On the Sensitivity of Adversarial Robustness to Input Data Distributions
Abstract
Neural networks are vulnerable to small adversarial perturbations. While the existing literature has largely focused on the vulnerability of learned models, we demonstrate an intriguing phenomenon: adversarial robustness, unlike clean accuracy, is sensitive to the input data distribution. Even a semantics-preserving transformation of the input data distribution can cause significantly different robustness for an adversarially trained model that is both trained and evaluated on the new distribution. We show this by constructing semantically identical variants of MNIST and CIFAR10 respectively, and show that standardly trained models achieve similar clean accuracies on them, while adversarially trained models achieve significantly different robust accuracies. This counter-intuitive phenomenon indicates that the input data distribution alone, not necessarily the task itself, can affect the adversarial robustness of trained neural networks. The full paper (ICLR 2019) can be found at https://openreview.net/forum?id=S1xNEhR9KX.
Cite
Text
Ding et al. "On the Sensitivity of Adversarial Robustness to Input Data Distributions." IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops, 2019.
Markdown
[Ding et al. "On the Sensitivity of Adversarial Robustness to Input Data Distributions." IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops, 2019.](https://mlanthology.org/cvprw/2019/ding2019cvprw-sensitivity/)
BibTeX
@inproceedings{ding2019cvprw-sensitivity,
title = {{On the Sensitivity of Adversarial Robustness to Input Data Distributions}},
author = {Ding, Gavin Weiguang and Lui, Kry Yik Chau and Jin, Xiaomeng and Wang, Luyu and Huang, Ruitong},
booktitle = {IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops},
year = {2019},
pages = {13-16},
url = {https://mlanthology.org/cvprw/2019/ding2019cvprw-sensitivity/}
}