A Simple Way to Make Neural Networks Robust Against Diverse Image Corruptions

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12348)

Abstract

The human visual system is remarkably robust against a wide range of naturally occurring variations and corruptions like rain or snow. In contrast, the performance of modern image recognition models degrades strongly when evaluated on previously unseen corruptions. Here, we demonstrate that a simple but properly tuned training regime with additive Gaussian and speckle noise generalizes surprisingly well to unseen corruptions, easily reaching the state of the art on the corruption benchmark ImageNet-C (with ResNet50) and on MNIST-C. We build on these strong baseline results and show that adversarially training the recognition model against locally correlated worst-case noise distributions yields a further increase in performance. This regularization can be combined with previously proposed defense methods for additional improvement.
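
As a rough illustration of the noise-augmentation baseline described above, the sketch below adds either Gaussian or speckle noise to training batches in PyTorch. The function names, the noise level `sigma`, and the application probability `p` are illustrative assumptions for this sketch, not the authors' released implementation; the abstract's point is that the noise level must be tuned properly rather than chosen arbitrarily.

```python
import torch

# Minimal sketch (hypothetical, not the authors' code): perturb training
# images, assumed to lie in [0, 1], with additive Gaussian or speckle noise.

def gaussian_noise(x: torch.Tensor, sigma: float) -> torch.Tensor:
    """Additive Gaussian noise: x + n, with n ~ N(0, sigma^2)."""
    return (x + sigma * torch.randn_like(x)).clamp(0.0, 1.0)

def speckle_noise(x: torch.Tensor, sigma: float) -> torch.Tensor:
    """Speckle (multiplicative) noise: x + x * n, with n ~ N(0, sigma^2)."""
    return (x + x * sigma * torch.randn_like(x)).clamp(0.0, 1.0)

def augment(x: torch.Tensor, sigma: float = 0.2, p: float = 0.5) -> torch.Tensor:
    """Apply one of the two noise types to a batch with probability p.
    Both sigma and p are placeholder values, not the paper's tuned settings."""
    if torch.rand(()) > p:
        return x
    if torch.rand(()) < 0.5:
        return gaussian_noise(x, sigma)
    return speckle_noise(x, sigma)
```

In a training loop, `augment` would be applied to each batch before the forward pass, leaving the labels unchanged.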

Keywords

Image corruptions · Robustness · Generalization · Adversarial training

Supplementary material

Supplementary material 1: 504435_1_En_4_MOESM1_ESM.pdf (PDF, 3.4 MB)

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. University of Tübingen, Tübingen, Germany
  2. International Max Planck Research School for Intelligent Systems, Tübingen, Germany