Robustness has become one of the most desired properties in machine learning (ML) models due to their increasing adoption in safety- and security-sensitive settings. Most attempts to train models that are robust against adversarial manipulation rely on expensive robust optimization and a large amount of data. As a result, they are difficult to scale and yield limited improvement, especially when data are scarce. This work addresses these issues with a novel solution that incorporates human-guided knowledge into the architecture design and the training objectives. As a first step, we propose part-based models, which first recognize the parts that make up specific objects and then combine this high-level information to make a final prediction. Our model aligns better with human perception because it incorporates a hierarchical structure that recognizes simple shapes and parts before moving up to complex objects. This structure also reduces the complexity of the overall task, allowing the model to be smaller and less data-hungry, which in turn makes adversarial training more efficient and effective. Additionally, our defense can make use of orthogonal advances in robust training and sheds light on a broader scientific question around inductive bias in deep learning.
Findings, Papers, and Presentations
- Demystifying the Adversarial Robustness of Random Transformation Defenses
  - Presented at 9th International Conference on Machine Learning
  - Best Paper at AAAI-2022 Workshop on Adversarial Machine Learning and Beyond (Oct 2022)