Understanding and Mitigating the Tradeoff Between Robustness and Accuracy
Aditi Raghunathan, Sang Michael Xie, Fanny Yang, John Duchi, Percy Liang
Introduction
Adversarial training methods (Goodfellow et al., 2015; Madry et al., 2017) attempt to improve the robustness of neural networks against adversarial examples (Szegedy et al., 2014) by augmenting the training set (on-the-fly) with perturbed examples that preserve the label but that fool the current model. While such methods decrease the robust error, the error on worst-case perturbed inputs, they have been observed to cause an undesirable increase in the standard error, the error on unperturbed inputs (Madry et al., 2018; Zhang et al., 2019; Tsipras et al., 2019).
In this work, we provide a different explanation for the tradeoff between standard and robust error that takes generalization from finite data into account. We first consider a linear model where the true linear function has zero standard and robust error. Adversarial training augments the original training set with extra data, consisting of samples where the perturbations are consistent, meaning that the conditional distribution stays constant . We show that even in this simple setting, the augmented estimator, i.e. the minimum norm interpolant of the augmented data (standard + extra data), could have a larger standard error than that of the standard estimator, which is the minimum norm interpolant of the standard data alone. We found this surprising given that adding consistent perturbations enforces the predictor to satisfy invariances that the true model exhibits. One might think adding this information would only restrict the hypothesis class and thus enable better generalization, not worse.
We show that this tradeoff stems from overparameterization. If the restricted hypothesis class (by enforcing invariances) is still overparameterized, the inductive bias of the estimation procedure (e.g., the norm being minimized) plays a key role in determining the generalization of a model.
Figure 2 shows an illustrative example of this phenomenon with cubic smoothing splines. The predictor obtained via standard training (dashed blue) is a line that captures the global structure and obtains low error. Training on augmented data with locally consistent perturbations of the training data (crosses) restricts the hypothesis class by encouraging the predictor to fit the local structure of the high density points. Within this set, the cubic splines predictor (solid orange) minimizes the second derivative on the augmented data, compromising the global structure and performing badly on the tails (Figure 2(b)). More generally, as we characterize in Section 3, the tradeoff stems from the inductive bias of the minimum norm interpolant, which minimizes a fixed norm independent of the data, while the standard error depends on the geometry of the covariates.
Recent works (Carmon et al., 2019; Najafi et al., 2019; Uesato et al., 2019) introduced robust self-training (RST), a robust variant of self-training that overcomes the sample complexity barrier of learning a model with low robust error by leveraging extra unlabeled data. In this paper, our theoretical understanding of the tradeoff between standard and robust error in linear regression motivates RST as a method to improve robust error without sacrificing standard error. In Section 4.2, we prove that RST eliminates the tradeoff for linear regression—RST does not increase standard error compared to the standard estimator while simultaneously achieving the best possible robust error, matching the standard error (see Figure 2(c) for the effect of RST on the spline problem). Intuitively, RST regularizes the predictions of the robust estimator towards that of the standard estimator on the unlabeled data thereby eliminating the tradeoff.
As previous works only focus on the empirical evaluation of the gains in robustness via RST, we systematically evaluate the effect of RST on both the standard and robust error on Cifar-10 when using unlabeled data from Tiny Images as sourced in Carmon et al. (2019). We expand upon empirical results in two ways. First, we study the effect of the labeled training set sizes and and find that the RST improves both robust and standard error over vanilla adversarial training across all sample sizes. RST offers maximum gains at smaller sample sizes where vanilla adversarial training increases the standard error the most. Second, we consider an additional family of perturbations over random and adversarial rotation/translations and find that RST offers gains in both robust and standard error.
Setup
for consistent perturbations that satisfy
In this work, we focus on interpolating estimators in highly overparameterized models, motivated by modern machine learning models that achieve near zero training loss (on both standard and extra data). Interpolating estimators for linear regression have been studied in many recent works such as (Ma et al., 2018; Belkin et al., 2018; Hastie et al., 2019; Liang & Rakhlin, 2018; Bartlett et al., 2019). We present our results for interpolating estimators with minimum Euclidean norm, but our analysis directly applies to more general Mahalanobis norms via suitable reparameterization (see Appendix A).
Analysis in the linear regression setting
In this section, we compare the standard errors of the standard estimator and the augmented estimator in noiseless linear regression. We begin with a simple toy example that describes the intuition behind our results (Section 3.1) and provide a more complete characterization in Section 3.2. This section focuses only on the standard error of both estimators; we revisit the robust error together with the standard error in Section 4.
Suppose we augment with an extra data point which lies in (black dashed line in Figure 3). The augmented estimator still fits the standard data and thus . Due to fitting the extra data , (orange vector in Figure 3) must also satisfy an additional constraint . The crucial observation is that additional constraints along one direction ( in this case) could actually increase parameter error along other directions. For example, let’s consider the direction in Figure 3. Note that fitting makes have a large component along . Now if is small (precisely, ), has a larger parameter error along than , which was simply zero (Figure 3 (a)). Conversely, if the true component is large enough (precisely, ), the parameter error of along is smaller than that of .
The contribution of different components of the parameter error to the standard error is scaled by the population covariance (see Equation 4). For simplicity, let . In our example, the parameter error along is zero since both estimators interpolate the standard training point . Then, the ratio between and determines which component of the parameter error contributes more to the standard error.
Putting the two effects together, we see that when is small as in Fig 3(a), has larger parameter error than in the direction . If , error in is weighted much more heavily in the standard error and consequently would have a larger standard error. Precisely, we have
We present a formal characterization of this tradeoff in general in the next section.
2 General characterizations
In this section, we precisely characterize when the augmented estimator that fits extra training data points in addition to the standard points has higher standard error than the standard estimator that only fits . In particular, this enables us to understand when there is a “tradeoff” where the augmented estimator has lower robust error than by virtue of fitting perturbations, but has higher standard error. In Section 3.1, we illustrated how the parameter error of could be larger than in some directions, and if these directions are weighted heavily in the population covariance , the standard error of would be larger.
Formally, let us define the parameter errors and . Recall that the standard errors are
where is the population covariance of the underlying inputs drawn from .
To characterize the effect of the inductive bias of minimum norm interpolation on the standard errors, we define the following projection operators: , the projection matrix onto and , the projection matrix onto (see formal definition in Appendix B). Since and are minimum norm interpolants, and . Further, in noiseless linear regression, and have no error in the span of and respectively. Hence,
Our main result relies on the key observation that for any vector , can be decomposed into a sum of two orthogonal components and such that with and . This is because and thus . Now setting and using the error expressions in Equation 6 and Equation 7 gives a precise characterization of the difference in the standard errors of and .
The difference in the standard errors of the standard estimator and augmented estimator can be written as follows.
where and .
The proof of Theorem 1 is in Appendix B.3. The increase in standard error of the augmented estimator can be understood in terms of the vectors and defined in Theorem 1. The first term is always positive, and corresponds to the decrease in the standard error of the augmented estimator by virtue of fitting extra training points in some directions. However, the second term can be negative and intuitively measures the cost of a possible increase in the parameter error along other directions (similar to the increase along in the simple setting of Figure 3(a)). When the cost outweighs the benefit, the standard error of is larger. Note that both the cost and benefit is determined by which governs how the parameter error affects the standard error.
We can use the above expression (Theorem 1) for the difference in standard errors of and to characterize different “safe” conditions under which augmentation with extra data does not increase the standard error. See Appendix B.7 for a proof.
The following conditions are sufficient for , i.e. the standard error does not increase when fitting augmented data.
The population covariance is identity.
The augmented data spans the entire space, or equivalently .
We would like to draw special attention to the first condition. When , notice that the norm that governs the standard error (Equation 6) matches the norm that is minimized by the interpolants (Equation 5). Intuitively, the estimators have the “right” inductive bias; under this condition, the augmented estimator does not have higher standard error. In other words, the observed increase in the standard error of can be attributed to the “wrong” inductive bias. In Section 4, we will use this understanding to propose a method of robust training which does not increase standard error over standard training.
Finally, we relate the magnitude of increase in standard error of the augmented estimator to the complexity of the true model.
For a given ,
for some scalar that depends on .
Robust self-training
We now use insights from Section 3 to construct estimators with low robust error without increasing the standard error. While Section 3 characterized the effect of adding extra data in general, in this section we consider robust training which augments the dataset with extra data that are consistent perturbations of the standard training data .
Since the standard estimator has small standard error, a natural strategy to mitigate the tradeoff is to regularize the augmented estimator to be closer to the standard estimator. The choice of distance between the estimators we regularize is very important. Recall from Section 3.1 that the population covariance determines how the parameter error affects the standard error. This suggests using a regularizer that incorporates information about .
We first revisit the recently proposed robust self-training (RST) (Carmon et al., 2019; Najafi et al., 2019; Uesato et al., 2019) that incorporates additional unlabeled data via pseudo-labels from a standard estimator. Previous work only focused on the effectiveness of RST in improving the robust error. In Section 4.2, we prove that in linear regression, RST eliminates the tradeoff between standard and robust error (Theorem 2). The proof hinges on the connection between RST and the idea of regularizing towards the standard estimator discussed above. In particular, we show that the RST objective can be rewritten as minimizing a suitable -induced distance to the standard estimator.
We first describe the general two-step robust self-training (RST) procedure (Carmon et al., 2019; Uesato et al., 2019) for a parameteric model :
It is convenient to summarize the robust self-training estimator as the minimizer of a weighted combination of four separate losses as follows. We define the losses on the labeled dataset as
for fixed scalars .
2 Robust self-training for linear regression
We now return to the noiseless linear regression as described in Section 2 and specialize the general RST estimator described in Equation (10) to this setting. We prove that RST eliminates the decrease in standard error in this setting while achieving low robust error by showing that RST appropriately regularizes the augmented estimator towards the standard estimator.
Figure 5 shows the four losses of RST in this special case of linear regression.
Obtaining this specialized estimator from the general RST estimator in Equation (10) involves the following steps. First, for convenience of analysis, we assume access to the population covariance via infinite unlabeled data and thus replace the finite sample losses on the unlabeled data by their population losses . Second, the general RST objective minimizes some weighted combination of four losses. When specializing to the case of noiseless linear regression, since , rather than minimizing , we set the coefficients on the losses such that the estimator satisfies a hard constraint . This constraint which enforces interpolation on the labeled dataset allows us to rewrite the robust loss (Equation 9) on the labeled examples equivalently as a self-consistency loss defined independent of labels.
Since is invariant on perturbations by definition, we have and thus we introduce a constraint in the estimator.
For the losses on the unlabeled data, since the pseudo-labels are not perfect, we minimize in the objective instead of enforcing a hard constraint on . However, similarly to the robust loss on labeled data, we can reformulate the robust loss on unlabeled samples as a self-consistency loss that does not use pseudo-labels. By definition, and thus we enforce in the specialized estimator.
We now study the standard and robust error of the linear regression RST estimator defined above in Equation (4.2).
Assume the noiseless linear model . Let be an arbitrary interpolant of the standard data, i.e. . Then
Simultaneously, .
The crux of the proof is that the optimization objective of RST is an inductive bias that regularizes the estimator to be close to the standard estimator, weighing directions by their contribution to the standard error via . To see this, we rewrite
By incorporating an appropriate -induced regularizer while satisfying constraints on the robust losses, RST ensures that the standard error of the estimator never exceeds the standard error of . The robust error of any estimator is lower bounded by its standard error, and this gap can be arbitrarily large for the standard estimator. However, the robust error of the RST estimator matches the lower bound of its standard error which in turn is bounded by the standard error of the standard estimator and hence is small. To provide some graphical intuition for the result, see Figure 2 that visualizes the RST estimator on the cubic splines interpolation problem that exemplifies the increase in standard error upon augmentation. RST captures the global structure and obtains low standard error by matching (straight line) on unlabeled inputs. Simultaneously, RST enforces invariance on local transformations on both labeled and unlabeled inputs, and obtains low robust error by capturing the local structure across the domain.
The constraint on the standard loss on labeled data simply corresponds to interpolation on the standard labeled data. The constraints on the robust self-consistency losses involve a maximization over a set of transformations. In the case of linear regression, such constraints can be equivalently represented by a set of at most linear constraints, where is the dimension of the covariates. Further, with this finite set of constraints, we only require access to the covariance in order to constrain the population robust loss. Appendix D gives a practical iterative algorithm that computes the RST estimator for linear regression reminiscent of adversarial training in the semi-supervised setting.
3 Empirical evaluation of RST
Both RST+AT and RST+TRADES have lower robust and standard error than their supervised counterparts AT and TRADES across all perturbation types. This mirrors the theoretical analysis of RST in linear regression (Theorem 2) where the RST estimator has small robust error while provably not sacrificing standard error, and never obtaining larger standard error than the standard estimator.
Recall that our work motivates studying the tradeoff between robust and standard error while taking generalization from finite data into account. We showed that the gap in the standard error of a standard estimator and that of a robust estimator is large for small training set sizes and decreases as the labeled dataset is larger (Figure 1). We now study the effect of RST as we vary the training set size in Figure 6. We find that RST+AT has lower standard error than standard training across all sample sizes for small , while simultaneously achieving lower robust error than AT (see Appendix E.2.1). In the small data regime where vanilla adversarial training hurts the standard error the most, we find that RST+AT gives about 3x more absolute improvement than in the large data regime. We note that this set of experiments are complementary to the experiments in (Schmidt et al., 2018) which study the effect of the training set size only on robust error.
We also test the effect of RST on perturbations where robust training slightly improves standard error rather than hurting it. Since RST regularizes towards the standard estimator, one might suspect that the improvements from robust training disappear with RST. In particular, we consider spatial transformations that consist of simultaneous rotations and translations. We use two common forms of robust training for spatial perturbations, where we approximately maximize over with either adversarial (worst-of-10) or random augmentations (Yang et al., 2019; Engstrom et al., 2019). Table 1 (right) presents the results. In the regime where vanilla robust training does not hurt standard error, RST in fact further improves the standard error by almost 1% and the robust error by 2-3% over the standard and robust estimators for both forms of robust training. Thus in settings where vanilla robust training improves standard error, RST seems to further amplify the gains while in settings where vanilla robust training hurts standard error, RST mitigates the harmful effect.
The RST estimator minimizes both a robust loss and a standard loss on the unlabeled data with pseudo-labels (bottom row, Figure 5). Both of these losses are necessary to simultaneously the standard and robust error over vanilla supervised robust training. Standard self-training, which only uses standard loss on unlabeled data, has very high robust error (). Similarly, Robust Consistency Training, an extension of Virtual Adversarial Training (Miyato et al., 2018) that only minimizes a robust self-consistency loss on unlabeled data, marginally improves the robust error but actually hurts standard error (Table 1).
Related Work
In concurrent and independent work, Min et al. (2020) also study the effect of dataset size on the tradeoff. They prove that in a “strong adversary” regime, there is a tradeoff even with infinite data, as the perturbations are large enough to change the ground truth target. They also identify a “weak adversary” regime (smaller perturbations) where the gap in standard error between robust and standard estimators first increases and then decreases, with no tradeoff in the infinite data limit. Similar to our work, this provides an example of a tradeoff due to generalization from finite data. However, their experimental validation of the tradeoff trends is restricted to simulated settings and they do not study how to mitigate the tradeoff.
To the best of our knowledge, ours is the first work that theoretically studies how to mitigate the tradeoff between standard and robust error. While robust self-training (RST) was proposed in recent works (Carmon et al., 2019; Najafi et al., 2019; Uesato et al., 2019) as a way to improve robust error, we prove that RST eliminates the tradeoff between standard and robust error in noiseless linear regression and systematically study the effect on RST on the tradeoff with several different perturbations and adversarial training algorithms on Cifar-10.
Interpolated Adversarial Training (IAT) (Lamb et al., 2019) and Neural Architecture Search (NAS) (Cubuk et al., 2017) were proposed to mitigate the tradeoff bbetween standard and robust error empirically. IAS considers a different training algorithm based on Mixup, NAS (Cubuk et al., 2017) uses RL to search for more robust architectures. In Table 1, we also report the standard and robust errors of these methods. RST, IAT and NAS are incomparable as they find different tradeoffs between standard and robust error. Recently, Xie et al. (2020) showed that adversarial training with appropriate batch normalization (AdvProp) with small perturbations can actually improve standard error. However, since they only aim to improve and evaluate the standard error, it is unclear if the robust error improves. We believe that since RST provides a complementary statistical perspective on the tradeoff, it can be combined with methods like IAT, NAS or AdvProp to see further gains in standard and robust errors. We leave this to future work.
Conclusion
We study the commonly observed increase in standard error upon adversarial training due to generalization from finite data in a well-specified setting with consistent perturbations. Surprisingly, we show that methods that augment the training data with consistent perturbations, such as adversarial training, can increase the standard error even in the simple setting of noiseless linear regression where the true linear function has zero standard and robust error. Our analysis reveals that the mismatch between the inductive bias of models and the underlying distribution of the inputs causes the standard error to increase even when the augmented data is perfectly labeled. This insight motivates a method that provably eliminates the tradeoff in linear regression by incorporating an appropriate regularizer that utilizes the distribution of the inputs. While not immediately apparent, we show that this is a special case of the recently proposed robust self-training (RST) procedure that uses additional unlabeled data to estimate the distribution of the inputs. Previous works view RST as a method to improve the robust error by increasing the sample size. Our work provides some theoretical justification for why RST improves both the standard and robust error, thereby mitigating the tradeoff between accuracy and robustness. How to best utilize unlabeled data, and whether sufficient unlabeled data can completely eliminate the tradeoff remain open questions.
We are grateful to Tengyu Ma, Yair Carmon, Ananya Kumar, Pang Wei Koh, Fereshte Khani, Shiori Sagawa and Karan Goel for valuable discussions and comments. This work was funded by an Open Philanthropy Project Award and NSF Frontier Award as part of the Center for Trustworthy Machine Learning (CTML). AR was supported by Google Fellowship and Open Philanthropy AI Fellowship. SMX was supported by an NDSEG Fellowship. FY was supported by the Institute for Theoretical Studies ETH Zurich and the Dr. Max Rossler and the Walter Haefner Foundation. FY and JCD were supported by the Office of Naval Research Young Investigator Awards.
References
Appendix A Transformations to handle arbitrary matrix norms
Consider a more general minimum norm estimator of the following form. Given inputs and corresponding targets as training data, we study the interpolation estimator,
Appendix B Standard error of minimum norm interpolants
The projection operators and are formally defined as follows.
B.2 Invariant transformations may have arbitrary nullspace components
B.3 Proof of Theorem 1
by decomposition of where and . Note that the error difference does scale with , although the sign of the difference does not.
B.4 Proof of Corollary 1
Corollary 1 presents three sufficient conditions under which the standard error of the augmented estimator is never larger than the standard error of the standard estimator .
When the population covariance , from Theorem 1, we see that
since and are orthogonal.
When , the vector in Theorem 1 is , and hence we get
We prove the eigenvector condition in Section B.7 which studies the effect of augmenting with a single extra point in general.
B.5 Proof of Proposition 1
The proof of Proposition 1 is based on the following two lemmas that are also useful for characterization purposes in Corollary 2.
If a PSD matrix has non-equal eigenvalues, one can find two unit vectors for which the following holds
Hence, there exists a combination of original and augmentation dataset such that condition (19) holds for two directions and .
Note that neither nor can be eigenvectors of in order for both conditions in equation (19) to hold. Given a population covariance, fixed original and augmentation data for which condition (19) holds, we can now explicitly construct for which augmentation increases standard error.
where are constants that depend on .
Proposition 1 follows directly from the second statement of Lemma 2 by minimizing the bound (20) with respect to which is a free parameter to be chosen during construction of (see proof of Lemma (2). The minimum is attained for . We hence conclude that needs to be sufficiently more complex than a good standard solution, i.e. where is a constant that depends on the .
B.6 Proof of technical lemmas
In this section we prove the technical lemmas that are used to prove Theorem 1.
Any vector can be decomposed into orthogonal components . Using the minimum-norm property, we can then always decompose the (rotated) augmented estimator and true parameter by
where we define “ext” as the set of basis vectors which span and respectively “rest” for . Requiring the standard error increase to be some constant can be rewritten using identity (16) as follows
The left hand side of equation (21) is always positive, hence it is necessary for this equality to hold with any , that there exists at least one pair such that and one direction of the iff statement is proved.
For the other direction, we show that if there exist and for which condition (19) holds (wlog we assume that the ) we can construct a for which the inequality (8) in Theorem 1 holds as follows:
It is then necessary by our assumption that for at least some . We can then set such that , i.e. that the augmented estimator is not equal to the standard estimator (else obviously there can be no difference in error and equality (21) cannot be satisfied for any desired error increase ).
The choice of minimizing that also satisfies equation (21) is an appropriately scaled vector in the direction of where we define and . Defining for convenience and then setting
which is well-defined since , yields a such that augmentation increases standard error. It is thus necessary for that
By assuming existence of such that , we are guaranteed that .
Note due to construction we have and plugging in the choice of in equation (22) we have
Setting , yields the result.
B.6.2 Proof of Lemma 1
Let be the non-zero eigenvalues of and be the corresponding eigenvectors. Then choose to be any combination of the eigenvectors where where at least for . We next construct by choosing as follows such that the inequality in (19) holds:
and for . Then we have that and hence . Simultaneously
which concludes the proof of the first statement.
We now prove the second statement by constructing using . We can then obtain using any standard decomposition method to obtain . We construct using . Without loss of generality, we can make them simultaneously diagonalizable. We construct a set of eigenvectors that is the same for both matrices paired with different eigenvalues. Let the shared eigenvectors include . Then if we set the corresponding eigenvalues and , then such that and . This shows the second statement. With this, we can design a for which augmentation increases standard error as in Lemma 2.
B.7 Characterization Corollary 2
A simpler case to analyze is when we only augment with one extra data point. The following corollary characterizes which single augmentation directions lead to higher prediction error for the augmented estimator.
The following characterizations hold for augmentation directions that do not cause the standard error of the augmented estimator to be higher than the original estimator.
(in terms of ratios of inner products) For a given , data augmentation does not increase the standard error of the augmented estimator for a single augmentation direction if
(in terms of eigenvectors) Data augmentation does not increase standard error for any if is an eigenvector of . However if one augments in the direction of a mixture of eigenvectors of with different eigenvalues, there exists such that augmentation increases standard error.
(depending on well-conditioning of ) If and is an eigenvector of , then no augmentations increase standard error.
The form in Equation (23) compares ratios of inner products of and in two spaces: the one in the numerator is weighted by whereas the denominator is the standard inner product. Thus, if scales and rotates rather inhomogeneously, then augmenting with may hurt standard error. Here again, if for , then the condition must hold.
Note that for a single augmentation point , the orthogonal decomposition of into and is defined by and respectively. Plugging back into into identity (16) then yields the following condition for safe augmentations:
Rearranging the terms yields inequality (23).
Safe augmentation directions for specific choices of and are illustrated in Figure 3.
B.7.2 Proof of Corollary 2 (b)
Assume that is an eigevector of with eigenvalue . We have
for any . Hence by Corollary 2 (a), the standard error doesn’t increase by augmenting with eigenvectors of for any .
When the single augmentation direction is not an eigenvector of , by Lemma 1 one can find such that . The proof in Lemma 1 gives an explicit construction for such that condition (19) holds and the result then follows directly by Lemma 2.
B.7.3 Proof of Corollary 2 (c)
Suppose for some . Then starting with the expression (23),
by applying . Thus when is an eigenvector of , there are no augmentations that increase the standard error.
Appendix C Details for spline staircase
We describe the data distribution, augmentations, and model details for the spline experiment in Figure 1 and toy scenario in Figure 2. Finally, we show that we can construct a simplified family of spline problems where the ratio between standard errors of the augmented and standard estimators increases unboundedly as the number of stairs.
We describe the data distribution in terms of the one-dimensional input , and by the one-to-one correspondence with spline basis features , this also defines the distribution of spline features . Let define a distribution over where is the probability simplex of dimension . We define the data distribution with the following generative process for one sample . First, sample a point from according to the categorical distribution described by , such that . Second, sample by perturbing with probability such that
The sampled is in with probability and with probability , where we choose to be small.
C.2 Spline model
Our hypothesis class is the family of cubic B-splines as defined in (Friedman et al., 2001). Cubic B-splines are piecewise cubic functions, where the endpoints of each cubic function are called the knots. In our example, we fix the knots to be , which places a knot on every point in . This ensures that the function class contains an interpolating function on all , i.e. for some ,
for the standard estimator and the corresponding augmented problem to obtain the augmented estimator.
C.3 Evaluating Corollary 2 (a) for splines
In the spline staircase, the local perturbations can be thought of as fitting high frequency noise in the function space, where fitting them causes a global change in the function.
Suppose the original training set consists of two points, . We study the effect of augmenting point in terms of above. First, we find that the first two eigenvectors corresponding to linear functions satisfy . Intuitively, this is because the standard estimator is linear. For ease of visualization, we consider the 2D space in spanned by (global direction, low frequency) and (local direction, high frequency). The matrix projects onto this space. Note that the same results hold when projecting onto all in .
In terms of the simple 3-D example in Section 3.1, the global direction corresponds to the costly direction with large eigenvalue, as changes in global structure heavily affect the standard error. Figure 8 plots the projections and for different . When has high frequency variations and is complex, is aligned with the local dimension. For immediately local to training points, the projection (orange vector in Figure 8) has both local and global components. Augmenting these local perturbations introduces error in the global component. For other farther from training points, (blue vector in Figure 8) is almost entirely global and perpendicular to , leaving bias unchanged. Thus, augmenting data close to original data cause estimators to fit local components at the cost of the costly global component which changes overall structure of the predictor like in Figure 2(middle). The choice of inductive bias in the –norm being minimized results in eigenvectors of that correspond to local and global components, dictating this tradeoff.
C.4 Data augmentation can be quite painful for splines
We construct a family of spline problems such that as the number the augmented estimator has much higher error than the standard estimator. We assume that our predictors are from the full family of cubic splines.
We define a modified domain with continuous intervals . Considering only which is a multiple of 2, we sample the original data set as described in Section C.1 with the following probability mass :
for . We define a probability distribution on for a random variable by setting where and the -dependent perturbation is defined as
We obtain the training dataset by sampling .
Consider a modified augmented estimator for the splines problem, where for each point we augment with the entire interval with and the estimator is enforced to output for all in the interval . Additionally, suppose that the ratio between the number of stairs and the number of samples is constant.
In this simplified setting, we can show that the standard error of the augmented estimator grows while the standard error of the standard estimator decays to 0.
Let the setting be defined as above. Then with the choice of and for a constant , the ratio between standard errors is lower bounded as
which goes to infinity as . Furthermore, as .
We first lower bound the standard error of the augmented estimator. Define as the event that only the lower half of the stairs is sampled, i.e. , which occurs with probability . Let be the largest “stair” value seen in the training set. Note that the min-norm augmented estimator will extrapolate with zero derivative for . This is because on the interval , the augmented estimator is forced to have zero derivative, and the solution minimizing the second derivative of the prediction continues with zero derivative for all . In the event , , where achieves the lowest error in this event. As a result, on the points in the second half of the staircase, i.e. , the augmented estimator incurs large error:
Therefore the standard error of the augmented estimator is bounded by
where in the first line, we note that the error on each interval is the same and the probability of each interval is .
Next we upper bound the standard error of the standard estimator. Define to be the event where all points are sampled from , which occurs with probability . In this case, the standard estimator is linear and fits the points on with zero error, while incurring error for all points not in . Note that the probability density of sampling a point not in is either or , which we upper bound as .
Therefore for event , the standard error is bounded as
since for . For the complementary event , note that cubic spline predictors can grow only as , with error at most . Therefore the standard error for case is bounded as
Thus overall, and combining the bounds yields the result. ∎
Appendix D Robust Self-Training
We define the linear robust self-training estimator from Equation (4.2) and expand all the terms.
Notice that for unlabeled components of the estimator, we assume access to the data distribution and thus optimize the population quantities.
As we show in the next subsection, we can rewrite the robust self-training estimator into the following reduced form, more directly connecting to the general analysis of adding extra data in min-norm linear regression.
for the appropriate choice of , as shown in Section D.1. Here, we can interpret as the difference between the perturbed inputs and original inputs. These are perturbations which we want the model to be invariant to, and hence output zero.
We give an algorithm for constructing which enforces the population robustness constraints. Suppose we are given , the population covariance of . In robust self-training, we enforce that the model is consistent over perturbations of the labeled data and (infinite) unlabeled data. To do this, we add linear constraints of the form , where for all . We can view these linear constraints as augmenting the dataset with input-target pairs where . By assumption, so these augmentations fit into our data augmentation framework.
However, when we enforce these constraints over the entire population or when there are an infinite number of transformations in , a naive implementation requires augmenting with infinitely many points. Noting that the space of augmentations satisfying is a linear subspace, we can instead summarize the augmentations with a basis that spans the transformations. Let the space of perturbations be . Note that this space of perturbations also contains perturbations of the original data if is in the support of . If is not in the support of , the behavior of the estimator on these points do not affect standard or robust error. Assuming that we can efficiently optimize over , we construct the basis by an iterative procedure reminiscent of adversarial training.
Set . Initialize and as an empty matrix.
At iteration , solve for . If the objective is unbounded, choose any such that .
If , stop and return .
Otherwise, add as a row in . Increment and let solve (31) with .
In each iteration, we search for a perturbation that the current is not invariant to. If we can find such a perturbation, we add it to the constraint set in . We stop when we cannot find such a perturbation, implying that the rows of and span . The final RST estimator solves (31) using returned from this procedure.
This procedure terminates within iterations. To see this, note that is orthogonal to all rows of . Any vector in the span of is orthogonal to . Thus, if , then must not be in the span of . At most such new directions can be added until is full rank. When is full rank, must hold and the algorithm terminates.
D.2 Proof of Theorem 2
In this section, we prove Theorem 2, which we reproduce here. See 2
We work with the RST estimator in the form from Equation (31). We note that our result applies generally to any extra data . We define . Let be an orthonormal basis of the kernel and be an orthonormal basis for . Let and be the linear operators defined by and , respectively, noting that . Defining to be the projection onto the null space of , we see that there are unique vectors such that
Using the representations (32) we may provide an alternative formulation for the augmented estimator (D), using this to prove the theorem. Indeed, writing , we immediately have that the estimator has the form (32c), with the choice
The optimality conditions for this quadratic imply that
Now, recall that the standard error of a vector is , using Mahalanobis norm notation. In particular, a few quadratic expansions yield
where step used that from the optimality conditions (33).
Finally, we consider the rightmost term in equality (34). Again using the optimality conditions (33), we have
by Cauchy-Schwarz. Revisiting equality (34), we obtain
where we used that by assumption. Since , has perfect consistency, achieving the lowest possible robust error (matching the standard error). ∎
D.3 Different instantiations of the general RST procedure
In the first variant, RST + PG-AT, we use multiclass logistic loss (cross-entropy) as the standard loss. The robust loss is the maximum cross-entropy loss between any perturbed input (within the set of tranformations ) and the label (pseudo-label in the case of unlabeled data). We set the weights such that the estimator can be written as follows.
D.3.2 TRADES
Appendix E Experimental Details
For spline simulations in Figure 2 and Figure 1, we implement the optimization of the standard and robust objectives using the basis described in (Friedman et al., 2001). The penalty matrix computes second-order finite differences of the parameters . We solve the min-norm objective directly using CVXPY (Diamond & Boyd, 2016). Each point in Figure 1(a) represents the average standard error over 25 trials of randomly sampled training datasets between and samples. Shaded regions represent 1 standard deviation.
E.2 RST experiments
We compare the standard error of the augmented estimator with an estimator trained using RST. We apply RST to adversarial training algorithms in Cifar-10 using 500k unlabeled examples sourced from Tiny Images, as in (Carmon et al., 2019).
We use Wide ResNet 40-2 models (Zagoruyko & Komodakis, 2016) while varying the number of samples in Cifar-10. We sub-sample CIFAR-10 by factors of in Figure 1(a) and in Figure 1(b). We report results averaged from 2 trials for each sub-sample factor. All models are trained for 200 epochs with respect to the size of the labeled training dataset and all achieve almost 100% standard and robust training accuracy.
We evaluate the robustness of models to the strong PGD-attack with steps and restarts. In Figure 1(b), we used a simple heuristic to set the regularization strength on unlabeled data in Equation (D.3.1) to be where is the fraction of the original Cifar-10 dataset sampled. We set . Intuitively, we give more weight to the unlabeled data when the original dataset is larger, meaning that the standard estimator produces more accurate pseudo-labels.
Figure 9 shows that the robust accuracy of the RST model improves about 5-15% percentage points above the robust model (trained using PGD adversarial training) for all subsamples, including the full dataset (Tables 2,3).
We use a smaller model due to computational constraints enforced by adversarial training. Since the model is small, we could only fit adversarially augmented examples with small , while existing baselines use . Note that even for , adversarial data augmentation leads to an increase in standard error. We show that RST can fix this. While ensuring models are robust is an important goal in itself, in this work, we view adversarial training through the lens of covariate-shifted data augmentation and study how to use augmented data without increasing standard error. We show that RST preserves the other benefits of some kinds of data augmentation like increased robustness to adversarial examples.
E.2.3 Adversarial and random rotation/translations
In Table 1 (right), we use RST for adversarial and random rotation/translations, denoting these transformations as in Equation (D.3.1). The attack model is a grid of rotations of up to 30 degrees and translations of up to of the image size. The grid consists of 31 linearly spaced rotations and 5 linearly spaced translations in both dimensions. The Worst-of-10 model samples 10 uniformly random transformations of each input and augment with the one where the model performs the worst (causes an incorrect prediction, if it exists). The Random model samples 1 random transformation as the augmented input. All models (besides cited models) use the WRN-40-2 architecture and are trained for 200 epochs. We use the same hyperparameters as in E.2.2 for Equation (D.3.1).
Appendix F Comparison to standard self-training algorithms
The main objective of RST is to allow to perform robust training without sacrificing standard accuracy. This is done by regularizing an augmented estimator to provide labels close to a standard estimator on the unlabeled data. This is closely related to but different two broad kinds of semi-supervised learning.
Self-training (pseudo-labeling): Classical self-training does not deal with data augmentation or robustness. We view RST as a a generalization of self-training in the context of data augmentations. Here the pseudolabels are generated by a standard non-augmented estimator that is not trained on the labeled augmented points. In contrast, standard self-training would just use all labeled data to generate pseudo-labels. However, since some augmentations cause a drop in standard accuracy, and hence this would generate worse pseudo-labels than RST.
Robust consistency training: Another popular semi-supervised learning strategy is based on enforcing consistency in a model’s predictions across various perturbations of the unlabeled data (Miyato et al., 2018; Xie et al., 2019; Sajjadi et al., 2016; Laine & Aila, 2017)). RST is similar in spirit, but has an additional crucial component. We generate pseudo-labels first by performing standard training, and rather than enforcing simply consistency across perturbations, RST enforces that the unlabeled data and perturbations are matched with the pseudo-labels generated.
We begin with a 3-dimensional construction and then increase the number of dimensions. Let the domain of possible values be where
Define the data distribution through the generative process for the random feature vector
where and . Define the optimal linear predictor to be the all-ones vector, such that in all cases, . We define the consistent perturbations as
The augmented estimator will add all possible consistent perturbations of the training set as extra data . For example, if is in the training set, then the augmented estimator will add as extra data since . The standard error is measured by mean squared error.
We give some intuition for how augmentation can hurt standard error in this 3-dimensional example. Define to be the event that we draw samples with value . Given , the standard and augmented estimators are
G.2 Construction for general d𝑑d
We construct the example by sampling in 3 dimensions and then repeating the vector times. In particular, the samples are realizations of the random vector which have dimension and every block of 3 coordinates have the same values. Under this setup, we can show that there is a family of problems such that the difference between standard errors of the augmented and standard estimators grows to infinity as .
Let the setting be defined as above, where the dimension and number of samples are such that approaches a constant. Let , , and be a constant. Then the ratio between standard errors of the augmented and standard estimators grows as
We define an event where the augmented estimator has high error relative to the standard estimator and bound the ratio between the standard errors of the standard and augmented estimators given this event. Define as the event that we have samples where all samples are . The standard and augmented estimators are the corresponding repeated versions
The event occurs with probability . It is straightforward to verify that the respective standard errors are
and that the ratio between standard errors is
The ratio between standard errors is bounded by
as , where we used Bernoulli’s inequality in the second to last step. ∎