TWINS: A Fine-Tuning Framework for Improved Transferability of Adversarial Robustness and Generalization

Ziquan Liu; Yi Xu; Xiangyang Ji; Antoni B. Chan

doi:10.1109/CVPR52729.2023.01577

TWINS: A Fine-Tuning Framework for Improved Transferability of Adversarial Robustness and Generalization

Ziquan Liu, Yi Xu^*, Xiangyang Ji, Antoni B. Chan^*

^*Corresponding author for this work

Department of Computer Science

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

15 Citations (Scopus)

Abstract

Recent years have seen the ever-increasing importance of pre-trained models and their downstream training in deep learning research and applications. At the same time, the defense for adversarial examples has been mainly investigated in the context of training from random initialization on simple classification tasks. To better exploit the potential of pre-trained models in adversarial robustness, this paper focuses on the fine-tuning of an adversarially pre-trained model in various classification tasks. Existing research has shown that since the robust pre-trained model has already learned a robust feature extractor, the crucial question is how to maintain the robustness in the pre-trained model when learning the downstream task. We study the model-based and data-based approaches for this goal and find that the two common approaches cannot achieve the objective of improving both generalization and adversarial robustness. Thus, we propose a novel statistics-based approach, Two-WIng NormliSation (TWINS) fine-tuning framework, which consists of two neural networks where one of them keeps the population means and variances of pre-training data in the batch normalization layers. Besides the robust information transfer, TWINS increases the effective learning rate without hurting the training stability since the relationship between a weight norm and its gradient norm in standard batch normalization layer is broken, resulting in a faster escape from the sub-optimal initialization and alleviating the robust overfitting. Finally, TWINS is shown to be effective on a wide range of image classification datasets in terms of both generalization and robustness.

©2023 IEEE

Original language	English
Title of host publication	Proceedings - 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2023
Publisher	IEEE
Pages	16436-16446
ISBN (Print)	979-8-3503-0129-8
DOIs	https://doi.org/10.1109/CVPR52729.2023.01577
Publication status	Published - Jun 2023
Event	2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2023) - Vancouver Convention Center, Vancouver, Canada Duration: 18 Jun 2023 → 22 Jun 2023 https://cvpr2023.thecvf.com/Conferences/2023 https://openaccess.thecvf.com/menu https://ieeexplore.ieee.org/xpl/conhome/1000147/all-proceedings

Conference

Conference	2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2023)
Abbreviated title	CVPR2023
Country/Territory	Canada
City	Vancouver
Period	18/06/23 → 22/06/23
Internet address	https://cvpr2023.thecvf.com/Conferences/2023 https://openaccess.thecvf.com/menu https://ieeexplore.ieee.org/xpl/conhome/1000147/all-proceedings

Access Output

10.1109/CVPR52729.2023.01577

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

@inproceedings{aaa64912986b473995ae3856489903ea,

title = "TWINS: A Fine-Tuning Framework for Improved Transferability of Adversarial Robustness and Generalization",

abstract = "Recent years have seen the ever-increasing importance of pre-trained models and their downstream training in deep learning research and applications. At the same time, the defense for adversarial examples has been mainly investigated in the context of training from random initialization on simple classification tasks. To better exploit the potential of pre-trained models in adversarial robustness, this paper focuses on the fine-tuning of an adversarially pre-trained model in various classification tasks. Existing research has shown that since the robust pre-trained model has already learned a robust feature extractor, the crucial question is how to maintain the robustness in the pre-trained model when learning the downstream task. We study the model-based and data-based approaches for this goal and find that the two common approaches cannot achieve the objective of improving both generalization and adversarial robustness. Thus, we propose a novel statistics-based approach, Two-WIng NormliSation (TWINS) fine-tuning framework, which consists of two neural networks where one of them keeps the population means and variances of pre-training data in the batch normalization layers. Besides the robust information transfer, TWINS increases the effective learning rate without hurting the training stability since the relationship between a weight norm and its gradient norm in standard batch normalization layer is broken, resulting in a faster escape from the sub-optimal initialization and alleviating the robust overfitting. Finally, TWINS is shown to be effective on a wide range of image classification datasets in terms of both generalization and robustness.{\textcopyright}2023 IEEE",

author = "Ziquan Liu and Yi Xu and Xiangyang Ji and Chan, {Antoni B.}",

year = "2023",

month = jun,

doi = "10.1109/CVPR52729.2023.01577",

language = "English",

isbn = "979-8-3503-0129-8",

pages = "16436--16446",

booktitle = "Proceedings - 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2023",

publisher = "IEEE",

address = "United States",

note = "2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2023), CVPR2023 ; Conference date: 18-06-2023 Through 22-06-2023",

url = "https://cvpr2023.thecvf.com/Conferences/2023, https://openaccess.thecvf.com/menu, https://ieeexplore.ieee.org/xpl/conhome/1000147/all-proceedings",

}

Liu, Z, Xu, Y, Ji, X & Chan, AB 2023, TWINS: A Fine-Tuning Framework for Improved Transferability of Adversarial Robustness and Generalization. in Proceedings - 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2023. IEEE, pp. 16436-16446, 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2023), Vancouver, British Columbia, Canada, 18/06/23. https://doi.org/10.1109/CVPR52729.2023.01577

TWINS: A Fine-Tuning Framework for Improved Transferability of Adversarial Robustness and Generalization. / Liu, Ziquan; Xu, Yi; Ji, Xiangyang et al.
Proceedings - 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2023. IEEE, 2023. p. 16436-16446.

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - TWINS

T2 - 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2023)

AU - Liu, Ziquan

AU - Xu, Yi

AU - Ji, Xiangyang

AU - Chan, Antoni B.

PY - 2023/6

Y1 - 2023/6

N2 - Recent years have seen the ever-increasing importance of pre-trained models and their downstream training in deep learning research and applications. At the same time, the defense for adversarial examples has been mainly investigated in the context of training from random initialization on simple classification tasks. To better exploit the potential of pre-trained models in adversarial robustness, this paper focuses on the fine-tuning of an adversarially pre-trained model in various classification tasks. Existing research has shown that since the robust pre-trained model has already learned a robust feature extractor, the crucial question is how to maintain the robustness in the pre-trained model when learning the downstream task. We study the model-based and data-based approaches for this goal and find that the two common approaches cannot achieve the objective of improving both generalization and adversarial robustness. Thus, we propose a novel statistics-based approach, Two-WIng NormliSation (TWINS) fine-tuning framework, which consists of two neural networks where one of them keeps the population means and variances of pre-training data in the batch normalization layers. Besides the robust information transfer, TWINS increases the effective learning rate without hurting the training stability since the relationship between a weight norm and its gradient norm in standard batch normalization layer is broken, resulting in a faster escape from the sub-optimal initialization and alleviating the robust overfitting. Finally, TWINS is shown to be effective on a wide range of image classification datasets in terms of both generalization and robustness.©2023 IEEE

AB - Recent years have seen the ever-increasing importance of pre-trained models and their downstream training in deep learning research and applications. At the same time, the defense for adversarial examples has been mainly investigated in the context of training from random initialization on simple classification tasks. To better exploit the potential of pre-trained models in adversarial robustness, this paper focuses on the fine-tuning of an adversarially pre-trained model in various classification tasks. Existing research has shown that since the robust pre-trained model has already learned a robust feature extractor, the crucial question is how to maintain the robustness in the pre-trained model when learning the downstream task. We study the model-based and data-based approaches for this goal and find that the two common approaches cannot achieve the objective of improving both generalization and adversarial robustness. Thus, we propose a novel statistics-based approach, Two-WIng NormliSation (TWINS) fine-tuning framework, which consists of two neural networks where one of them keeps the population means and variances of pre-training data in the batch normalization layers. Besides the robust information transfer, TWINS increases the effective learning rate without hurting the training stability since the relationship between a weight norm and its gradient norm in standard batch normalization layer is broken, resulting in a faster escape from the sub-optimal initialization and alleviating the robust overfitting. Finally, TWINS is shown to be effective on a wide range of image classification datasets in terms of both generalization and robustness.©2023 IEEE

UR - https://openaccess.thecvf.com/content/CVPR2023/html/Liu_TWINS_A_Fine-Tuning_Framework_for_Improved_Transferability_of_Adversarial_Robustness_CVPR_2023_paper.html

UR - https://cvpr2023.thecvf.com/virtual/2023/papers.html?filter=titles&search=TWINS:+A+Fine-Tuning+Framework+for+Improved+Transferability+of+Adversarial+Robustness+and+Generalization

U2 - 10.1109/CVPR52729.2023.01577

DO - 10.1109/CVPR52729.2023.01577

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 979-8-3503-0129-8

SP - 16436

EP - 16446

BT - Proceedings - 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2023

PB - IEEE

Y2 - 18 June 2023 through 22 June 2023

ER -

TWINS: A Fine-Tuning Framework for Improved Transferability of Adversarial Robustness and Generalization

Abstract

Conference

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this