Shedding More Light on Robust Classifiers Under the Lens of Energy-Based Models

Abstract

By reinterpreting a robust discriminative classifier as an Energy-based Model (EBM), we offer a new take on the dynamics of adversarial training (AT). Our analysis of the energy landscape during AT reveals that untargeted attacks generate adversarial images much more in-distribution (lower energy) than the original data from the point of view of the model. Conversely, we observe the opposite for targeted attacks. On the basis of our thorough analysis, we present new theoretical and practical results that show how interpreting AT energy dynamics unlocks a better understanding: (1) AT dynamics are governed by three phases, and robust overfitting occurs in the third phase with a drastic divergence between natural and adversarial energies; (2) by rewriting the loss of TRadeoff-inspired Adversarial DEfense via Surrogate-loss minimization (TRADES) in terms of energies, we show that TRADES implicitly alleviates overfitting by means of aligning the natural energy with the adversarial one; (3) we empirically show that all recent state-of-the-art robust classifiers are smoothing the energy landscape, and we reconcile a variety of studies about understanding AT and weighting the loss function under the umbrella of EBMs. Motivated by rigorous evidence, we propose Weighted Energy Adversarial Training (WEAT), a novel sample weighting scheme that yields robust accuracy matching the state-of-the-art on multiple benchmarks such as CIFAR-10 and SVHN and going beyond it on CIFAR-100 and Tiny-ImageNet. We further show that robust classifiers vary in the intensity and quality of their generative capabilities, and offer a simple method to push this capability, reaching a remarkable Inception Score (IS) and FID using a robust classifier without training for generative modeling.

Publication
European Conference on Computer Vision (ECCV)
Mirza Mujtaba Hussain
PhD Student

Hi there! 👋 I’m Hussain, a Ph.D. student at Sapienza University. Currently I’m diving into Adversarial Machine Learning and Explainable AI to find practical solutions for real-world challenges. My goal is to use AI to make a positive impact on our society.

Maria Rosaria Briglia
PhD Student

Hello everyone! My name is Maria Rosaria, a Ph.D. student in AI Security, based in Sapienza University. My main research interest is in developing adversarial techniques in the generative AI domain, with a particular focus on Diffusion Model’s technology, and applying them also to the world of Explainable AI. My main research topics are Diffusion Models, Adversarial Machine Learning and Explainable AI by counterfactual examples.

Senad Beadini
Machine Learning Engineer and AI Researcher

Research Engineer at Eustema s.p.a.

Iacopo Masi
Associate Professor (PI)

My research interests include computer vision, biometrics, AI.