Revisiting Residual Networks for Adversarial Robustness

Shihua Huang; Zhichao Lu; Kalyanmoy Deb; Vishnu Boddeti

doi:10.1109/CVPR52729.2023.00793

Revisiting Residual Networks for Adversarial Robustness

Shihua Huang
, Zhichao Lu^*
, Kalyanmoy Deb
, Vishnu Boddeti

^*Corresponding author for this work

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

42 Citations (Scopus)

Abstract

Efforts to improve the adversarial robustness of convolutional neural networks have primarily focused on developing more effective adversarial training methods. In contrast, little attention was devoted to analyzing the role of architectural elements (e.g., topology, depth, and width) on adversarial robustness. This paper seeks to bridge this gap and present a holistic study on the impact of architectural design on adversarial robustness. We focus on residual networks and consider architecture design at the block level as well as at the network scaling level. In both cases, we first derive insights through systematic experiments. Then we design a robust residual block, dubbed RobustResBlock, and a compound scaling rule, dubbed RobustScaling, to distribute depth and width at the desired FLOP count. Finally, we combine RobustResBlock and RobustScaling and present a portfolio of adversarially robust residual networks, RobustResNets, spanning a broad spectrum of model capacities. Experimental validation across multiple datasets and adversarial attacks demonstrate that RobustResNets consistently outperform both the standard WRNs and other existing robust architectures, achieving state-of-the-art AutoAttack robust accuracy 63.7% with 500K external data while being 2x more compact in terms of parameters. The code is available at https://github.com/zhichao-lu/robust-residual-network. ©2023 IEEE

Original language	English
Title of host publication	2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)
Publisher	IEEE
Pages	8202-8211
Number of pages	10
ISBN (Print)	979-8-3503-0129-8
DOIs	https://doi.org/10.1109/CVPR52729.2023.00793
Publication status	Published - 22 Aug 2023
Externally published	Yes
Event	2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2023) - Vancouver Convention Center, Vancouver, Canada Duration: 18 Jun 2023 → 22 Jun 2023 https://cvpr2023.thecvf.com/Conferences/2023 https://openaccess.thecvf.com/menu https://ieeexplore.ieee.org/xpl/conhome/1000147/all-proceedings

Conference

Conference	2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2023)
Abbreviated title	CVPR2023
Place	Canada
City	Vancouver
Period	18/06/23 → 22/06/23
Internet address	https://cvpr2023.thecvf.com/Conferences/2023 https://openaccess.thecvf.com/menu https://ieeexplore.ieee.org/xpl/conhome/1000147/all-proceedings

Access Output

10.1109/CVPR52729.2023.00793

https://openaccess.thecvf.com/content/CVPR2023/html/Huang_Revisiting_Residual_Networks_for_Adversarial_Robustness_CVPR_2023_paper.html

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

@inproceedings{9be34c8aa2f443e4862301460273380f,

title = "Revisiting Residual Networks for Adversarial Robustness",

abstract = "Efforts to improve the adversarial robustness of convolutional neural networks have primarily focused on developing more effective adversarial training methods. In contrast, little attention was devoted to analyzing the role of architectural elements (e.g., topology, depth, and width) on adversarial robustness. This paper seeks to bridge this gap and present a holistic study on the impact of architectural design on adversarial robustness. We focus on residual networks and consider architecture design at the block level as well as at the network scaling level. In both cases, we first derive insights through systematic experiments. Then we design a robust residual block, dubbed RobustResBlock, and a compound scaling rule, dubbed RobustScaling, to distribute depth and width at the desired FLOP count. Finally, we combine RobustResBlock and RobustScaling and present a portfolio of adversarially robust residual networks, RobustResNets, spanning a broad spectrum of model capacities. Experimental validation across multiple datasets and adversarial attacks demonstrate that RobustResNets consistently outperform both the standard WRNs and other existing robust architectures, achieving state-of-the-art AutoAttack robust accuracy 63.7\% with 500K external data while being 2x more compact in terms of parameters. The code is available at https://github.com/zhichao-lu/robust-residual-network. {\textcopyright}2023 IEEE",

author = "Shihua Huang and Zhichao Lu and Kalyanmoy Deb and Vishnu Boddeti",

year = "2023",

month = aug,

day = "22",

doi = "10.1109/CVPR52729.2023.00793",

language = "English",

isbn = "979-8-3503-0129-8 ",

pages = "8202--8211",

booktitle = "2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)",

publisher = "IEEE",

address = "United States",

note = "2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2023), CVPR2023 ; Conference date: 18-06-2023 Through 22-06-2023",

url = "https://cvpr2023.thecvf.com/Conferences/2023, https://openaccess.thecvf.com/menu, https://ieeexplore.ieee.org/xpl/conhome/1000147/all-proceedings",

}

Huang, S, Lu, Z, Deb, K & Boddeti, V 2023, Revisiting Residual Networks for Adversarial Robustness. in 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, pp. 8202-8211, 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2023), Vancouver, British Columbia, Canada, 18/06/23. https://doi.org/10.1109/CVPR52729.2023.00793

TY - GEN

T1 - Revisiting Residual Networks for Adversarial Robustness

AU - Huang, Shihua

AU - Lu, Zhichao

AU - Deb, Kalyanmoy

AU - Boddeti, Vishnu

PY - 2023/8/22

Y1 - 2023/8/22

N2 - Efforts to improve the adversarial robustness of convolutional neural networks have primarily focused on developing more effective adversarial training methods. In contrast, little attention was devoted to analyzing the role of architectural elements (e.g., topology, depth, and width) on adversarial robustness. This paper seeks to bridge this gap and present a holistic study on the impact of architectural design on adversarial robustness. We focus on residual networks and consider architecture design at the block level as well as at the network scaling level. In both cases, we first derive insights through systematic experiments. Then we design a robust residual block, dubbed RobustResBlock, and a compound scaling rule, dubbed RobustScaling, to distribute depth and width at the desired FLOP count. Finally, we combine RobustResBlock and RobustScaling and present a portfolio of adversarially robust residual networks, RobustResNets, spanning a broad spectrum of model capacities. Experimental validation across multiple datasets and adversarial attacks demonstrate that RobustResNets consistently outperform both the standard WRNs and other existing robust architectures, achieving state-of-the-art AutoAttack robust accuracy 63.7% with 500K external data while being 2x more compact in terms of parameters. The code is available at https://github.com/zhichao-lu/robust-residual-network. ©2023 IEEE

AB - Efforts to improve the adversarial robustness of convolutional neural networks have primarily focused on developing more effective adversarial training methods. In contrast, little attention was devoted to analyzing the role of architectural elements (e.g., topology, depth, and width) on adversarial robustness. This paper seeks to bridge this gap and present a holistic study on the impact of architectural design on adversarial robustness. We focus on residual networks and consider architecture design at the block level as well as at the network scaling level. In both cases, we first derive insights through systematic experiments. Then we design a robust residual block, dubbed RobustResBlock, and a compound scaling rule, dubbed RobustScaling, to distribute depth and width at the desired FLOP count. Finally, we combine RobustResBlock and RobustScaling and present a portfolio of adversarially robust residual networks, RobustResNets, spanning a broad spectrum of model capacities. Experimental validation across multiple datasets and adversarial attacks demonstrate that RobustResNets consistently outperform both the standard WRNs and other existing robust architectures, achieving state-of-the-art AutoAttack robust accuracy 63.7% with 500K external data while being 2x more compact in terms of parameters. The code is available at https://github.com/zhichao-lu/robust-residual-network. ©2023 IEEE

UR - https://www.webofscience.com/wos/woscc/full-record/WOS:001062522100020

U2 - 10.1109/CVPR52729.2023.00793

DO - 10.1109/CVPR52729.2023.00793

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 979-8-3503-0129-8

SP - 8202

EP - 8211

BT - 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)

PB - IEEE

T2 - 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2023)

Y2 - 18 June 2023 through 22 June 2023

ER -

Revisiting Residual Networks for Adversarial Robustness

Abstract

Conference

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this