Understanding and Mitigating the Tradeoff Between Robustness and Accuracy

Aditi Raghunathan, Sang Michael Xie, Fanny Yang, John Duchi, Percy Liang

Introduction

Adversarial training methods (Goodfellow et al., 2015; Madry et al., 2017) attempt to improve the robustness of neural networks against adversarial examples (Szegedy et al., 2014) by augmenting the training set (on-the-fly) with perturbed examples that preserve the label but that fool the current model. While such methods decrease the robust error, the error on worst-case perturbed inputs, they have been observed to cause an undesirable increase in the standard error, the error on unperturbed inputs (Madry et al., 2018; Zhang et al., 2019; Tsipras et al., 2019).

In this work, we provide a different explanation for the tradeoff between standard and robust error that takes generalization from finite data into account. We first consider a linear model where the true linear function has zero standard and robust error. Adversarial training augments the original training set with extra data, consisting of samples (xext,y)(x_{\text{ext}},y) where the perturbations xextx_{\text{ext}} are consistent, meaning that the conditional distribution stays constant Py(xext)=Py(x)P_{\mathsf{y}}(\cdot\mid x_{\text{ext}})=P_{\mathsf{y}}(\cdot\mid x). We show that even in this simple setting, the augmented estimator, i.e. the minimum norm interpolant of the augmented data (standard + extra data), could have a larger standard error than that of the standard estimator, which is the minimum norm interpolant of the standard data alone. We found this surprising given that adding consistent perturbations enforces the predictor to satisfy invariances that the true model exhibits. One might think adding this information would only restrict the hypothesis class and thus enable better generalization, not worse.

We show that this tradeoff stems from overparameterization. If the restricted hypothesis class (by enforcing invariances) is still overparameterized, the inductive bias of the estimation procedure (e.g., the norm being minimized) plays a key role in determining the generalization of a model.

Figure 2 shows an illustrative example of this phenomenon with cubic smoothing splines. The predictor obtained via standard training (dashed blue) is a line that captures the global structure and obtains low error. Training on augmented data with locally consistent perturbations of the training data (crosses) restricts the hypothesis class by encouraging the predictor to fit the local structure of the high density points. Within this set, the cubic splines predictor (solid orange) minimizes the second derivative on the augmented data, compromising the global structure and performing badly on the tails (Figure 2(b)). More generally, as we characterize in Section 3, the tradeoff stems from the inductive bias of the minimum norm interpolant, which minimizes a fixed norm independent of the data, while the standard error depends on the geometry of the covariates.

Recent works (Carmon et al., 2019; Najafi et al., 2019; Uesato et al., 2019) introduced robust self-training (RST), a robust variant of self-training that overcomes the sample complexity barrier of learning a model with low robust error by leveraging extra unlabeled data. In this paper, our theoretical understanding of the tradeoff between standard and robust error in linear regression motivates RST as a method to improve robust error without sacrificing standard error. In Section 4.2, we prove that RST eliminates the tradeoff for linear regression—RST does not increase standard error compared to the standard estimator while simultaneously achieving the best possible robust error, matching the standard error (see Figure 2(c) for the effect of RST on the spline problem). Intuitively, RST regularizes the predictions of the robust estimator towards that of the standard estimator on the unlabeled data thereby eliminating the tradeoff.

As previous works only focus on the empirical evaluation of the gains in robustness via RST, we systematically evaluate the effect of RST on both the standard and robust error on Cifar-10 when using unlabeled data from Tiny Images as sourced in Carmon et al. (2019). We expand upon empirical results in two ways. First, we study the effect of the labeled training set sizes and and find that the RST improves both robust and standard error over vanilla adversarial training across all sample sizes. RST offers maximum gains at smaller sample sizes where vanilla adversarial training increases the standard error the most. Second, we consider an additional family of perturbations over random and adversarial rotation/translations and find that RST offers gains in both robust and standard error.

Setup

for consistent perturbations T(x)T(x) that satisfy

In this work, we focus on interpolating estimators in highly overparameterized models, motivated by modern machine learning models that achieve near zero training loss (on both standard and extra data). Interpolating estimators for linear regression have been studied in many recent works such as (Ma et al., 2018; Belkin et al., 2018; Hastie et al., 2019; Liang & Rakhlin, 2018; Bartlett et al., 2019). We present our results for interpolating estimators with minimum Euclidean norm, but our analysis directly applies to more general Mahalanobis norms via suitable reparameterization (see Appendix A).

Analysis in the linear regression setting

In this section, we compare the standard errors of the standard estimator and the augmented estimator in noiseless linear regression. We begin with a simple toy example that describes the intuition behind our results (Section 3.1) and provide a more complete characterization in Section 3.2. This section focuses only on the standard error of both estimators; we revisit the robust error together with the standard error in Section 4.

Suppose we augment with an extra data point Xext==e1+e2X_{\text{ext}}==e_{1}+e_{2} which lies in Null(Xstd)\text{Null}(X_{\text{std}}) (black dashed line in Figure 3). The augmented estimator θ^aug\hat{\theta}_{\text{aug}} still fits the standard data XstdX_{\text{std}} and thus (θ^aug)3=θ3=(θ^std)3(\hat{\theta}_{\text{aug}})_{3}=\theta^{\star}_{3}=(\hat{\theta}_{\text{std}})_{3}. Due to fitting the extra data XextX_{\text{ext}}, θ^aug\hat{\theta}_{\text{aug}} (orange vector in Figure 3) must also satisfy an additional constraint Xextθ^aug=XextθX_{\text{ext}}\hat{\theta}_{\text{aug}}=X_{\text{ext}}\theta^{\star}. The crucial observation is that additional constraints along one direction (e1+e2e_{1}+e_{2} in this case) could actually increase parameter error along other directions. For example, let’s consider the direction e2e_{2} in Figure 3. Note that fitting XextX_{\text{ext}} makes θ^aug\hat{\theta}_{\text{aug}} have a large component along e2e_{2}. Now if θ2\theta^{\star}_{2} is small (precisely, θ2<θ1/3\theta^{\star}_{2}<\theta^{\star}_{1}/3), θ^aug\hat{\theta}_{\text{aug}} has a larger parameter error along e2e_{2} than θ^std\hat{\theta}_{\text{std}}, which was simply zero (Figure 3 (a)). Conversely, if the true component θ2\theta^{\star}_{2} is large enough (precisely, θ2>θ1/3\theta^{\star}_{2}>\theta^{\star}_{1}/3), the parameter error of θ^aug\hat{\theta}_{\text{aug}} along e2e_{2} is smaller than that of θ^std\hat{\theta}_{\text{std}}.

The contribution of different components of the parameter error to the standard error is scaled by the population covariance Σ\Sigma (see Equation 4). For simplicity, let Σ=diag([λ1,λ2,λ3])\Sigma=\operatorname*{diag}([\lambda_{1},\lambda_{2},\lambda_{3}]). In our example, the parameter error along e3e_{3} is zero since both estimators interpolate the standard training point Xstd=e1=3X_{\text{std}}=e_{1}=3. Then, the ratio between λ1\lambda_{1} and λ2\lambda_{2} determines which component of the parameter error contributes more to the standard error.

Putting the two effects together, we see that when θ2\theta^{\star}_{2} is small as in Fig 3(a), θ^aug\hat{\theta}_{\text{aug}} has larger parameter error than θ^std\hat{\theta}_{\text{std}} in the direction e2e_{2}. If λ2λ1\lambda_{2}\gg\lambda_{1}, error in e2e_{2} is weighted much more heavily in the standard error and consequently θ^aug\hat{\theta}_{\text{aug}} would have a larger standard error. Precisely, we have

We present a formal characterization of this tradeoff in general in the next section.

2 General characterizations

In this section, we precisely characterize when the augmented estimator θ^aug\hat{\theta}_{\text{aug}} that fits extra training data points XextX_{\text{ext}} in addition to the standard points XstdX_{\text{std}} has higher standard error than the standard estimator θ^std\hat{\theta}_{\text{std}} that only fits XstdX_{\text{std}}. In particular, this enables us to understand when there is a “tradeoff” where the augmented estimator θ^aug\hat{\theta}_{\text{aug}} has lower robust error than θ^std\hat{\theta}_{\text{std}} by virtue of fitting perturbations, but has higher standard error. In Section 3.1, we illustrated how the parameter error of θ^aug\hat{\theta}_{\text{aug}} could be larger than θ^std\hat{\theta}_{\text{std}} in some directions, and if these directions are weighted heavily in the population covariance Σ\Sigma, the standard error of θ^aug\hat{\theta}_{\text{aug}} would be larger.

Formally, let us define the parameter errors Δstd=defθ^stdθ\Delta_{\text{std}}\stackrel{{\scriptstyle\rm def}}{{=}}\hat{\theta}_{\text{std}}-\theta^{\star} and Δaug=defθ^augθ\Delta_{\text{aug}}\stackrel{{\scriptstyle\rm def}}{{=}}\hat{\theta}_{\text{aug}}-\theta^{\star}. Recall that the standard errors are

where Σ\Sigma is the population covariance of the underlying inputs drawn from PxP_{\mathsf{x}}.

To characterize the effect of the inductive bias of minimum norm interpolation on the standard errors, we define the following projection operators: Πstd\Pi_{\text{std}}^{\perp}, the projection matrix onto Null(Xstd)\text{Null}(X_{\text{std}}) and Πaug\Pi_{\text{aug}}^{\perp}, the projection matrix onto Null([Xext;Xstd])\text{Null}([X_{\text{ext}};X_{\text{std}}]) (see formal definition in Appendix B). Since θ^aug\hat{\theta}_{\text{aug}} and θ^std\hat{\theta}_{\text{std}} are minimum norm interpolants, Πstdθ^std=0\Pi_{\text{std}}^{\perp}\hat{\theta}_{\text{std}}=0 and Πaugθ^aug=0\Pi_{\text{aug}}^{\perp}\hat{\theta}_{\text{aug}}=0. Further, in noiseless linear regression, θ^std\hat{\theta}_{\text{std}} and θ^aug\hat{\theta}_{\text{aug}} have no error in the span of XstdX_{\text{std}} and [Xstd;Xext][X_{\text{std}};X_{\text{ext}}] respectively. Hence,

Our main result relies on the key observation that for any vector uu, Πstdu\Pi_{\text{std}}^{\perp}u can be decomposed into a sum of two orthogonal components vv and ww such that Πstdu=v+w\Pi_{\text{std}}^{\perp}u=v+w with w=Πauguw=\Pi_{\text{aug}}^{\perp}u and v=ΠstdΠauguv=\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}u. This is because Null([Xstd;Xext])Null(Xstd)\text{Null}([X_{\text{std}};X_{\text{ext}}])\subseteq\text{Null}(X_{\text{std}}) and thus ΠstdΠaug=Πaug\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}^{\perp}=\Pi_{\text{aug}}^{\perp}. Now setting u=θu=\theta^{\star} and using the error expressions in Equation 6 and Equation 7 gives a precise characterization of the difference in the standard errors of θ^std\hat{\theta}_{\text{std}} and θ^aug\hat{\theta}_{\text{aug}}.

The difference in the standard errors of the standard estimator θ^std\hat{\theta}_{\text{std}} and augmented estimator θ^aug\hat{\theta}_{\text{aug}} can be written as follows.

where v=ΠstdΠaugθv=\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}\theta^{\star} and w=Πaugθw=\Pi_{\text{aug}}^{\perp}\theta^{\star}.

The proof of Theorem 1 is in Appendix B.3. The increase in standard error of the augmented estimator can be understood in terms of the vectors ww and vv defined in Theorem 1. The first term vΣvv^{\top}\Sigma v is always positive, and corresponds to the decrease in the standard error of the augmented estimator θ^aug\hat{\theta}_{\text{aug}} by virtue of fitting extra training points in some directions. However, the second term 2wΣv2w^{\top}\Sigma v can be negative and intuitively measures the cost of a possible increase in the parameter error along other directions (similar to the increase along e2e_{2} in the simple setting of Figure 3(a)). When the cost outweighs the benefit, the standard error of θ^aug\hat{\theta}_{\text{aug}} is larger. Note that both the cost and benefit is determined by Σ\Sigma which governs how the parameter error affects the standard error.

We can use the above expression (Theorem 1) for the difference in standard errors of θ^aug\hat{\theta}_{\text{aug}} and θ^std\hat{\theta}_{\text{std}} to characterize different “safe” conditions under which augmentation with extra data does not increase the standard error. See Appendix B.7 for a proof.

The following conditions are sufficient for Lstd(θ^aug)Lstd(θ^std)L_{\text{std}}(\hat{\theta}_{\text{aug}})\leq L_{\text{std}}(\hat{\theta}_{\text{std}}), i.e. the standard error does not increase when fitting augmented data.

The population covariance Σ\Sigma is identity.

The augmented data [Xstd;Xext][X_{\text{std}};X_{\text{ext}}] spans the entire space, or equivalently Πaug=0\Pi_{\text{aug}}^{\perp}=0.

We would like to draw special attention to the first condition. When Σ=I\Sigma=I, notice that the norm that governs the standard error (Equation 6) matches the norm that is minimized by the interpolants (Equation 5). Intuitively, the estimators have the “right” inductive bias; under this condition, the augmented estimator θ^aug\hat{\theta}_{\text{aug}} does not have higher standard error. In other words, the observed increase in the standard error of θ^aug\hat{\theta}_{\text{aug}} can be attributed to the “wrong” inductive bias. In Section 4, we will use this understanding to propose a method of robust training which does not increase standard error over standard training.

Finally, we relate the magnitude of increase in standard error of the augmented estimator to the complexity of the true model.

For a given Xstd,Xext,ΣX_{\text{std}},X_{\text{ext}},\Sigma,

for some scalar γ>0\gamma>0 that depends on Xstd,Xext,ΣX_{\text{std}},X_{\text{ext}},\Sigma.

Robust self-training

We now use insights from Section 3 to construct estimators with low robust error without increasing the standard error. While Section 3 characterized the effect of adding extra data XextX_{\text{ext}} in general, in this section we consider robust training which augments the dataset with extra data XextX_{\text{ext}} that are consistent perturbations of the standard training data XstdX_{\text{std}}.

Since the standard estimator has small standard error, a natural strategy to mitigate the tradeoff is to regularize the augmented estimator to be closer to the standard estimator. The choice of distance between the estimators we regularize is very important. Recall from Section 3.1 that the population covariance Σ\Sigma determines how the parameter error affects the standard error. This suggests using a regularizer that incorporates information about Σ\Sigma.

We first revisit the recently proposed robust self-training (RST) (Carmon et al., 2019; Najafi et al., 2019; Uesato et al., 2019) that incorporates additional unlabeled data via pseudo-labels from a standard estimator. Previous work only focused on the effectiveness of RST in improving the robust error. In Section 4.2, we prove that in linear regression, RST eliminates the tradeoff between standard and robust error (Theorem 2). The proof hinges on the connection between RST and the idea of regularizing towards the standard estimator discussed above. In particular, we show that the RST objective can be rewritten as minimizing a suitable Σ\Sigma-induced distance to the standard estimator.

We first describe the general two-step robust self-training (RST) procedure (Carmon et al., 2019; Uesato et al., 2019) for a parameteric model fθf_{\theta}:

It is convenient to summarize the robust self-training estimator θ^rst\hat{\theta}_{\text{rst}} as the minimizer of a weighted combination of four separate losses as follows. We define the losses on the labeled dataset {(xi,yi)}i=1n\{(x_{i},y_{i})\}_{i=1}^{n} as

for fixed scalars α,β,γ,λ0\alpha,\beta,\gamma,\lambda\geq 0.

2 Robust self-training for linear regression

We now return to the noiseless linear regression as described in Section 2 and specialize the general RST estimator described in Equation (10) to this setting. We prove that RST eliminates the decrease in standard error in this setting while achieving low robust error by showing that RST appropriately regularizes the augmented estimator towards the standard estimator.

Figure 5 shows the four losses of RST in this special case of linear regression.

Obtaining this specialized estimator from the general RST estimator in Equation (10) involves the following steps. First, for convenience of analysis, we assume access to the population covariance Σ\Sigma via infinite unlabeled data and thus replace the finite sample losses on the unlabeled data L^std-unlab(θ),L^rob-unlab(θ)\hat{L}_{\text{std-unlab}}(\theta),\hat{L}_{\text{rob-unlab}}(\theta) by their population losses Lstd-unlab(θ),Lrob-unlab(θ)L_{\text{std-unlab}}(\theta),L_{\text{rob-unlab}}(\theta). Second, the general RST objective minimizes some weighted combination of four losses. When specializing to the case of noiseless linear regression, since L^std, lab(θ)=0\hat{L}_{\text{std, lab}}(\theta^{\star})=0, rather than minimizing αL^std-lab(θ)\alpha\hat{L}_{\text{std-lab}}(\theta^{\star}), we set the coefficients on the losses such that the estimator satisfies a hard constraint L^std-lab(θ)=0\hat{L}_{\text{std-lab}}(\theta^{\star})=0. This constraint which enforces interpolation on the labeled dataset yi=xiθ i=1,ny_{i}=x_{i}^{\top}\theta~{}\forall i=1,\ldots n allows us to rewrite the robust loss (Equation 9) on the labeled examples equivalently as a self-consistency loss defined independent of labels.

Since θ\theta^{\star} is invariant on perturbations T(x)T(x) by definition, we have L^rob-lab(θ)=0\hat{L}_{\text{rob-lab}}(\theta^{\star})=0 and thus we introduce a constraint L^rob-lab(θ)=0\hat{L}_{\text{rob-lab}}(\theta)=0 in the estimator.

For the losses on the unlabeled data, since the pseudo-labels are not perfect, we minimize Lstd-unlabL_{\text{std-unlab}} in the objective instead of enforcing a hard constraint on Lstd-unlabL_{\text{std-unlab}}. However, similarly to the robust loss on labeled data, we can reformulate the robust loss on unlabeled samples Lrob-unlabL_{\text{rob-unlab}} as a self-consistency loss that does not use pseudo-labels. By definition, Lrob-unlab(θ)=0L_{\text{rob-unlab}}(\theta^{\star})=0 and thus we enforce Lrob-unlab(θ)=0L_{\text{rob-unlab}}(\theta)=0 in the specialized estimator.

We now study the standard and robust error of the linear regression RST estimator defined above in Equation (4.2).

Assume the noiseless linear model y=xθy=x^{\top}\theta^{\star}. Let θint-std\theta_{\textup{int-std}} be an arbitrary interpolant of the standard data, i.e. Xstdθint-std=ystdX_{\text{std}}\theta_{\textup{int-std}}=y_{\text{std}}. Then

Simultaneously, Lrob(θ^rst)=Lstd(θ^rst)L_{\text{rob}}(\hat{\theta}_{\text{rst}})=L_{\text{std}}(\hat{\theta}_{\text{rst}}).

The crux of the proof is that the optimization objective of RST is an inductive bias that regularizes the estimator to be close to the standard estimator, weighing directions by their contribution to the standard error via Σ\Sigma. To see this, we rewrite

By incorporating an appropriate Σ\Sigma-induced regularizer while satisfying constraints on the robust losses, RST ensures that the standard error of the estimator never exceeds the standard error of θ^std\hat{\theta}_{\text{std}}. The robust error of any estimator is lower bounded by its standard error, and this gap can be arbitrarily large for the standard estimator. However, the robust error of the RST estimator matches the lower bound of its standard error which in turn is bounded by the standard error of the standard estimator and hence is small. To provide some graphical intuition for the result, see Figure 2 that visualizes the RST estimator on the cubic splines interpolation problem that exemplifies the increase in standard error upon augmentation. RST captures the global structure and obtains low standard error by matching θ^std\hat{\theta}_{\text{std}} (straight line) on unlabeled inputs. Simultaneously, RST enforces invariance on local transformations on both labeled and unlabeled inputs, and obtains low robust error by capturing the local structure across the domain.

The constraint on the standard loss on labeled data simply corresponds to interpolation on the standard labeled data. The constraints on the robust self-consistency losses involve a maximization over a set of transformations. In the case of linear regression, such constraints can be equivalently represented by a set of at most dd linear constraints, where dd is the dimension of the covariates. Further, with this finite set of constraints, we only require access to the covariance Σ\Sigma in order to constrain the population robust loss. Appendix D gives a practical iterative algorithm that computes the RST estimator for linear regression reminiscent of adversarial training in the semi-supervised setting.

3 Empirical evaluation of RST

Both RST+AT and RST+TRADES have lower robust and standard error than their supervised counterparts AT and TRADES across all perturbation types. This mirrors the theoretical analysis of RST in linear regression (Theorem 2) where the RST estimator has small robust error while provably not sacrificing standard error, and never obtaining larger standard error than the standard estimator.

Recall that our work motivates studying the tradeoff between robust and standard error while taking generalization from finite data into account. We showed that the gap in the standard error of a standard estimator and that of a robust estimator is large for small training set sizes and decreases as the labeled dataset is larger (Figure 1). We now study the effect of RST as we vary the training set size in Figure 6. We find that RST+AT has lower standard error than standard training across all sample sizes for small ϵ\epsilon, while simultaneously achieving lower robust error than AT (see Appendix E.2.1). In the small data regime where vanilla adversarial training hurts the standard error the most, we find that RST+AT gives about 3x more absolute improvement than in the large data regime. We note that this set of experiments are complementary to the experiments in (Schmidt et al., 2018) which study the effect of the training set size only on robust error.

We also test the effect of RST on perturbations where robust training slightly improves standard error rather than hurting it. Since RST regularizes towards the standard estimator, one might suspect that the improvements from robust training disappear with RST. In particular, we consider spatial transformations T(x)T(x) that consist of simultaneous rotations and translations. We use two common forms of robust training for spatial perturbations, where we approximately maximize over T(x)T(x) with either adversarial (worst-of-10) or random augmentations (Yang et al., 2019; Engstrom et al., 2019). Table 1 (right) presents the results. In the regime where vanilla robust training does not hurt standard error, RST in fact further improves the standard error by almost 1% and the robust error by 2-3% over the standard and robust estimators for both forms of robust training. Thus in settings where vanilla robust training improves standard error, RST seems to further amplify the gains while in settings where vanilla robust training hurts standard error, RST mitigates the harmful effect.

The RST estimator minimizes both a robust loss and a standard loss on the unlabeled data with pseudo-labels (bottom row, Figure 5). Both of these losses are necessary to simultaneously the standard and robust error over vanilla supervised robust training. Standard self-training, which only uses standard loss on unlabeled data, has very high robust error (100%\approx 100\%). Similarly, Robust Consistency Training, an extension of Virtual Adversarial Training (Miyato et al., 2018) that only minimizes a robust self-consistency loss on unlabeled data, marginally improves the robust error but actually hurts standard error (Table 1).

Related Work

In concurrent and independent work, Min et al. (2020) also study the effect of dataset size on the tradeoff. They prove that in a “strong adversary” regime, there is a tradeoff even with infinite data, as the perturbations are large enough to change the ground truth target. They also identify a “weak adversary” regime (smaller perturbations) where the gap in standard error between robust and standard estimators first increases and then decreases, with no tradeoff in the infinite data limit. Similar to our work, this provides an example of a tradeoff due to generalization from finite data. However, their experimental validation of the tradeoff trends is restricted to simulated settings and they do not study how to mitigate the tradeoff.

To the best of our knowledge, ours is the first work that theoretically studies how to mitigate the tradeoff between standard and robust error. While robust self-training (RST) was proposed in recent works (Carmon et al., 2019; Najafi et al., 2019; Uesato et al., 2019) as a way to improve robust error, we prove that RST eliminates the tradeoff between standard and robust error in noiseless linear regression and systematically study the effect on RST on the tradeoff with several different perturbations and adversarial training algorithms on Cifar-10.

Interpolated Adversarial Training (IAT) (Lamb et al., 2019) and Neural Architecture Search (NAS) (Cubuk et al., 2017) were proposed to mitigate the tradeoff bbetween standard and robust error empirically. IAS considers a different training algorithm based on Mixup, NAS (Cubuk et al., 2017) uses RL to search for more robust architectures. In Table 1, we also report the standard and robust errors of these methods. RST, IAT and NAS are incomparable as they find different tradeoffs between standard and robust error. Recently, Xie et al. (2020) showed that adversarial training with appropriate batch normalization (AdvProp) with small perturbations can actually improve standard error. However, since they only aim to improve and evaluate the standard error, it is unclear if the robust error improves. We believe that since RST provides a complementary statistical perspective on the tradeoff, it can be combined with methods like IAT, NAS or AdvProp to see further gains in standard and robust errors. We leave this to future work.

Conclusion

We study the commonly observed increase in standard error upon adversarial training due to generalization from finite data in a well-specified setting with consistent perturbations. Surprisingly, we show that methods that augment the training data with consistent perturbations, such as adversarial training, can increase the standard error even in the simple setting of noiseless linear regression where the true linear function has zero standard and robust error. Our analysis reveals that the mismatch between the inductive bias of models and the underlying distribution of the inputs causes the standard error to increase even when the augmented data is perfectly labeled. This insight motivates a method that provably eliminates the tradeoff in linear regression by incorporating an appropriate regularizer that utilizes the distribution of the inputs. While not immediately apparent, we show that this is a special case of the recently proposed robust self-training (RST) procedure that uses additional unlabeled data to estimate the distribution of the inputs. Previous works view RST as a method to improve the robust error by increasing the sample size. Our work provides some theoretical justification for why RST improves both the standard and robust error, thereby mitigating the tradeoff between accuracy and robustness. How to best utilize unlabeled data, and whether sufficient unlabeled data can completely eliminate the tradeoff remain open questions.

We are grateful to Tengyu Ma, Yair Carmon, Ananya Kumar, Pang Wei Koh, Fereshte Khani, Shiori Sagawa and Karan Goel for valuable discussions and comments. This work was funded by an Open Philanthropy Project Award and NSF Frontier Award as part of the Center for Trustworthy Machine Learning (CTML). AR was supported by Google Fellowship and Open Philanthropy AI Fellowship. SMX was supported by an NDSEG Fellowship. FY was supported by the Institute for Theoretical Studies ETH Zurich and the Dr. Max Rossler and the Walter Haefner Foundation. FY and JCD were supported by the Office of Naval Research Young Investigator Awards.

References

Appendix A Transformations to handle arbitrary matrix norms

Consider a more general minimum norm estimator of the following form. Given inputs XX and corresponding targets yy as training data, we study the interpolation estimator,

Appendix B Standard error of minimum norm interpolants

The projection operators Πstd\Pi_{\text{std}}^{\perp} and Πaug\Pi_{\text{aug}}^{\perp} are formally defined as follows.

B.2 Invariant transformations may have arbitrary nullspace components

B.3 Proof of Theorem 1

by decomposition of Πstdθ=v+w\Pi_{\text{std}}^{\perp}\theta^{\star}=v+w where v=ΠstdΠaugθv=\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}\theta^{\star} and w=ΠstdΠaugθw=\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}^{\perp}\theta^{\star}. Note that the error difference does scale with θ2\|\theta^{\star}\|^{2}, although the sign of the difference does not.

B.4 Proof of Corollary 1

Corollary 1 presents three sufficient conditions under which the standard error of the augmented estimator Lstd(θ^aug)L_{\text{std}}(\hat{\theta}_{\text{aug}}) is never larger than the standard error of the standard estimator Lstd(θ^std)L_{\text{std}}(\hat{\theta}_{\text{std}}).

When the population covariance Σ=I\Sigma=I, from Theorem 1, we see that

since v=ΠstdΠaugθv=\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}\theta^{\star} and w=Πaugθw=\Pi_{\text{aug}}^{\perp}\theta^{\star} are orthogonal.

When Πaug=0\Pi_{\text{aug}}^{\perp}=0, the vector ww in Theorem 1 is , and hence we get

We prove the eigenvector condition in Section B.7 which studies the effect of augmenting with a single extra point in general.

B.5 Proof of Proposition 1

The proof of Proposition 1 is based on the following two lemmas that are also useful for characterization purposes in Corollary 2.

If a PSD matrix Σ\Sigma has non-equal eigenvalues, one can find two unit vectors w,vw,v for which the following holds

Hence, there exists a combination of original and augmentation dataset Xstd,XextX_{\text{std}},X_{\text{ext}} such that condition (19) holds for two directions vCol(ΠstdΠaug)v\in\text{Col}(\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}) and wCol(ΠstdΠaug)=Col(Πaug)w\in\text{Col}(\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}^{\perp})=\text{Col}(\Pi_{\text{aug}}^{\perp}).

Note that neither ww nor vv can be eigenvectors of Σ\Sigma in order for both conditions in equation (19) to hold. Given a population covariance, fixed original and augmentation data for which condition (19) holds, we can now explicitly construct θ\theta^{\star} for which augmentation increases standard error.

where βi\beta_{i} are constants that depend on Xstd,Xext,ΣX_{\text{std}},X_{\text{ext}},\Sigma.

Proposition 1 follows directly from the second statement of Lemma 2 by minimizing the bound (20) with respect to c1c_{1} which is a free parameter to be chosen during construction of θ\theta^{\star} (see proof of Lemma (2). The minimum is attained for c1=2(β1+1)(β2c2)c_{1}=2\sqrt{(\beta_{1}+1)(\beta_{2}c^{2})}. We hence conclude that θ\theta^{\star} needs to be sufficiently more complex than a good standard solution, i.e. θ22θ^std22>γc\|\theta^{\star}\|^{2}_{2}-\|\hat{\theta}_{\text{std}}\|^{2}_{2}>\gamma c where γ>0\gamma>0 is a constant that depends on the Xstd,XextX_{\text{std}},X_{\text{ext}}.

B.6 Proof of technical lemmas

In this section we prove the technical lemmas that are used to prove Theorem 1.

Any vector ΠstdθNull(Σstd)\Pi_{\text{std}}^{\perp}\theta\in\text{Null}(\Sigma_{\text{std}}) can be decomposed into orthogonal components Πstdθ=ΠstdΠaugθ+ΠstdΠaugθ\Pi_{\text{std}}^{\perp}\theta=\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}^{\perp}\theta+\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}\theta. Using the minimum-norm property, we can then always decompose the (rotated) augmented estimator θ^augCol(Πaug)=Col(ΠstdΠaug)\hat{\theta}_{\text{aug}}\in\text{Col}(\Pi_{\text{aug}}^{\perp})=\text{Col}(\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}^{\perp}) and true parameter θ\theta^{\star} by

where we define “ext” as the set of basis vectors which span Col(ΠstdΠaug)\text{Col}(\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}) and respectively “rest” for Null(Σaug)\text{Null}(\Sigma_{\text{aug}}). Requiring the standard error increase to be some constant c>0c>0 can be rewritten using identity (16) as follows

The left hand side of equation (21) is always positive, hence it is necessary for this equality to hold with any c>0c>0, that there exists at least one pair i,ji,j such that wjΣvi0w_{j}^{\top}\Sigma v_{i}\neq 0 and one direction of the iff statement is proved.

For the other direction, we show that if there exist vCol(ΠstdΠaug)v\in\text{Col}(\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}) and wCol(ΠstdΠaug)w\in\text{Col}(\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}^{\perp}) for which condition (19) holds (wlog we assume that the wΣv<0w^{\top}\Sigma v<0) we can construct a θ\theta^{\star} for which the inequality (8) in Theorem 1 holds as follows:

It is then necessary by our assumption that ξjζiwjΣvi>0\xi_{j}\zeta_{i}w_{j}^{\top}\Sigma v_{i}>0 for at least some i,ji,j. We can then set ζi>0\zeta_{i}>0 such that θ^augθ^std2=ζ2=c1>0\|\hat{\theta}_{\text{aug}}-\hat{\theta}_{\text{std}}\|^{2}=\|\zeta\|^{2}=c_{1}>0, i.e. that the augmented estimator is not equal to the standard estimator (else obviously there can be no difference in error and equality (21) cannot be satisfied for any desired error increase c>0c>0).

The choice of ξ\xi minimizing θθ^aug2=jξj2\|\theta^{\star}-\hat{\theta}_{\text{aug}}\|^{2}=\sum_{j}\xi_{j}^{2} that also satisfies equation (21) is an appropriately scaled vector in the direction of x=WΣVζx=W^{\top}\Sigma V\zeta where we define W:=[w1,,wrest]W:=[w_{1},\dots,w_{|\text{rest}|}] and V:=[v1,,vext]V:=[v_{1},\dots,v_{|\text{ext}|}]. Defining c0=ζVΣVζc_{0}=\zeta^{\top}V^{\top}\Sigma V\zeta for convenience and then setting

which is well-defined since x0x\neq 0, yields a θ\theta^{\star} such that augmentation increases standard error. It is thus necessary for Lstd(θ^aug)Lstd(θ^std)=cL_{\text{std}}(\hat{\theta}_{\text{aug}})-L_{\text{std}}(\hat{\theta}_{\text{std}})=c that

By assuming existence of i,ji,j such that ξjζiwjΣvi0\xi_{j}\zeta_{i}w_{j}^{\top}\Sigma v_{i}\neq 0, we are guaranteed that λmax2(WΣV)>0\lambda^{2}_{\max}(W^{\top}\Sigma V)>0.

Note due to construction we have θ22=θ^std22+iζi2+jξj2\|\theta^{\star}\|_{2}^{2}=\|\hat{\theta}_{\text{std}}\|_{2}^{2}+\sum_{i}\zeta_{i}^{2}+\sum_{j}\xi_{j}^{2} and plugging in the choice of ξj\xi_{j} in equation (22) we have

Setting β1=[1+λmin2(VΣV)4λmax2(WΣV)]\beta_{1}=\left[1+\frac{\lambda_{\min}^{2}(V^{\top}\Sigma V)}{4\lambda^{2}_{\max}(W^{\top}\Sigma V)}\right], β2=14λmax2(WΣV)\beta_{2}=\frac{1}{4\lambda^{2}_{\max}(W^{\top}\Sigma V)} yields the result.

B.6.2 Proof of Lemma 1

Let λ1,,λm\lambda_{1},\dots,\lambda_{m} be the mm non-zero eigenvalues of Σ\Sigma and uiu_{i} be the corresponding eigenvectors. Then choose vv to be any combination of the eigenvectors v=Uβv=U\beta where U=[u1,,um]U=[u_{1},\dots,u_{m}] where at least βi,βj0\beta_{i},\beta_{j}\neq 0 for λiλj\lambda_{i}\neq\lambda_{j}. We next construct w=Uαw=U\alpha by choosing α\alpha as follows such that the inequality in (19) holds:

and αk=0\alpha_{k}=0 for ki,jk\neq i,j. Then we have that αβ=0\alpha^{\top}\beta=0 and hence wv=0w^{\top}v=0. Simultaneously

which concludes the proof of the first statement.

We now prove the second statement by constructing Σstd=XstdXstd,Σext=XextXext\Sigma_{\text{std}}=X_{\text{std}}^{\top}X_{\text{std}},\Sigma_{\text{ext}}=X_{\text{ext}}^{\top}X_{\text{ext}} using w,vw,v. We can then obtain Xstd,XextX_{\text{std}},X_{\text{ext}} using any standard decomposition method to obtain Xstd,XextX_{\text{std}},X_{\text{ext}}. We construct Σstd,Σext\Sigma_{\text{std}},\Sigma_{\text{ext}} using w,vw,v. Without loss of generality, we can make them simultaneously diagonalizable. We construct a set of eigenvectors that is the same for both matrices paired with different eigenvalues. Let the shared eigenvectors include w,vw,v. Then if we set the corresponding eigenvalues λw(Σext)=0,λv(Σext)>0\lambda_{w}(\Sigma_{\text{ext}})=0,\lambda_{v}(\Sigma_{\text{ext}})>0 and λw(Σstd)=0,λv(Σstd)=0\lambda_{w}(\Sigma_{\text{std}})=0,\lambda_{v}(\Sigma_{\text{std}})=0, then λw(Σaug)=0\lambda_{w}(\Sigma_{\text{aug}})=0 such that wCol(ΠstdΠaug)w\in\text{Col}(\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}^{\perp}) and vCol(ΠstdΠaug)v\in\text{Col}(\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}). This shows the second statement. With this, we can design a θ\theta^{\star} for which augmentation increases standard error as in Lemma 2.

B.7 Characterization Corollary 2

A simpler case to analyze is when we only augment with one extra data point. The following corollary characterizes which single augmentation directions lead to higher prediction error for the augmented estimator.

The following characterizations hold for augmentation directions that do not cause the standard error of the augmented estimator to be higher than the original estimator.

(in terms of ratios of inner products) For a given θ\theta^{\star}, data augmentation does not increase the standard error of the augmented estimator for a single augmentation direction xextx_{\text{ext}} if

(in terms of eigenvectors) Data augmentation does not increase standard error for any θ\theta^{\star} if Πstdxext\Pi_{\text{std}}^{\perp}x_{\text{ext}} is an eigenvector of Σ\Sigma. However if one augments in the direction of a mixture of eigenvectors of Σ\Sigma with different eigenvalues, there exists θ\theta^{\star} such that augmentation increases standard error.

(depending on well-conditioning of Σ\Sigma) If λmax(Σ)λmin(Σ)2\frac{\lambda_{\max}(\Sigma)}{\lambda_{\min}(\Sigma)}\leq 2 and Πstdθ\Pi_{\text{std}}^{\perp}\theta^{\star} is an eigenvector of Σ\Sigma, then no augmentations xextx_{\text{ext}} increase standard error.

The form in Equation (23) compares ratios of inner products of Πstdxext\Pi_{\text{std}}^{\perp}x_{\text{ext}} and Πstdθ\Pi_{\text{std}}^{\perp}\theta^{\star} in two spaces: the one in the numerator is weighted by Σ\Sigma whereas the denominator is the standard inner product. Thus, if Σ\Sigma scales and rotates rather inhomogeneously, then augmenting with xextx_{\text{ext}} may hurt standard error. Here again, if Σ=γI\Sigma=\gamma I for γ>0\gamma>0, then the condition must hold.

Note that for a single augmentation point Xext=xextX_{\text{ext}}=x_{\text{ext}}^{\top}, the orthogonal decomposition of Πstdθ\Pi_{\text{std}}^{\perp}\theta^{\star} into Col(Πaug)\text{Col}(\Pi_{\text{aug}}^{\perp}) and Col(ΠstdΠaug)\text{Col}(\Pi_{\text{std}}^{\perp}\Pi_{\text{aug}}) is defined by v=ΠstdxextθΠstdxext2Πstdxextv=\frac{{\Pi_{\text{std}}^{\perp}x_{\text{ext}}}^{\top}\theta^{\star}}{\|{\Pi_{\text{std}}^{\perp}x_{\text{ext}}}\|^{2}}{\Pi_{\text{std}}^{\perp}x_{\text{ext}}} and w=Πstdθvw=\Pi_{\text{std}}^{\perp}\theta^{\star}-v respectively. Plugging back into into identity (16) then yields the following condition for safe augmentations:

Rearranging the terms yields inequality (23).

Safe augmentation directions for specific choices of θ\theta^{\star} and Σ\Sigma are illustrated in Figure 3.

B.7.2 Proof of Corollary 2 (b)

Assume that Πstdxext\Pi_{\text{std}}^{\perp}x_{\text{ext}} is an eigevector of Σ\Sigma with eigenvalue λ>0\lambda>0. We have

for any θ\theta^{\star}. Hence by Corollary 2 (a), the standard error doesn’t increase by augmenting with eigenvectors of Σ\Sigma for any θ\theta^{\star}.

When the single augmentation direction vv is not an eigenvector of Σ\Sigma, by Lemma 1 one can find ww such that wΣv0w^{\top}\Sigma v\neq 0. The proof in Lemma 1 gives an explicit construction for ww such that condition (19) holds and the result then follows directly by Lemma 2.

B.7.3 Proof of Corollary 2 (c)

Suppose ΣΠstdθ=λΠstdθ\Sigma\Pi_{\text{std}}^{\perp}\theta^{\star}=\lambda\Pi_{\text{std}}^{\perp}\theta^{\star} for some λmin(Σ)λλmax(Σ)\lambda_{\min}(\Sigma)\leq\lambda\leq\lambda_{\max}(\Sigma). Then starting with the expression (23),

by applying λmax(Σ)λmin(Σ)2\frac{\lambda_{\max}(\Sigma)}{\lambda_{\min}(\Sigma)}\leq 2. Thus when Πstdθ\Pi_{\text{std}}^{\perp}\theta^{\star} is an eigenvector of Σ\Sigma, there are no augmentations xextx_{\text{ext}} that increase the standard error.

Appendix C Details for spline staircase

We describe the data distribution, augmentations, and model details for the spline experiment in Figure 1 and toy scenario in Figure 2. Finally, we show that we can construct a simplified family of spline problems where the ratio between standard errors of the augmented and standard estimators increases unboundedly as the number of stairs.

We describe the data distribution in terms of the one-dimensional input tt, and by the one-to-one correspondence with spline basis features x=X(t)x=X(t), this also defines the distribution of spline features xXx\in\mathcal{X}. Let wΔsw\in\Delta_{s} define a distribution over Tline\mathcal{T}_{\text{line}} where Δs\Delta_{s} is the probability simplex of dimension ss. We define the data distribution with the following generative process for one sample tt. First, sample a point ii from Tline\mathcal{T}_{\text{line}} according to the categorical distribution described by ww, such that iCategorical(w)i\sim\text{Categorical}(w). Second, sample tt by perturbing ii with probability δ\delta such that

The sampled tt is in Tline\mathcal{T}_{\text{line}} with probability 1δ1-\delta and Tlinec\mathcal{T}_{\text{line}}^{c} with probability δ\delta, where we choose δ\delta to be small.

C.2 Spline model

Our hypothesis class is the family of cubic B-splines as defined in (Friedman et al., 2001). Cubic B-splines are piecewise cubic functions, where the endpoints of each cubic function are called the knots. In our example, we fix the knots to be [0,ϵ,1,,s1,s1+ϵ][0,\epsilon,1,\dots,s-1,s-1+\epsilon], which places a knot on every point in T\mathcal{T}. This ensures that the function class contains an interpolating function on all tTt\in\mathcal{T}, i.e. for some θ\theta^{\star},

for the standard estimator and the corresponding augmented problem to obtain the augmented estimator.

C.3 Evaluating Corollary 2 (a) for splines

In the spline staircase, the local perturbations can be thought of as fitting high frequency noise in the function space, where fitting them causes a global change in the function.

Suppose the original training set consists of two points, Xstd=[XM(0),XM(1)]X_{\text{std}}=[X_{M}(0),X_{M}(1)]^{\top}. We study the effect of augmenting point xextx_{\text{ext}} in terms of qiq_{i} above. First, we find that the first two eigenvectors corresponding to linear functions satisfy Πstdq1=Πstdq2=0\Pi_{\text{std}}^{\perp}q_{1}=\Pi_{\text{std}}^{\perp}q_{2}=0. Intuitively, this is because the standard estimator is linear. For ease of visualization, we consider the 2D space in Null(Σ)\text{Null}(\Sigma) spanned by Πstdq3\Pi_{\text{std}}^{\perp}q_{3} (global direction, low frequency) and Πstdq2s\Pi_{\text{std}}^{\perp}q_{2s} (local direction, high frequency). The matrix Πlg=[Πstdq3, Πstdq2s]\Pi_{\text{lg}}=[\Pi_{\text{std}}^{\perp}q_{3},~{}\Pi_{\text{std}}^{\perp}q_{2s}]^{\top} projects onto this space. Note that the same results hold when projecting onto all Πstdqi\Pi_{\text{std}}^{\perp}q_{i} in Null(Σ)\text{Null}(\Sigma).

In terms of the simple 3-D example in Section 3.1, the global direction corresponds to the costly direction with large eigenvalue, as changes in global structure heavily affect the standard error. Figure 8 plots the projections Πlgθ\Pi_{\text{lg}}\theta^{\star} and ΠlgXext\Pi_{\text{lg}}X_{\text{ext}} for different XextX_{\text{ext}}. When θ\theta^{\star} has high frequency variations and is complex, Πlgθ=(θθ^std)\Pi_{\text{lg}}\theta^{\star}=(\theta^{\star}-\hat{\theta}_{\text{std}}) is aligned with the local dimension. For xextx_{\text{ext}} immediately local to training points, the projection Πlgxext\Pi_{\text{lg}}x_{\text{ext}} (orange vector in Figure 8) has both local and global components. Augmenting these local perturbations introduces error in the global component. For other xextx_{\text{ext}} farther from training points, Πlgxext\Pi_{\text{lg}}x_{\text{ext}} (blue vector in Figure 8) is almost entirely global and perpendicular to θθ^std\theta^{\star}-\hat{\theta}_{\text{std}}, leaving bias unchanged. Thus, augmenting data close to original data cause estimators to fit local components at the cost of the costly global component which changes overall structure of the predictor like in Figure 2(middle). The choice of inductive bias in the MM–norm being minimized results in eigenvectors of Σ\Sigma that correspond to local and global components, dictating this tradeoff.

C.4 Data augmentation can be quite painful for splines

We construct a family of spline problems such that as the number the augmented estimator has much higher error than the standard estimator. We assume that our predictors are from the full family of cubic splines.

We define a modified domain with continuous intervals T=t=0s1[t,t+ϵ]\mathcal{T}=\cup_{t=0}^{s-1}[t,t+\epsilon]. Considering only ss which is a multiple of 2, we sample the original data set as described in Section C.1 with the following probability mass ww:

for γ[0,1)\gamma\in[0,1). We define a probability distribution PTP_{\mathcal{T}} on T\mathcal{T} for a random variable TT by setting T=Z+S(Z)T=Z+S(Z) where ZCategorical(w)Z\sim\text{Categorical}(w) and the ZZ-dependent perturbation S(z)S(z) is defined as

We obtain the training dataset Xstd={X(t1),,X(tn)}X_{\text{std}}=\{X(t_{1}),\dots,X(t_{n})\} by sampling tiPTt_{i}\sim P_{\mathcal{T}}.

Consider a modified augmented estimator for the splines problem, where for each point tit_{i} we augment with the entire interval [ti,ti+ϵ][\lfloor t_{i}\rfloor,\lfloor t_{i}\rfloor+\epsilon] with ϵ[0,1/2)\epsilon\in[0,1/2) and the estimator is enforced to output fθ^(x)=yi=tif_{\hat{\theta}}(x)=y_{i}=\lfloor t_{i}\rfloor for all xx in the interval [ti,ti+ϵ][\lfloor t_{i}\rfloor,\lfloor t_{i}\rfloor+\epsilon]. Additionally, suppose that the ratio s/n=O(1)s/n=O(1) between the number of stairs ss and the number of samples nn is constant.

In this simplified setting, we can show that the standard error of the augmented estimator grows while the standard error of the standard estimator decays to 0.

Let the setting be defined as above. Then with the choice of δ=log(s7)log(s71)s\delta=\frac{\log(s^{7})-\log(s^{7}-1)}{s} and γ=c/s\gamma=c/s for a constant c[0,1)c\in[0,1), the ratio between standard errors is lower bounded as

which goes to infinity as ss\rightarrow\infty. Furthermore, R(θ^std)0R(\hat{\theta}_{\text{std}})\rightarrow 0 as ss\rightarrow\infty.

We first lower bound the standard error of the augmented estimator. Define E1E_{1} as the event that only the lower half of the stairs is sampled, i.e. {t:t<s/2}\{t:t<s/2\}, which occurs with probability (1γ)n(1-\gamma)^{n}. Let t=maxitit^{\star}=\max_{i}\lfloor t_{i}\rfloor be the largest “stair” value seen in the training set. Note that the min-norm augmented estimator will extrapolate with zero derivative for tmaxitit\geq\max_{i}\lfloor t_{i}\rfloor. This is because on the interval [t,t+ϵ][t^{\star},t^{\star}+\epsilon], the augmented estimator is forced to have zero derivative, and the solution minimizing the second derivative of the prediction continues with zero derivative for all ttt\geq t^{\star}. In the event E1E_{1}, ts/21t^{\star}\leq s/2-1, where t=s/21t^{*}=s/2-1 achieves the lowest error in this event. As a result, on the points in the second half of the staircase, i.e. t={tT:t>s21}t=\{t\in\mathcal{T}:t>\frac{s}{2}-1\}, the augmented estimator incurs large error:

Therefore the standard error of the augmented estimator is bounded by

where in the first line, we note that the error on each interval is the same and the probability of each interval is (1δ)γs/2+ϵδϵγs/2=γs/2(1-\delta)\frac{\gamma}{s/2}+\epsilon\frac{\delta}{\epsilon}\cdot\frac{\gamma}{s/2}=\frac{\gamma}{s/2}.

Next we upper bound the standard error of the standard estimator. Define E2E_{2} to be the event where all points are sampled from Tline\mathcal{T}_{\text{line}}, which occurs with probability (1δ)n(1-\delta)^{n}. In this case, the standard estimator is linear and fits the points on Tline\mathcal{T}_{\text{line}} with zero error, while incurring error for all points not in Tline\mathcal{T}_{\text{line}}. Note that the probability density of sampling a point not in Tline\mathcal{T}_{\text{line}} is either δϵ1γs/2\frac{\delta}{\epsilon}\cdot\frac{1-\gamma}{s/2} or δϵγs/2\frac{\delta}{\epsilon}\cdot\frac{\gamma}{s/2}, which we upper bound as δϵ1s/2\frac{\delta}{\epsilon}\cdot\frac{1}{s/2}.

Therefore for event E2E_{2}, the standard error is bounded as

since log(s7)log(s71)1\log(s^{7})-\log(s^{7}-1)\leq 1 for s2s\geq 2. For the complementary event E2cE_{2}^{c}, note that cubic spline predictors can grow only as O(t3)O(t^{3}), with error at most O(t6)O(t^{6}). Therefore the standard error for case E2cE_{2}^{c} is bounded as

Thus overall, R(θ^std)=O(1/s)R(\hat{\theta}_{\text{std}})=O(1/s) and combining the bounds yields the result. ∎

Appendix D Robust Self-Training

We define the linear robust self-training estimator from Equation (4.2) and expand all the terms.

Notice that for unlabeled components of the estimator, we assume access to the data distribution PxP_{\mathsf{x}} and thus optimize the population quantities.

As we show in the next subsection, we can rewrite the robust self-training estimator into the following reduced form, more directly connecting to the general analysis of adding extra data XextX_{\text{ext}} in min-norm linear regression.

for the appropriate choice of XextX_{\text{ext}}, as shown in Section D.1. Here, we can interpret XextX_{\text{ext}} as the difference between the perturbed inputs and original inputs. These are perturbations which we want the model to be invariant to, and hence output zero.

We give an algorithm for constructing XextX_{\text{ext}} which enforces the population robustness constraints. Suppose we are given Σ\Sigma, the population covariance of PxP_{\mathsf{x}}. In robust self-training, we enforce that the model is consistent over perturbations of the labeled data XstdX_{\text{std}} and (infinite) unlabeled data. To do this, we add linear constraints of the form xadvθxθ=0x_{\text{adv}}^{\top}\theta-x^{\top}\theta=0, where xadvT(x)x_{\text{adv}}\in T(x) for all xx. We can view these linear constraints as augmenting the dataset with input-target pairs (xext,0)(x_{\text{ext}},0) where xext=xadvxx_{\text{ext}}=x_{\text{adv}}-x. By assumption, xextθ=0x_{\text{ext}}^{\top}\theta^{\star}=0 so these augmentations fit into our data augmentation framework.

However, when we enforce these constraints over the entire population PxP_{\mathsf{x}} or when there are an infinite number of transformations in T(x)T(x), a naive implementation requires augmenting with infinitely many points. Noting that the space of augmentations xextx_{\text{ext}} satisfying xextθ=0x_{\text{ext}}^{\top}\theta^{\star}=0 is a linear subspace, we can instead summarize the augmentations with a basis that spans the transformations. Let the space of perturbations be T=xsupp(Px),xadvT(x)xadvx\mathcal{T}=\cup_{x\in\text{supp}(P_{\mathsf{x}}),x_{\text{adv}}\in T(x)}x_{\text{adv}}-x. Note that this space of perturbations also contains perturbations of the original data XstdX_{\text{std}} if XstdX_{\text{std}} is in the support of PxP_{\mathsf{x}}. If XstdX_{\text{std}} is not in the support of PxP_{\mathsf{x}}, the behavior of the estimator on these points do not affect standard or robust error. Assuming that we can efficiently optimize over T\mathcal{T}, we construct the basis by an iterative procedure reminiscent of adversarial training.

Set t=0t=0. Initialize θt=θint-std\theta^{t}=\theta_{\textup{int-std}} and (Xext)0(X_{\text{ext}})_{0} as an empty matrix.

At iteration tt, solve for xextt=arg maxxextT(xextθt)2x_{\text{ext}}^{t}=\operatorname*{arg\,max}_{x_{\text{ext}}\in\mathcal{T}}(x_{\text{ext}}^{\top}\theta^{t})^{2}. If the objective is unbounded, choose any xexttx_{\text{ext}}^{t} such that xextθt0x_{\text{ext}}^{\top}\theta^{t}\neq 0.

If θtxextt=0{\theta^{t}}^{\top}x_{\text{ext}}^{t}=0, stop and return (Xext)t(X_{\text{ext}})_{t}.

Otherwise, add xexttx_{\text{ext}}^{t} as a row in (Xext)t(X_{\text{ext}})_{t}. Increment tt and let θt\theta^{t} solve (31) with Xext=(Xext)tX_{\text{ext}}=(X_{\text{ext}})_{t}.

In each iteration, we search for a perturbation that the current θt\theta^{t} is not invariant to. If we can find such a perturbation, we add it to the constraint set in (Xext)t(X_{\text{ext}})_{t}. We stop when we cannot find such a perturbation, implying that the rows of (Xext)t(X_{\text{ext}})_{t} and XstdX_{\text{std}} span T\mathcal{T}. The final RST estimator solves (31) using XextX_{\text{ext}} returned from this procedure.

This procedure terminates within O(d)O(d) iterations. To see this, note that θt\theta^{t} is orthogonal to all rows of (Xext)t(X_{\text{ext}})_{t}. Any vector in the span of (Xext)t(X_{\text{ext}})_{t} is orthogonal to θt\theta^{t}. Thus, if θtxextt0{\theta^{t}}^{\top}x_{\text{ext}}^{t}\neq 0, then xexttx_{\text{ext}}^{t} must not be in the span of (Xext)t(X_{\text{ext}})_{t}. At most drank(Xstd)d-\text{rank}(X_{\text{std}}) such new directions can be added until (Xext)t(X_{\text{ext}})_{t} is full rank. When (Xext)t(X_{\text{ext}})_{t} is full rank, θtxextt=0{\theta^{t}}^{\top}x_{\text{ext}}^{t}=0 must hold and the algorithm terminates.

D.2 Proof of Theorem 2

In this section, we prove Theorem 2, which we reproduce here. See 2

We work with the RST estimator in the form from Equation (31). We note that our result applies generally to any extra data Xext,yextX_{\text{ext}},y_{\text{ext}}. We define Σstd=XstdXstd\Sigma_{\text{std}}=X_{\text{std}}^{\top}X_{\text{std}}. Let {ui}\{u_{i}\} be an orthonormal basis of the kernel Null(Σstd+XextXext)\text{Null}(\Sigma_{\text{std}}+X_{\text{ext}}^{\top}X_{\text{ext}}) and {vi}\{v_{i}\} be an orthonormal basis for Null(Σstd)span({ui})\text{Null}(\Sigma_{\text{std}})\setminus\mathop{\rm span}(\{u_{i}\}). Let UU and VV be the linear operators defined by Uw=iuiwiUw=\sum_{i}u_{i}w_{i} and Vw=iviwiVw=\sum_{i}v_{i}w_{i}, respectively, noting that UV=0U^{\top}V=0. Defining Πstd:=(IΣstdΣstd)\Pi_{\text{std}}^{\perp}:=(I-\Sigma_{\text{std}}^{\dagger}\Sigma_{\text{std}}) to be the projection onto the null space of XstdX_{\text{std}}, we see that there are unique vectors ρ,α\rho,\alpha such that

Using the representations (32) we may provide an alternative formulation for the augmented estimator (D), using this to prove the theorem. Indeed, writing θint-stdθ^rst=U(wρ)+V(zλ)\theta_{\textup{int-std}}-\hat{\theta}_{\text{rst}}=U(w-\rho)+V(z-\lambda), we immediately have that the estimator has the form (32c), with the choice

The optimality conditions for this quadratic imply that

Now, recall that the standard error of a vector θ\theta is R(θ)=(θθ)Σ(θθ)=θθΣ2R(\theta)=(\theta-\theta^{\star})^{\top}\Sigma(\theta-\theta^{\star})=\left\|{\theta-\theta^{\star}}\right\|^{2}_{\Sigma}, using Mahalanobis norm notation. In particular, a few quadratic expansions yield

where step (i)(i) used that (U(wρ))ΣV=(V(λz))ΣV(U(w-\rho))^{\top}\Sigma V=(V(\lambda-z))^{\top}\Sigma V from the optimality conditions (33).

Finally, we consider the rightmost term in equality (34). Again using the optimality conditions (33), we have

by Cauchy-Schwarz. Revisiting equality (34), we obtain

where we used that xadvθ=xθx_{\text{adv}}^{\top}\theta^{\star}=x^{\top}\theta^{\star} by assumption. Since Lrob(θ^rst)Lstd(θ^rst)L_{\text{rob}}(\hat{\theta}_{\text{rst}})\geq L_{\text{std}}(\hat{\theta}_{\text{rst}}), θ^rst\hat{\theta}_{\text{rst}} has perfect consistency, achieving the lowest possible robust error (matching the standard error). ∎

D.3 Different instantiations of the general RST procedure

In the first variant, RST + PG-AT, we use multiclass logistic loss (cross-entropy) as the standard loss. The robust loss is the maximum cross-entropy loss between any perturbed input (within the set of tranformations T()T(\cdot)) and the label (pseudo-label in the case of unlabeled data). We set the weights such that the estimator can be written as follows.

D.3.2 TRADES

Appendix E Experimental Details

For spline simulations in Figure 2 and Figure 1, we implement the optimization of the standard and robust objectives using the basis described in (Friedman et al., 2001). The penalty matrix MM computes second-order finite differences of the parameters θ\theta. We solve the min-norm objective directly using CVXPY (Diamond & Boyd, 2016). Each point in Figure 1(a) represents the average standard error over 25 trials of randomly sampled training datasets between 2222 and 10001000 samples. Shaded regions represent 1 standard deviation.

E.2 RST experiments

We compare the standard error of the augmented estimator with an estimator trained using RST. We apply RST to adversarial training algorithms in Cifar-10 using 500k unlabeled examples sourced from Tiny Images, as in (Carmon et al., 2019).

We use Wide ResNet 40-2 models (Zagoruyko & Komodakis, 2016) while varying the number of samples in Cifar-10. We sub-sample CIFAR-10 by factors of {1,2,5,8,10,20,40}\{1,2,5,8,10,20,40\} in Figure 1(a) and {1,2,5,8,10}\{1,2,5,8,10\} in Figure 1(b). We report results averaged from 2 trials for each sub-sample factor. All models are trained for 200 epochs with respect to the size of the labeled training dataset and all achieve almost 100% standard and robust training accuracy.

We evaluate the robustness of models to the strong PGD-attack with 4040 steps and 55 restarts. In Figure 1(b), we used a simple heuristic to set the regularization strength on unlabeled data λ\lambda in Equation (D.3.1) to be λ=min(0.9,p)\lambda=\min(0.9,p) where pp\in is the fraction of the original Cifar-10 dataset sampled. We set β=0.5\beta=0.5. Intuitively, we give more weight to the unlabeled data when the original dataset is larger, meaning that the standard estimator produces more accurate pseudo-labels.

Figure 9 shows that the robust accuracy of the RST model improves about 5-15% percentage points above the robust model (trained using PGD adversarial training) for all subsamples, including the full dataset (Tables 2,3).

We use a smaller model due to computational constraints enforced by adversarial training. Since the model is small, we could only fit adversarially augmented examples with small ϵ=2/255\epsilon=2/255, while existing baselines use ϵ=8/255\epsilon=8/255. Note that even for ϵ=2/255\epsilon=2/255, adversarial data augmentation leads to an increase in standard error. We show that RST can fix this. While ensuring models are robust is an important goal in itself, in this work, we view adversarial training through the lens of covariate-shifted data augmentation and study how to use augmented data without increasing standard error. We show that RST preserves the other benefits of some kinds of data augmentation like increased robustness to adversarial examples.

E.2.3 Adversarial and random rotation/translations

In Table 1 (right), we use RST for adversarial and random rotation/translations, denoting these transformations as xadvx_{\text{adv}} in Equation (D.3.1). The attack model is a grid of rotations of up to 30 degrees and translations of up to 10%\sim 10\% of the image size. The grid consists of 31 linearly spaced rotations and 5 linearly spaced translations in both dimensions. The Worst-of-10 model samples 10 uniformly random transformations of each input and augment with the one where the model performs the worst (causes an incorrect prediction, if it exists). The Random model samples 1 random transformation as the augmented input. All models (besides cited models) use the WRN-40-2 architecture and are trained for 200 epochs. We use the same hyperparameters λ,β\lambda,\beta as in E.2.2 for Equation (D.3.1).

Appendix F Comparison to standard self-training algorithms

The main objective of RST is to allow to perform robust training without sacrificing standard accuracy. This is done by regularizing an augmented estimator to provide labels close to a standard estimator on the unlabeled data. This is closely related to but different two broad kinds of semi-supervised learning.

Self-training (pseudo-labeling): Classical self-training does not deal with data augmentation or robustness. We view RST as a a generalization of self-training in the context of data augmentations. Here the pseudolabels are generated by a standard non-augmented estimator that is not trained on the labeled augmented points. In contrast, standard self-training would just use all labeled data to generate pseudo-labels. However, since some augmentations cause a drop in standard accuracy, and hence this would generate worse pseudo-labels than RST.

Robust consistency training: Another popular semi-supervised learning strategy is based on enforcing consistency in a model’s predictions across various perturbations of the unlabeled data (Miyato et al., 2018; Xie et al., 2019; Sajjadi et al., 2016; Laine & Aila, 2017)). RST is similar in spirit, but has an additional crucial component. We generate pseudo-labels first by performing standard training, and rather than enforcing simply consistency across perturbations, RST enforces that the unlabeled data and perturbations are matched with the pseudo-labels generated.

We begin with a 3-dimensional construction and then increase the number of dimensions. Let the domain of possible values be X={x1,x2,x3}\mathcal{X}=\{\mathbf{x_{1}},\mathbf{x_{2}},\mathbf{x_{3}}\} where

Define the data distribution through the generative process for the random feature vector x\mathbf{x}

where 0<δ<10<\delta<1 and ϵ>0\epsilon>0. Define the optimal linear predictor θ=1\theta^{\star}=\mathbf{1} to be the all-ones vector, such that in all cases, xθ=2+δ\mathbf{x}^{\top}\theta^{\star}=2+\delta. We define the consistent perturbations as

The augmented estimator will add all possible consistent perturbations of the training set as extra data XextX_{\text{ext}}. For example, if x1\mathbf{x_{1}} is in the training set, then the augmented estimator will add x2\mathbf{x_{2}} as extra data since x2T(x1)\mathbf{x_{2}}\in T(\mathbf{x_{1}}). The standard error is measured by mean squared error.

We give some intuition for how augmentation can hurt standard error in this 3-dimensional example. Define E1E_{1} to be the event that we draw nn samples with value x1\mathbf{x_{1}}. Given E1E_{1}, the standard and augmented estimators are

G.2 Construction for general d𝑑d

We construct the example by sampling x\mathbf{x} in 3 dimensions and then repeating the vector dd times. In particular, the samples are realizations of the random vector [x;x;x;;x][\mathbf{x};\mathbf{x};\mathbf{x};\dots;\mathbf{x}] which have dimension 3d3d and every block of 3 coordinates have the same values. Under this setup, we can show that there is a family of problems such that the difference between standard errors of the augmented and standard estimators grows to infinity as d,nd,n\rightarrow\infty.

Let the setting be defined as above, where the dimension dd and number of samples nn are such that n/dγn/d\rightarrow\gamma approaches a constant. Let p=1/d2p=1/d^{2}, ϵ=1/d3\epsilon=1/d^{3}, and δ\delta be a constant. Then the ratio between standard errors of the augmented and standard estimators grows as

We define an event where the augmented estimator has high error relative to the standard estimator and bound the ratio between the standard errors of the standard and augmented estimators given this event. Define E1E_{1} as the event that we have nn samples where all samples are [x1;x1;;x1][\mathbf{x_{1}};\mathbf{x_{1}};\dots;\mathbf{x_{1}}]. The standard and augmented estimators are the corresponding repeated versions

The event E1E_{1} occurs with probability (1p)n+(pϵ)n(1-p)^{n}+(p-\epsilon)^{n}. It is straightforward to verify that the respective standard errors are

and that the ratio between standard errors is

The ratio between standard errors is bounded by

as n,dn,d\rightarrow\infty, where we used Bernoulli’s inequality in the second to last step. ∎