zhangcen456
commented
1 year ago Our method is supposed to filter out features that can be easily affected by attack methods from the input, which makes the models more robust, while adversarial training adds perturbation to the embedding of the input to generate extra examples. We believe that's the main difference between our method and AT. And for adversarial training, new adversarial examples can still be generated for adversarially trained networks.[1] [1]Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey
Opdoop
From [1], we have:
$$\mathcal{L}=\mathcal{L}{\mathrm{CE}}+\beta \cdot D{\mathrm{KL}}[P(\mathbf{T} \mid \mathbf{X}) | Q(\mathbf{T})]$$
While comparing to conventional adversarial training, from [2], we have: $$\min \left[\underset{x, y \sim p{\mathcal{D}}}{\mathbb{E}}\left[\max {\hat{x} \in \mathbb{B}(x)} \mathcal{L}(x, \hat{x}, y)\right]\right]$$
where above objective can be specified in semi-supervised fashion as: $$-\log q\left(y \mid F{s}(x)\right)+\beta \mathrm{KL}\left(q\left(\cdot \mid F{s}(x)\right) | q\left(\cdot \mid F_{s}(\hat{x})\right)\right)$$
IB principle and adversarial training(AT) both introduce a regularization term to smooth the landscape of model. The only difference is distribution term used KL distance, variational IB uses Gaussian while AT uses adversarial examples.
Adversarial examples can be viewed as a special out-of-distribution. In this view, compare with IB, AT should be a tighter bound for OOD optimization. But from your experiment results, IB surpasses all previous AT-liked methods. How could a loose bound be better than a tighter bound? This really confused me. Is there something I misunderstood?
[1] Improving the Adversarial Robustness of NLP Models by Information Bottleneck [2] How Should Pre-Trained Language Models Be Fine-Tuned Towards Adversarial Robustness?