尽管他们能够代表高度表现力的功能，但深度学习模型似乎找到了简单的解决方案，这些解决方案令人惊讶地概括了。光谱偏见 - 神经网络优先学习低频功能的趋势 - 是对此现象的一种可能解释，但是到目前为止，在理论模型和简化实验中，主要观察到了光谱偏差。在这项工作中，我们提出了用于测量CIFAR-10和Imagenet上现代图像分类网络中光谱偏差的方法。我们发现这些网络确实表现出光谱偏差，并且提高CIFAR-10测试准确性的干预措施往往会产生学到的功能，这些功能总体上具有较高的频率，但在每个类别的示例附近频率较低。这种趋势在培训时间，模型架构，培训示例的数量，数据增强和自我介绍的变化之间存在。我们还探索了功能频率和图像频率之间的连接，并发现光谱偏置对自然图像中普遍存在的低频敏感。在Imagenet上，我们发现学习的功能频率也随内部类别的多样性而变化，并且在更多样化的类别上具有较高的频率。我们的工作使测量并最终影响用于图像分类的神经网络的光谱行为，并且是理解为什么深层模型良好概述的一步。

提高深神经网络（DNN）对分布（OOD）数据的准确性对于在现实世界应用中接受深度学习（DL）至关重要。已经观察到，分布（ID）与OOD数据的准确性遵循线性趋势和模型表现优于该基线非常罕见（并被称为“有效鲁棒”）。最近，已经开发出一些有前途的方法来提高OOD的鲁棒性：模型修剪，数据增强和结合或零射门评估大型预审预周化模型。但是，仍然对观察有效鲁棒性所需的OOD数据和模型属性的条件尚无清晰的了解。我们通过对多种方法进行全面的经验研究来解决这个问题，这些方法已知会影响OOD鲁棒性，对CIFAR-10和Imagenet的广泛自然和合成分布转移。特别是，我们通过傅立叶镜头观察“有效的鲁棒性难题”，并询问模型和OOD数据的光谱特性如何影响相应的有效鲁棒性。我们发现这个傅立叶镜头提供了一些深入的了解，为什么某些强大的模型，尤其是夹家族的模型，可以实现稳健性。但是，我们的分析还清楚地表明，没有已知的指标始终是对OOD鲁棒性的最佳解释（甚至是强烈的解释）。因此，为了帮助未来对OOD难题的研究，我们通过引入一组预处理的模型（固定的模型），以有效的稳健性（可公开可鲁棒）解决了差距，这些模型（固有的模型）以及不同级别的OOD稳健性。

Neural networks are known to be a class of highly expressive functions able to fit even random inputoutput mappings with 100% accuracy. In this work we present properties of neural networks that complement this aspect of expressivity. By using tools from Fourier analysis, we highlight a learning bias of deep networks towards low frequency functions -i.e. functions that vary globally without local fluctuations -which manifests itself as a frequency-dependent learning speed. Intuitively, this property is in line with the observation that over-parameterized networks prioritize learning simple patterns that generalize across data samples. We also investigate the role of the shape of the data manifold by presenting empirical and theoretical evidence that, somewhat counter-intuitively, learning higher frequencies gets easier with increasing manifold complexity.

众所周知，过度参数化的深网能够完全拟合训练数据，同时显示出良好的概括性能。从线性回归上的直觉中得出的常见范式表明，大型网络甚至可以插入嘈杂的数据，而不会显着偏离地面真相信号。目前，缺少这种现象的精确表征。在这项工作中，我们介绍了深网的损失景观清晰度的实证研究，因为我们系统地控制了模型参数和训练时期的数量。我们将研究扩展到培训数据的街区以及清洁和嘈杂标记的样本。我们的发现表明，输入空间中的损失清晰度均遵循模型和时期的双重下降，在嘈杂的标签周围观察到了较差的峰值。与现有直觉相比，小型插值模型尤其适合干净和嘈杂的数据，但大型模型表达了平稳而平坦的损失景观。

深度学习的最新进展依赖于大型标签的数据集来培训大容量模型。但是，以时间和成本效益的方式收集大型数据集通常会导致标签噪声。我们提出了一种从嘈杂的标签中学习的方法，该方法利用特征空间中的训练示例之间的相似性，鼓励每个示例的预测与其最近的邻居相似。与使用多个模型或不同阶段的训练算法相比，我们的方法采用了简单，附加的正规化项的形式。它可以被解释为经典的，偏置标签传播算法的归纳版本。我们在数据集上彻底评估我们的方法评估合成（CIFAR-10，CIFAR-100）和现实（迷你网络，网络vision，Clotsing1m，Mini-Imagenet-Red）噪声，并实现竞争性或最先进的精度，在所有人之间。

We show that a variety of modern deep learning tasks exhibit a "double-descent" phenomenon where, as we increase model size, performance first gets worse and then gets better. Moreover, we show that double descent occurs not just as a function of model size, but also as a function of the number of training epochs. We unify the above phenomena by defining a new complexity measure we call the effective model complexity and conjecture a generalized double descent with respect to this measure. Furthermore, our notion of model complexity allows us to identify certain regimes where increasing (even quadrupling) the number of train samples actually hurts test performance. * Work performed in part while Preetum Nakkiran was interning at OpenAI, with Ilya Sutskever. We especially thank Mikhail Belkin and Christopher Olah for helpful discussions throughout this work.

知识蒸馏是一种培训小型学生网络的流行技术，以模仿更大的教师模型，例如网络的集合。我们表明，虽然知识蒸馏可以改善学生泛化，但它通常不得如此普遍地工作：虽然在教师和学生的预测分布之间，甚至在学生容量的情况下，通常仍然存在令人惊讶的差异完美地匹配老师。我们认为优化的困难是为什么学生无法与老师匹配的关键原因。我们还展示了用于蒸馏的数据集的细节如何在学生与老师匹配的紧密关系中发挥作用 - 以及教师矛盾的教师并不总是导致更好的学生泛化。

表征过度参数化神经网络的显着概括性能仍然是一个开放的问题。在本文中，我们促进了将重点转移到初始化而不是神经结构或（随机）梯度下降的转变，以解释这种隐式的正则化。通过傅立叶镜头，我们得出了神经网络光谱偏置的一般结果，并表明神经网络的概括与它们的初始化密切相关。此外，我们在经验上使用实用的深层网络巩固了开发的理论见解。最后，我们反对有争议的平米尼猜想，并表明傅立叶分析为理解神经网络的概括提供了更可靠的框架。

Modern deep neural networks can achieve high accuracy when the training distribution and test distribution are identically distributed, but this assumption is frequently violated in practice. When the train and test distributions are mismatched, accuracy can plummet. Currently there are few techniques that improve robustness to unforeseen data shifts encountered during deployment. In this work, we propose a technique to improve the robustness and uncertainty estimates of image classifiers. We propose AUGMIX, a data processing technique that is simple to implement, adds limited computational overhead, and helps models withstand unforeseen corruptions. AUGMIX significantly improves robustness and uncertainty measures on challenging image classification benchmarks, closing the gap between previous methods and the best possible performance in some cases by more than half.

Mixup is a popular data augmentation technique based on creating new samples by linear interpolation between two given data samples, to improve both the generalization and robustness of the trained model. Knowledge distillation (KD), on the other hand, is widely used for model compression and transfer learning, which involves using a larger network's implicit knowledge to guide the learning of a smaller network. At first glance, these two techniques seem very different, however, we found that ``smoothness" is the connecting link between the two and is also a crucial attribute in understanding KD's interplay with mixup. Although many mixup variants and distillation methods have been proposed, much remains to be understood regarding the role of a mixup in knowledge distillation. In this paper, we present a detailed empirical study on various important dimensions of compatibility between mixup and knowledge distillation. We also scrutinize the behavior of the networks trained with a mixup in the light of knowledge distillation through extensive analysis, visualizations, and comprehensive experiments on image classification. Finally, based on our findings, we suggest improved strategies to guide the student network to enhance its effectiveness. Additionally, the findings of this study provide insightful suggestions to researchers and practitioners that commonly use techniques from KD. Our code is available at https://github.com/hchoi71/MIX-KD.

CNN表现出与人类不同的许多行为，其中之一是采用高频组件的能力。本文讨论了图像分类任务中的频率偏差现象：高频组件实际上比低频和中频组件的利用要少得多。我们首先通过提出有关特征歧视和学习优先级的两个观察结果来研究频率偏差现象。此外，我们假设（i）光谱密度，（ii）类一致性直接影响频率偏差。具体而言，我们的研究验证数据集的光谱密度主要影响学习优先级，而课程一致性主要影响特征歧视。

Deep neural networks may easily memorize noisy labels present in real-world data, which degrades their ability to generalize. It is therefore important to track and evaluate the robustness of models against noisy label memorization. We propose a metric, called susceptibility, to gauge such memorization for neural networks. Susceptibility is simple and easy to compute during training. Moreover, it does not require access to ground-truth labels and it only uses unlabeled data. We empirically show the effectiveness of our metric in tracking memorization on various architectures and datasets and provide theoretical insights into the design of the susceptibility metric. Finally, we show through extensive experiments on datasets with synthetic and real-world label noise that one can utilize susceptibility and the overall training accuracy to distinguish models that maintain a low memorization on the training set and generalize well to unseen clean data.

经过认证的稳健性保证衡量模型对测试时间攻击的稳健性，并且可以评估模型对现实世界中部署的准备情况。在这项工作中，我们批判性地研究了对基于随机平滑的认证方法的对抗鲁棒性如何在遇到配送外（OOD）数据的最先进的鲁棒模型时改变。我们的分析显示了这些模型的先前未知的漏洞，以低频OOD数据，例如与天气相关的损坏，使这些模型不适合在野外部署。为了缓解这个问题，我们提出了一种新的数据增强方案，Fourimix，产生增强以改善训练数据的光谱覆盖范围。此外，我们提出了一种新规范器，鼓励增强数据的噪声扰动的一致预测，以提高平滑模型的质量。我们发现Fouriermix增强有助于消除可认真强大的模型的频谱偏差，使其能够在一系列ood基准上实现明显更好的稳健性保证。我们的评估还在突出模型的光谱偏差时揭示了当前的OOD基准。为此，我们提出了一个全面的基准套件，其中包含来自光谱域中不同区域的损坏。对拟议套件上流行的增强方法培训的模型的评估突出了它们的光谱偏差，并建立了富硫克斯训练型模型在实现整个频谱上变化下的更好认证的鲁棒性担保的优势。

It is common practice in deep learning to use overparameterized networks and train for as long as possible; there are numerous studies that show, both theoretically and empirically, that such practices surprisingly do not unduly harm the generalization performance of the classifier. In this paper, we empirically study this phenomenon in the setting of adversarially trained deep networks, which are trained to minimize the loss under worst-case adversarial perturbations. We find that overfitting to the training set does in fact harm robust performance to a very large degree in adversarially robust training across multiple datasets (SVHN, CIFAR-10, CIFAR-100, and ImageNet) and perturbation models ( ∞ and 2 ). Based upon this observed effect, we show that the performance gains of virtually all recent algorithmic improvements upon adversarial training can be matched by simply using early stopping. We also show that effects such as the double descent curve do still occur in adversarially trained models, yet fail to explain the observed overfitting. Finally, we study several classical and modern deep learning remedies for overfitting, including regularization and data augmentation, and find that no approach in isolation improves significantly upon the gains achieved by early stopping. All code for reproducing the experiments as well as pretrained model weights and training logs can be found at https://github.com/ locuslab/robust_overfitting.

Modern neural networks are over-parameterized and thus rely on strong regularization such as data augmentation and weight decay to reduce overfitting and improve generalization. The dominant form of data augmentation applies invariant transforms, where the learning target of a sample is invariant to the transform applied to that sample. We draw inspiration from human visual classification studies and propose generalizing augmentation with invariant transforms to soft augmentation where the learning target softens non-linearly as a function of the degree of the transform applied to the sample: e.g., more aggressive image crop augmentations produce less confident learning targets. We demonstrate that soft targets allow for more aggressive data augmentation, offer more robust performance boosts, work with other augmentation policies, and interestingly, produce better calibrated models (since they are trained to be less confident on aggressively cropped/occluded examples). Combined with existing aggressive augmentation strategies, soft target 1) doubles the top-1 accuracy boost across Cifar-10, Cifar-100, ImageNet-1K, and ImageNet-V2, 2) improves model occlusion performance by up to $4\times$, and 3) halves the expected calibration error (ECE). Finally, we show that soft augmentation generalizes to self-supervised classification tasks.

在最近的几项研究中已经显示了过度参数化在实现卓越概括性能方面的好处，证明了在实践中使用较大模型的趋势。然而，在强大的学习背景下，神经网络大小的影响尚未得到很好的研究。在这项工作中，我们发现，在大量错误标记的示例的存在下，将网络大小的增加超出某个点可能是有害的。特别是，当标签噪声增加时，最初是单调或“双重下降”测试损失曲线（W.R.T.网络宽度）变成U形或双U形曲线，这表明某些模型具有中等大小的模型实现了最佳的概括。我们观察到，当通过随机修剪通过密度控制网络大小时，观察到相似的测试损失行为。我们还通过偏置变化分解和理论上表征标签噪声塑造方差项的方式来仔细研究现象。即使采用最新的鲁棒方法，也可以观察到测试损失的类似行为，这表明限制网络大小可以进一步提高现有方法。最后，我们从经验上检查网络大小对学习函数平稳性的影响，并发现最初的大小和平滑度之间的负相关性是由标签噪声翻转的。

随机平滑是目前是最先进的方法，用于构建来自Neural Networks的可认真稳健的分类器，以防止$ \ ell_2 $ - vitersarial扰动。在范例下，分类器的稳健性与预测置信度对齐，即，对平滑分类器的较高的置信性意味着更好的鲁棒性。这使我们能够在校准平滑分类器的信仰方面重新思考准确性和鲁棒性之间的基本权衡。在本文中，我们提出了一种简单的训练方案，Coined Spiremix，通过自我混合来控制平滑分类器的鲁棒性：它沿着每个输入对逆势扰动方向进行样品的凸起组合。该提出的程序有效地识别过度自信，在平滑分类器的情况下，作为有限的稳健性的原因，并提供了一种直观的方法来自适应地在这些样本之间设置新的决策边界，以实现更好的鲁棒性。我们的实验结果表明，与现有的最先进的强大培训方法相比，该方法可以显着提高平滑分类器的认证$ \ ell_2 $ -toSpustness。

The recently proposed Temporal Ensembling has achieved state-of-the-art results in several semi-supervised learning benchmarks. It maintains an exponential moving average of label predictions on each training example, and penalizes predictions that are inconsistent with this target. However, because the targets change only once per epoch, Temporal Ensembling becomes unwieldy when learning large datasets. To overcome this problem, we propose Mean Teacher, a method that averages model weights instead of label predictions. As an additional benefit, Mean Teacher improves test accuracy and enables training with fewer labels than Temporal Ensembling. Without changing the network architecture, Mean Teacher achieves an error rate of 4.35% on SVHN with 250 labels, outperforming Temporal Ensembling trained with 1000 labels. We also show that a good network architecture is crucial to performance. Combining Mean Teacher and Residual Networks, we improve the state of the art on CIFAR-10 with 4000 labels from 10.55% to 6.28%, and on ImageNet 2012 with 10% of the labels from 35.24% to 9.11%.

Large deep neural networks are powerful, but exhibit undesirable behaviors such as memorization and sensitivity to adversarial examples. In this work, we propose mixup, a simple learning principle to alleviate these issues. In essence, mixup trains a neural network on convex combinations of pairs of examples and their labels. By doing so, mixup regularizes the neural network to favor simple linear behavior in-between training examples. Our experiments on the ImageNet-2012, CIFAR-10, CIFAR-100, Google commands and UCI datasets show that mixup improves the generalization of state-of-the-art neural network architectures. We also find that mixup reduces the memorization of corrupt labels, increases the robustness to adversarial examples, and stabilizes the training of generative adversarial networks.

We examine the role of memorization in deep learning, drawing connections to capacity, generalization, and adversarial robustness. While deep networks are capable of memorizing noise data, our results suggest that they tend to prioritize learning simple patterns first. In our experiments, we expose qualitative differences in gradient-based optimization of deep neural networks (DNNs) on noise vs. real data. We also demonstrate that for appropriately tuned explicit regularization (e.g., dropout) we can degrade DNN training performance on noise datasets without compromising generalization on real data. Our analysis suggests that the notions of effective capacity which are dataset independent are unlikely to explain the generalization performance of deep networks when trained with gradient based methods because training data itself plays an important role in determining the degree of memorization.