套件提出了广泛的经验证据受过训练的对应物，验证了我们的理论结果。我们还表明，训练数据中的虚假相关性（保留在测试域中）可以改善对抗性的鲁棒性，表明先前的主张表明对抗性脆弱性植根于虚假相关性是不完整的。

We present a framework for ranking images within their class based on the strength of spurious cues present. By measuring the gap in accuracy on the highest and lowest ranked images (we call this spurious gap), we assess spurious feature reliance for $89$ diverse ImageNet models, finding that even the best models underperform in images with weak spurious presence. However, the effect of spurious cues varies far more dramatically across classes, emphasizing the crucial, often overlooked, class-dependence of the spurious correlation problem. While most spurious features we observe are clarifying (i.e. improving test-time accuracy when present, as is typically expected), we surprisingly find many cases of confusing spurious features, where models perform better when they are absent. We then close the spurious gap by training new classification heads on lowly ranked (i.e. without common spurious cues) images, resulting in improved effective robustness to distribution shifts (ObjectNet, ImageNet-R, ImageNet-Sketch). We also propose a second metric to assess feature reliability, finding that spurious features are generally less reliable than non-spurious (core) ones, though again, spurious features can be more reliable for certain classes. To enable our analysis, we annotated $5,000$ feature-class dependencies over {\it all} of ImageNet as core or spurious using minimal human supervision. Finally, we show the feature discovery and spuriosity ranking framework can be extended to other datasets like CelebA and WaterBirds in a lightweight fashion with only linear layer training, leading to discovering a previously unknown racial bias in the Celeb-A hair classification.

Adversarial examples have attracted significant attention in machine learning, but the reasons for their existence and pervasiveness remain unclear. We demonstrate that adversarial examples can be directly attributed to the presence of non-robust features: features (derived from patterns in the data distribution) that are highly predictive, yet brittle and (thus) incomprehensible to humans. After capturing these features within a theoretical framework, we establish their widespread existence in standard datasets. Finally, we present a simple setting where we can rigorously tie the phenomena we observe in practice to a misalignment between the (human-specified) notion of robustness and the inherent geometry of the data.

We show that there may exist an inherent tension between the goal of adversarial robustness and that of standard generalization. Specifically, training robust models may not only be more resource-consuming, but also lead to a reduction of standard accuracy. We demonstrate that this trade-off between the standard accuracy of a model and its robustness to adversarial perturbations provably exists in a fairly simple and natural setting. These findings also corroborate a similar phenomenon observed empirically in more complex settings. Further, we argue that this phenomenon is a consequence of robust classifiers learning fundamentally different feature representations than standard classifiers. These differences, in particular, seem to result in unexpected benefits: the representations learned by robust models tend to align better with salient data characteristics and human perception.

We study how robust current ImageNet models are to distribution shifts arising from natural variations in datasets. Most research on robustness focuses on synthetic image perturbations (noise, simulated weather artifacts, adversarial examples, etc.), which leaves open how robustness on synthetic distribution shift relates to distribution shift arising in real data. Informed by an evaluation of 204 ImageNet models in 213 different test conditions, we find that there is often little to no transfer of robustness from current synthetic to natural distribution shift. Moreover, most current techniques provide no robustness to the natural distribution shifts in our testbed. The main exception is training on larger and more diverse datasets, which in multiple cases increases robustness, but is still far from closing the performance gaps. Our results indicate that distribution shifts arising in real data are currently an open research problem. We provide our testbed and data as a resource for future work at https://modestyachts.github.io/imagenet-testbed/.

我们表明，将人类的先验知识与端到端学习相结合可以通过引入基于零件的对象分类模型来改善深神经网络的鲁棒性。我们认为，更丰富的注释形式有助于指导神经网络学习更多可靠的功能，而无需更多的样本或更大的模型。我们的模型将零件分割模型与一个微小的分类器结合在一起，并经过训练的端到端，以同时将对象分割为各个部分，然后对分段对象进行分类。从经验上讲，与所有三个数据集的Resnet-50基线相比，我们的基于部分的模型既具有更高的精度和更高的对抗性鲁棒性。例如，鉴于相同的鲁棒性，我们部分模型的清洁准确性高达15个百分点。我们的实验表明，这些模型还减少了纹理偏见，并对共同的腐败和虚假相关性产生更好的鲁棒性。该代码可在https://github.com/chawins/adv-part-model上公开获得。

删除攻击旨在通过略微扰动正确标记的训练示例的特征来大幅恶化学习模型的测试准确性。通过将这种恶意攻击正式地找到特定$ \ infty $ -wassersein球中的最坏情况培训数据，我们表明最小化扰动数据的对抗性风险相当于优化原始数据上的自然风险的上限。这意味着对抗性培训可以作为防止妄想攻击的原则防御。因此，通过普遍训练可以很大程度地回收测试精度。为了进一步了解国防的内部机制，我们披露了对抗性培训可以通过防止学习者过于依赖于自然环境中的非鲁棒特征来抵制妄想扰动。最后，我们将我们的理论调查结果与一系列关于流行的基准数据集进行了补充，这表明防御能够承受六种不同的实际攻击。在面对令人难以闻名的对手时，理论和经验结果投票给逆势训练。

While it has long been empirically observed that adversarial robustness may be at odds with standard accuracy and may have further disparate impacts on different classes, it remains an open question to what extent such observations hold and how the class imbalance plays a role within. In this paper, we attempt to understand this question of accuracy disparity by taking a closer look at linear classifiers under a Gaussian mixture model. We decompose the impact of adversarial robustness into two parts: an inherent effect that will degrade the standard accuracy on all classes, and the other caused by the class imbalance ratio, which will increase the accuracy disparity compared to standard training. Furthermore, we also extend our model to the general family of stable distributions. We demonstrate that while the constraint of adversarial robustness consistently degrades the standard accuracy in the balanced class setting, the class imbalance ratio plays a fundamentally different role in accuracy disparity compared to the Gaussian case, due to the heavy tail of the stable distribution. We additionally perform experiments on both synthetic and real-world datasets. The empirical results not only corroborate our theoretical findings, but also suggest that the implications may extend to nonlinear models over real-world datasets.

我们识别普遍对抗扰动（UAP）的性质，将它们与标准的对抗性扰动区分开来。具体而言，我们表明，由投影梯度下降产生的靶向UAPS表现出两种人对齐的特性：语义局部性和空间不变性，标准的靶向对抗扰动缺乏。我们还证明，除标准对抗扰动之外，UAPS含有明显较低的泛化信号 - 即，UAPS在比标准的对抗的扰动的较小程度上利用非鲁棒特征。

现代神经网络Excel在图像分类中，但它们仍然容易受到常见图像损坏，如模糊，斑点噪音或雾。最近的方法关注这个问题，例如Augmix和Deepaulment，引入了在预期运行的防御，以期望图像损坏分布。相比之下，$ \ ell_p $ -norm界限扰动的文献侧重于针对最坏情况损坏的防御。在这项工作中，我们通过提出防范内人来调和两种方法，这是一种优化图像到图像模型的参数来产生对外损坏的增强图像的技术。我们理论上激发了我们的方法，并为其理想化版本的一致性以及大纲领提供了足够的条件。我们的分类机器在预期对CiFar-10-C进行的常见图像腐败基准上提高了最先进的，并改善了CIFAR-10和ImageNet上的$ \ ell_p $ -norm有界扰动的最坏情况性能。

Recent work has demonstrated that deep neural networks are vulnerable to adversarial examples-inputs that are almost indistinguishable from natural data and yet classified incorrectly by the network. In fact, some of the latest findings suggest that the existence of adversarial attacks may be an inherent weakness of deep learning models. To address this problem, we study the adversarial robustness of neural networks through the lens of robust optimization. This approach provides us with a broad and unifying view on much of the prior work on this topic. Its principled nature also enables us to identify methods for both training and attacking neural networks that are reliable and, in a certain sense, universal. In particular, they specify a concrete security guarantee that would protect against any adversary. These methods let us train networks with significantly improved resistance to a wide range of adversarial attacks. They also suggest the notion of security against a first-order adversary as a natural and broad security guarantee. We believe that robustness against such well-defined classes of adversaries is an important stepping stone towards fully resistant deep learning models. 1

深度卷积神经网络（CNN）很容易被输入图像的细微，不可察觉的变化所欺骗。为了解决此漏洞，对抗训练会创建扰动模式，并将其包括在培训设置中以鲁棒性化模型。与仅使用阶级有限信息的现有对抗训练方法（例如，使用交叉渗透损失）相反，我们建议利用功能空间中的其他信息来促进更强的对手，这些信息又用于学习强大的模型。具体来说，我们将使用另一类的目标样本的样式和内容信息以及其班级边界信息来创建对抗性扰动。我们以深入监督的方式应用了我们提出的多任务目标，从而提取了多尺度特征知识，以创建最大程度地分开对手。随后，我们提出了一种最大边缘对抗训练方法，该方法可最大程度地减少源图像与其对手之间的距离，并最大程度地提高对手和目标图像之间的距离。与最先进的防御能力相比，我们的对抗训练方法表明了强大的鲁棒性，可以很好地推广到自然发生的损坏和数据分配变化，并保留了清洁示例的模型准确性。

积极的数据增强是视觉变压器（VIT）的强大泛化能力的关键组成部分。一种这样的数据增强技术是对抗性培训;然而，许多先前的作品表明，这通常会导致清洁的准确性差。在这项工作中，我们展示了金字塔对抗训练，这是一种简单有效的技术来提高韦维尔的整体性能。我们将其与“匹配”辍学和随机深度正则化配对，这采用了干净和对抗样品的相同辍学和随机深度配置。类似于Advprop的CNNS的改进（不直接适用于VIT），我们的金字塔对抗性训练会破坏分销准确性和vit和相关架构的分配鲁棒性之间的权衡。当Imagenet-1K数据训练时，它导致ImageNet清洁准确性的182美元的vit-B模型的精确度，同时由7美元的稳健性指标同时提高性能，从$ 1.76 \％$至11.45 \％$。我们为Imagenet-C（41.4 MCE），Imagenet-R（$ 53.92 \％$），以及Imagenet-Sketch（41.04美元\％$）的新的最先进，只使用vit-b / 16骨干和我们的金字塔对抗训练。我们的代码将在接受时公开提供。

几项研究在经验上比较了各种模型的分布（ID）和分布（OOD）性能。他们报告了计算机视觉和NLP中基准的频繁正相关。令人惊讶的是，他们从未观察到反相关性表明必要的权衡。这重要的是确定ID性能是否可以作为OOD概括的代理。这篇简短的论文表明，ID和OOD性能之间的逆相关性确实在现实基准中发生。由于模型的选择有偏见，因此在过去的研究中可能被错过。我们使用来自多个训练时期和随机种子的模型展示了Wilds-Amelyon17数据集上模式的示例。我们的观察结果尤其引人注目，对经过正规化器训练的模型，将解决方案多样化为ERM目标。我们在过去的研究中得出了细微的建议和结论。 （1）高OOD性能有时确实需要交易ID性能。 （2）仅专注于ID性能可能不会导致最佳OOD性能：它可能导致OOD性能的减少并最终带来负面回报。 （3）我们的示例提醒人们，实证研究仅按照现有方法来制定制度：在提出规定的建议时有必要进行护理。

我们理论上和经验地证明，对抗性鲁棒性可以显着受益于半体验学习。从理论上讲，我们重新审视了Schmidt等人的简单高斯模型。这显示了标准和稳健分类之间的示例复杂性差距。我们证明了未标记的数据桥接这种差距：简单的半体验学习程序（自我训练）使用相同数量的达到高标准精度所需的标签实现高的强大精度。经验上，我们增强了CiFar-10，使用50万微小的图像，使用了8000万微小的图像，并使用强大的自我训练来优于最先进的鲁棒精度（i）$ \ ell_ infty $鲁棒性通过对抗培训和（ii）认证$ \ ell_2 $和$ \ ell_ \ infty $鲁棒性通过随机平滑的几个强大的攻击。在SVHN上，添加DataSet自己的额外训练集，删除的标签提供了4到10个点的增益，在使用额外标签的1点之内。

A distribution inference attack aims to infer statistical properties of data used to train machine learning models. These attacks are sometimes surprisingly potent, but the factors that impact distribution inference risk are not well understood and demonstrated attacks often rely on strong and unrealistic assumptions such as full knowledge of training environments even in supposedly black-box threat scenarios. To improve understanding of distribution inference risks, we develop a new black-box attack that even outperforms the best known white-box attack in most settings. Using this new attack, we evaluate distribution inference risk while relaxing a variety of assumptions about the adversary's knowledge under black-box access, like known model architectures and label-only access. Finally, we evaluate the effectiveness of previously proposed defenses and introduce new defenses. We find that although noise-based defenses appear to be ineffective, a simple re-sampling defense can be highly effective. Code is available at https://github.com/iamgroot42/dissecting_distribution_inference

Machine learning models are often susceptible to adversarial perturbations of their inputs. Even small perturbations can cause state-of-the-art classifiers with high "standard" accuracy to produce an incorrect prediction with high confidence. To better understand this phenomenon, we study adversarially robust learning from the viewpoint of generalization. We show that already in a simple natural data model, the sample complexity of robust learning can be significantly larger than that of "standard" learning. This gap is information theoretic and holds irrespective of the training algorithm or the model family. We complement our theoretical results with experiments on popular image classification datasets and show that a similar gap exists here as well. We postulate that the difficulty of training robust classifiers stems, at least partially, from this inherently larger sample complexity.

用于计算机视觉任务的深度神经网络在越来越安全 - 严重和社会影响的应用中部署，激励需要在各种，天然存在的成像条件下关闭模型性能的差距。在包括对抗机器学习的多种上下文中尤为色难地使用的鲁棒性，然后指在自然诱导的图像损坏或改变下保持模型性能。我们进行系统审查，以识别，分析和总结当前定义以及对计算机愿景深度学习中的非对抗鲁棒性的进展。我们发现，该研究领域已经收到了相对于对抗机器学习的不成比例地注意力，但存在显着的稳健性差距，这些差距通常表现在性能下降中与对抗条件相似。为了在上下文中提供更透明的稳健性定义，我们引入了数据生成过程的结构因果模型，并将非对抗性鲁棒性解释为模型在损坏的图像上的行为，其对应于来自未纳入数据分布的低概率样本。然后，我们确定提高神经网络鲁棒性的关键架构，数据增强和优化策略。这种稳健性的这种因果观察表明，目前文献中的常见做法，关于鲁棒性策略和评估，对应于因果概念，例如软干预导致成像条件的决定性分布。通过我们的调查结果和分析，我们提供了对未来研究如何可能介意这种明显和显着的非对抗的鲁棒性差距的观点。

分发班次的稳健性对于部署现实世界中的机器学习模型至关重要。尽管如此必要的，但在定义导致这些变化的潜在机制以及评估跨多个不同的分发班次的稳健性的潜在机制很少。为此，我们介绍了一种框架，可实现各种分布换档的细粒度分析。我们通过评估在合成和现实世界数据集中分为五个类别的19个不同的方法来提供对当前最先进的方法的整体分析。总的来说，我们训练超过85架模型。我们的实验框架可以很容易地扩展到包括新方法，班次和数据集。我们发现，与以前的工作〜\ citep {gulrajani20}不同，该进度已经通过标准的ERM基线进行;特别是，在许多情况下，预先训练和增强（学习或启发式）提供了大的收益。但是，最好的方法在不同的数据集和班次上不一致。

Despite impressive success in many tasks, deep learning models are shown to rely on spurious features, which will catastrophically fail when generalized to out-of-distribution (OOD) data. Invariant Risk Minimization (IRM) is proposed to alleviate this issue by extracting domain-invariant features for OOD generalization. Nevertheless, recent work shows that IRM is only effective for a certain type of distribution shift (e.g., correlation shift) while it fails for other cases (e.g., diversity shift). Meanwhile, another thread of method, Adversarial Training (AT), has shown better domain transfer performance, suggesting that it has the potential to be an effective candidate for extracting domain-invariant features. This paper investigates this possibility by exploring the similarity between the IRM and AT objectives. Inspired by this connection, we propose Domainwise Adversarial Training (DAT), an AT-inspired method for alleviating distribution shift by domain-specific perturbations. Extensive experiments show that our proposed DAT can effectively remove domain-varying features and improve OOD generalization under both correlation shift and diversity shift.