
3 Methods
3.1 Preliminaries
Let fθ(x) : X → Y be a classifier with parameters θ, where X ⊆ R^D and Y = {1, . . . , C}. In feed-forward deep neural networks, the classifier fθ usually consists of simpler functions f^(l)(x), l ∈ {1, . . . , L}, composed together such that the network output is computed as ŷ = f^(L)(f^(L−1)(· · · f^(1)(x))). For our function fθ to correctly classify the input x, we wish for it to attain a small risk for (x, y) ∼ D as measured by a loss function L. Additionally, for our classifier to be robust, we also wish fθ to attain a small risk in the vicinity of all x ∈ X, normally defined by a p-norm ball of fixed radius ϵ around the sample points Madry et al. (2017).
Intuitively, a model that has high prediction variance (or similarly, high risk variance) under noisy inputs is more likely to exhibit extremely high risk for data points sampled from the same distribution (i.e. adversarial examples). Indeed, classifiers that generate lower-variance predictions are often expected to generalize better and be more robust to input noise. For example, classic ensemble methods like bagging, boosting, and random
forests operate by combining the decisions of many weak (i.e. high variance) classifiers into a stronger one
with reduced prediction variance and improved generalization performance Hastie et al. (2009).
Given an ensemble of predictor functions f_i, i ∈ {1, . . . , K}, with zero or small biases, the ensemble prediction (normally considered as the mean prediction ȳ = (1/K) Σ_{i=1}^{K} ŷ_i) reduces the expected generalization loss by shrinking the prediction variance. To demonstrate the point, one can consider K i.i.d. random variables with variance σ² and their average value, which has a variance of σ²/K. Based on this logic, one can expect
ensembles of neural network classifiers to be more robust in the presence of noise or input perturbations
in general. However, several prior ensemble models have been shown to remain prone to ensembles of adversarial attacks with large perturbation budgets ϵ Tramer et al. (2020). One reason these ensemble models remain
vulnerable to adversarial attacks is that individual networks participating in these ensembles may still learn
different sets of non-robust representations leaving room for the attackers to find common weak spots across
all individual models within the ensemble. Additionally, while larger ensembles may be effective in that
regard, constructing ever-larger ensemble classifiers might quickly become infeasible, especially in the case
of neural network classifiers.
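The σ²/K variance reduction underlying this argument can be checked numerically. The following sketch is purely illustrative (the ensemble size and noise level are arbitrary choices, not values from the paper):

```python
import numpy as np

rng = np.random.default_rng(0)
K = 25        # illustrative ensemble size
sigma = 1.0   # per-predictor standard deviation

# Simulate K i.i.d. predictors, each with variance sigma^2,
# over many trials, and average their predictions per trial.
preds = rng.normal(loc=0.0, scale=sigma, size=(100_000, K))
ensemble_mean = preds.mean(axis=1)

print(preds[:, 0].var())    # ≈ sigma^2 = 1.0
print(ensemble_mean.var())  # ≈ sigma^2 / K = 0.04
```

The empirical variance of the averaged prediction comes out close to σ²/K, matching the i.i.d. argument above.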
One possible solution could be to focus on learning robust features by forming ensembles of features in
the network. Indeed, learning robust features has been suggested as a way towards robust classification
Bashivan et al. (2021). Consequently, if individual kernels within a single network were made robust through ensembling, it would become much more difficult to find adversaries that can fool the full network. In the
next section, we introduce Kernel Average Pooling for learning ensembles of kernels with better robustness
properties against input perturbations.
3.2 Kernel average pooling (KAP)
Mean filters (a.k.a. average pooling) are widely accepted as simple noise-suppression mechanisms in computer vision. For example, spatial average pooling layers are commonly used in modern deep neural networks Zoph et al. (2018), applying a mean filter along the spatial dimensions of the input to reduce the effect of spatially distributed noise (e.g. noise spread across adjacent pixels of an image).
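As a small illustration of this noise-suppression effect (the image size, noise level, and pooling window below are arbitrary choices for demonstration):

```python
import numpy as np

rng = np.random.default_rng(0)

# A constant 8x8 "image" corrupted by i.i.d. per-pixel noise.
clean = np.full((8, 8), 0.5)
noisy = clean + rng.normal(scale=0.2, size=clean.shape)

# 2x2 spatial average pooling with stride 2: average each
# non-overlapping 2x2 patch, suppressing per-pixel noise.
pooled = noisy.reshape(4, 2, 4, 2).mean(axis=(1, 3))

# Pooling shrinks the deviation from the clean value 0.5:
print(np.abs(noisy - 0.5).mean())   # per-pixel error
print(np.abs(pooled - 0.5).mean())  # smaller after pooling
```

Averaging four i.i.d. noisy pixels halves the noise standard deviation, so the pooled output lies closer to the clean signal.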
Here, we wish to substitute each kernel in the neural network model with an ensemble of kernels performing
the same function such that the ensemble output is the average of individual kernel outputs. This can be
conveniently carried out by applying the average pooling operation along the kernel dimension of the input
tensor.
Given an input z = [z_1, . . . , z_{N_k}] ∈ R^{N_k}, the kernel average pooling operation (KAP) with kernel size K and stride S computes the function

z̄_i = (1/K) Σ_{l = Si−(K−1)/2}^{Si+(K−1)/2} z_l    (2)

where z_l is zero-padded (with zero weight in the computation of the average) to match the dimensionality of the z̄ and z variables (see A.1 for the details of padding). Importantly, when z is the output of an operation linear
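Equation (2) can be sketched in NumPy as follows. This is a minimal illustration assuming stride S = 1, an odd kernel size K, and plain zero padding at the borders (the paper's exact padding scheme is described in its Appendix A.1); in a network, this operation would be applied along the kernel/channel dimension of a feature map:

```python
import numpy as np

def kernel_average_pool(z, K):
    """Sketch of KAP (eq. 2) with stride S = 1 and odd K.

    Each output channel i is the mean of the K neighbouring
    channel activations centred on i; plain zero padding is
    assumed at the borders (see the paper's A.1 for details).
    """
    half = (K - 1) // 2
    padded = np.pad(z, half)  # zeros outside the valid range
    # Sliding windows of length K along the channel dimension.
    windows = np.lib.stride_tricks.sliding_window_view(padded, K)
    return windows.mean(axis=-1)

z = np.array([1.0, 2.0, 3.0, 4.0, 5.0])
out = kernel_average_pool(z, K=3)
print(out)  # interior entries are exact 3-channel means,
            # e.g. out[1] = (1 + 2 + 3) / 3 = 2.0
```

Note that because the window is centred and the stride is 1, the output has the same number of channels as the input, so KAP layers can be dropped into a network without changing feature-map shapes.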