Improving Out-of-Distribution Generalization by Adversarial Training with Structured Priors Qixun Wang1Yifei Wang2Hong Zhu3Yisen Wang14y

2025-04-26 0 0 956.17KB 20 页 10玖币
侵权投诉
Improving Out-of-Distribution Generalization by
Adversarial Training with Structured Priors
Qixun Wang1* Yifei Wang 2Hong Zhu3Yisen Wang1,4
1Key Lab. of Machine Perception (MoE),
School of Intelligence Science and Technology, Peking University
2School of Mathematical Sciences, Peking University
3Huawei Noah’s Ark Lab
4Institute for Artificial Intelligence, Peking University
Abstract
Deep models often fail to generalize well in test domains when the data distribution
differs from that in the training domain. Among numerous approaches to address
this Out-of-Distribution (OOD) generalization problem, there has been a growing
surge of interest in exploiting Adversarial Training (AT) to improve OOD perfor-
mance. Recent works have revealed that the robust model obtained by conducting
sample-wise AT also retains transferability to biased test domains. In this paper,
we empirically show that sample-wise AT has limited improvement on OOD per-
formance. Specifically, we find that AT can only maintain performance at smaller
scales of perturbation while Universal AT (UAT) is more robust to larger-scale per-
turbations. This provides us with clues that adversarial perturbations with universal
(low dimensional) structures can enhance the robustness against large data distribu-
tion shifts that are common in OOD scenarios. Inspired by this, we propose two
AT variants with low-rank structures to train OOD-robust models. Extensive exper-
iments on DomainBed benchmark show that our proposed approaches outperform
Empirical Risk Minimization (ERM) and sample-wise AT. Our code is available at
https://github.com/NOVAglow646/NIPS22-MAT-and-LDAT-for-OOD.
1 Introduction
Existing deep learning methods have achieved good performance on visual classification tasks under
the same distribution of training sets and test sets. However, when the data distribution of the test set
is different from that of the training set, the classification performance of the deep neural networks
(DNNs) may decrease sharply [
1
]. This is mainly because DNNs may capture spurious features
such as the background and style information to assist the fast fitting during the training process [
2
].
However, in real-world scenarios, test data may differ from training data in the background and style
information, thus DNNs that rely on unstable spurious features to make predictions will fail. Solving
the above problem is known as the out-of-distribution (OOD) generalization.
Another scenario where DNNs may fail is that they are often vulnerable to adversarial examples [
3
].
Adversarial training (AT) is originally proposed as an effective way to defend against adversarial
attacks [
4
]. Moreover, there is work showing that adversarial training helps to solve the OOD
generalization problem because OOD data can be seen as stronger perturbations to some extent [
5
].
The reason why AT can defend against adversarial attacks meanwhile benefit OOD generalization is
that it can make DNNs robust to the interference of spurious features, such as randomly injected noise
Equal Contribution.
Corresponding author: Yisen Wang (yisen.wang@pku.edu.cn).
36th Conference on Neural Information Processing Systems (NeurIPS 2022).
arXiv:2210.06807v1 [cs.LG] 13 Oct 2022
(in adversarial examples) or the spurious correlation between labels and background information (in
OOD generalization). In other words, AT enables DNNs to make predictions using intrinsic features
rather than spurious features.
A potential problem, however, is that existing AT methods ignore the specific design of perturbations
when used for solving OOD generalization problems. They usually simply conduct sample-wise AT
[
6
], which only brings limited performance improvement to OOD generalization. The essential reason
for the failure of this type of approach is that the perturbations it uses cannot distinguish invariant and
spurious features. As a result, it improves the robustness at the expense of the decreasing standard
accuracy [
7
]. Moreover, we empirically find that when adapting Universal AT (UAT [
8
]) to OOD
problems, i.e., conducting AT with domain-wise perturbations, it shows stronger input-robustness
when facing larger-scale perturbations compared to the sample-wise AT (see Section 3.2). Since
the sample injected with large-scale perturbations can be regarded as OOD samples [
5
], we draw
inspiration from this phenomenon that AT with universal (low-dimensional) structures can be the
key to solving OOD generalization. Therefore, we propose to use structured low-rank perturbations
related to domain information in AT, which can help the model to filter out background and style
information, thus benefiting OOD generalization. We make the following contributions in our work:
We identify the limitations of sample-wise AT on OOD generalization through a series of
experiments. To alleviate this problem, we further propose two simple but effective AT
variants with structured priors to improve OOD performances.
We theoretically prove that our proposed structured AT approach can accelerate the conver-
gence of reliance on spurious features to 0 when using finite-time-stopped gradient descent,
thus enhancing the robustness of the model against spurious correlations.
By conducting experiments on the DomainBed benchmark [
9
], we demonstrate that our
methods outperform ERM and sample-wise AT on various OOD datasets.
2 Related Work
Solving OOD Generalization with AT.
According to [
3
], the performance of deep models is sus-
ceptible to small-scale perturbations injected in the input images, even if these perturbations are
imperceptible to humans. Adversarial training (AT) is an effective approach to improve the robust-
ness to input perturbations [
4
,
10
,
11
]. However, many recent works have begun to focus on the
connection between AT and OOD due to the fact that OOD data can be regarded as one kind of
large-scale perturbation. These works seek to exploit the robustness provided by AT to improve OOD
generalization. For instance, [
6
] applied sample-wise AT to OOD generalization. They theoretically
found that if a model is robust to input perturbation on training samples, it also generalizes well on
OOD data. [
5
] theoretically established a link between the objective of AT and the OOD robustness.
They revealed that the AT procedure can be regarded as a heuristic solution to the worst-case problem
around the training domain distribution. Nevertheless, the discussion of [
6
] and [
5
] is restricted to
the framework of using Wasserstein distance to measure the distribution shift, which is less practical
for the real-world OOD setting where domain shifts are diverse. Additionally, they only studied
the case of sample-wise AT and did not further investigate the effect of different forms of AT (not
sample-wise) on OOD performance. Other works such as [
12
] focus on the structure design of
the perturbations. They used multi-scale perturbations within one sample, but they did not exploit
the universal information within one training domain. In our work, we focus on real-world OOD
scenarios where there are additional clues lying in the distribution shifts, i.e, the low-rank structures
in the spurious features (such as background and style information) across one domain. We further
design a low-rank structure in the perturbations to specifically eliminate such low-rank spurious
correlations.
OOD Evaluation Benchmark.
The DomainBed benchmark [
9
] provides a fair way of evaluating
different state-of-the-art OOD methods, which has been widely accepted by the community. By
conducting rigorous experiments in a consistent setting, they revealed that many algorithms that
claim to outperform previous methods cannot even outperform ERM. Unlike previous works using
AT to address OOD generalization, such as [
6
] and [
5
], we adopt the Domainbed benchmark for a
fair comparison of our approach with existing state-of-the-art methods in this paper.
2
3 Weakness of Sample-wise AT for OOD Generalization
3.1 Preliminaries
Out-of-distribution (OOD) Generalization
. Assuming
x∈ X
as the random data in the input
space
X
and
y∈ Y
as the target random data in the label space
Y
, we have the predictor
f=wφ(x)
where φ:X → Z denotes the feature extractor and w:Z → Y denotes the classifier.
Now we give the formal definition of the OOD generalization problem. We have a set of
m
training domains
E={E1, E2, ..., Em}
, where each domain
Ee
is characterized by a input dataset
Ee:= {(xe
i, ye
i)}ne
i=1
containing
ne
i.i.d input samples drawn from the distribution of
Pe
, and a
test domain
Em+1
with data following the distribution of
Pte
, where
Pte 6=Pi, i = 1,2, ..., m
.
L:X R+
denotes the loss function. The ultimate goal of OOD generalization is to find an optimal
predictor fthat minimizes the risk on the unseen test domain:
min
f
E(x,y)∼Pte (x,y)[L(f(x), y)].(1)
Adversarial Training (AT)3
. According to [
4
], AT can be expressed as the following optimization
problem:
min
f
E(x,y)∼P(x,y)[max
δ∈S L(f(x+δ), y)] s.t. kδkp, (2)
where
δ∈ S
is the random injected perturbation with
lp
norm bounded by
. The inner maximization
problem can be optimized by fast gradient sign method (FGSM [13]), a simple one-step scheme:
x=x+sgn(xL(f(x), y)),(3)
where
sgn(·)
is the sign function, or by projected gradient descent (PGD [
4
]), a more powerful
multi-step variant:
xt+1 =Y
S
(xt+γsgn(xL(f(x), y))),(4)
where Q
S
is the projection operator onto the set S,γis the step size and tdenotes the iteration.
3.2 Weakness of AT for OOD Generalization
We now highlight some weaknesses of sample-wise AT for OOD generalization based on a series of
empirical evidence. We first conduct a toy experiment on the DomainBed benchmark [
9
] to evaluate
the OOD performance of AT. We run ERM and AT on four OOD datasets: PACS [
14
], OfficeHome
[
15
], VLCS [
16
], and NICO [
17
] with a fixed set of hyperparameters (detailed experimental settings
can be found in Appendix C.1). The results are shown in Table 1. We can see that the improvement
of OOD performance by AT is limited with an average improvement of only 0.1%.
Table 1: Test accuracy (%) on four OOD datasets on DomainBed benchmark with a fixed set of
hyperparameters. The improvement of AT is marginal.
Datasets
Algorithm PACS OfficeHome VLCS NICO avg
ERM 79.7 ±0.0 59.6 ±0.0 74.4 ±1.0 70.7 ±1.0 71.1
AT 81.5 ±0.4 59.9 ±0.4 75.3 ±0.7 68.2 ±2.2 71.2
We further investigate the reason behind the limitations of performance improvements on OOD
datasets of AT. Although previous works have revealed that the robust features obtained by AT can
improve OOD generalization ([
6
] [
5
] [
18
]), we find that sample-wise AT only tolerates small-scale
perturbations. Thus, we design an experiment on NICO dataset with multiple scales of perturbations.
The scale is calculated with the
l2
norm of the perturbation matrix (experiment details are shown
in Appendix C.1). As shown in Figure 1, AT suffers severe performance degradation when using
large perturbations. This provides clues to understanding the failure of AT in OOD scenarios. The
3For simplicity, we denote ‘AT’ for sample-wise AT by default in the rest of the paper.
3
distribution shifts in OOD data usually have much larger scales than the invisible perturbations
commonly used in AT. Hence, AT methods designed for small perturbations cannot handle these
large-scale domain shifts that often appear in OOD data. However, our experiment shows that this
problem can be alleviated by adapting universal AT (UAT [
8
]) to the OOD setting, i.e., using a
perturbation for each domain.
0.25 0.5 0.75 2 5 10 100 200 300 500
58
60
62
64
66
68
70
72
S
a
m
p
l
-
w
i
s
e
A
T
A
A
U
n
i
v
e
r
s
a
l
(
D
o
m
a
i
n
-
w
i
s
e
)
A
T
A
A
E
R
M
Perturabtion radius (l2-norm)
Test acc. (%)
Figure 1: Test accuracy (%) of AT, UAT (
l2
norm), and ERM on NICO dataset.
Figure 1 shows that UAT remains its generaliza-
tion performance when the perturbation scale is
large. There are two empirical explanations for
this: First, the background and style information
usually have a low-rank structure, such as the grass-
land and snowfield that have recurring parts. Sec-
ond, similar spurious features often appear within
one specific domain, such as PACS [
14
] and VLCS
[
16
] datasets. As stated in [
8
], the universal per-
turbation lies in a low dimensional space. Hence
using universal (domain-wise) perturbations will
help to resist such low-rank shifts and improve the
robustness of the model.
Inspired by this, we proposed two new AT variants
with more sophisticated low-rank structures on dif-
ferent dimensions to improve OOD generalization
in the next section.
4 The Proposed Structured AT Method
In order to construct low-rank structured perturbations, we start by analyzing the structure of sample-
wise perturbations. Assume that each input data
x
has a shape of
N×N×C
.
N
is the size of the
input image and
C
is the number of channels. For simplicity, we assume
C= 3
. We reparameterize
the sample-wise perturbations as a series of 2-D matrices
{D1
1, D1
2, ..., D1
m}
,
{D2
1, D2
2, ..., D2
m}
,
{D3
1, D3
2, ..., D3
m}
where
Dc
eRne×N2
denotes the perturbations in the
e
-th domain for the input
channel
c
,
ne
is the number of the samples in the domain
Ee
, and
m
is the number of domains.
The
i
-th row of
Dc
e
represents the
c
-th channel of the
i
-th sample in the domain
Ee
(see the first
column in Figure 2 for illustration). By such reparameterization, it is natural to find that there are two
orientations to reduce the rank of the perturbations:
1. Along the dimension of the number of samples
(along the red arrow in the upper left
corner of Figure 2). This corresponds to reducing the number of the perturbations used
within one domain.
2. Along the dimension of the input scale
(along the blue arrow in the upper left corner of
Figure 2). This corresponds to reducing the rank of the perturbation used for a specific input
sample.
In the following parts, we propose two AT variants with structured priors that reduce the rank in these
two directions.
4.1 MAT: Adversarial Training with Combinations of Multiple Perturbations
In this part, we propose domain-wise Multiple-perturbation Adversarial Training (MAT). It aims
to conduct rank minimization along the dimension of the number of samples. Instead of using
sample-wise perturbations, MAT constructs a combination of multiple perturbations and shares this
mixed perturbation within a domain. Specifically, we choose to train the linear combination of
k
perturbations for each domain
Ee
to conduct AT. Here
k
is a hyperparameter and
k
is far less than
the number of samples in domain Ee. The optimization problem can be reformulated as:
min
fX
e
E(x,y)∼Pe(x,y)[L(f(x+δe), y)],(5)
s.t. δe=
k
X
i=1
αe
iδe
i,kδe
ikp,
k
X
i=1
αe
i= 1, αe
i0for i= 1,2, ..., k, (6)
4
摘要:

ImprovingOut-of-DistributionGeneralizationbyAdversarialTrainingwithStructuredPriorsQixunWang1*YifeiWang2HongZhu3YisenWang1;4y1KeyLab.ofMachinePerception(MoE),SchoolofIntelligenceScienceandTechnology,PekingUniversity2SchoolofMathematicalSciences,PekingUniversity3HuaweiNoah'sArkLab4InstituteforArtic...

展开>> 收起<<
Improving Out-of-Distribution Generalization by Adversarial Training with Structured Priors Qixun Wang1Yifei Wang2Hong Zhu3Yisen Wang14y.pdf

共20页,预览4页

还剩页未读, 继续阅读

声明:本站为文档C2C交易模式,即用户上传的文档直接被用户下载,本站只是中间服务平台,本站所有文档下载所得的收益归上传人(含作者)所有。玖贝云文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私,请立即通知玖贝云文库,我们立即给予删除!

相关推荐

更多
立即下载
分类:图书资源 价格:10玖币 属性:20 页 大小:956.17KB 格式:PDF 时间:2025-04-26

开通VIP享超值会员特权

  • 多端同步记录
  • 高速下载文档
  • 免费文档工具
  • 分享文档赚钱
  • 每日登录抽奖
  • 优质衍生服务

作者详情

相关内容

更多

热门标签

人际关系 动力学连接体 力的合成 配电装置 高考理综 全宋诗作者索引 公务员考试
/ 20
评分 收藏
分享
立即下载
客服
关注