English
 
Help Privacy Policy Disclaimer
  Advanced SearchBrowse

Item

ITEM ACTIONSEXPORT
Add to Basket
  Local TagsRelease HistoryDetailsSummary

Released
Paper

On Fragile Features and Batch Normalization in Adversarial Training

MPS-Authors
/persons/resource/persons255884

Walter,  Nils Philipp
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society;

/persons/resource/persons228449

Stutz,  David
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society;

/persons/resource/persons45383

Schiele,  Bernt
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society;

External Resource
No external resources are shared
Fulltext (restricted access)
There are currently no full texts shared for your IP range.
Fulltext (public)

arXiv:2204.12393.pdf
(Preprint), 454KB

Supplementary Material (public)
There is no public supplementary material available
Citation

Walter, N. P., Stutz, D., & Schiele, B. (2022). On Fragile Features and Batch Normalization in Adversarial Training. Retrieved from https://arxiv.org/abs/2204.12393.


Cite as: https://hdl.handle.net/21.11116/0000-000C-1843-E
Abstract
Modern deep learning architecture utilize batch normalization (BN) to
stabilize training and improve accuracy. It has been shown that the BN layers
alone are surprisingly expressive. In the context of robustness against
adversarial examples, however, BN is argued to increase vulnerability. That is,
BN helps to learn fragile features. Nevertheless, BN is still used in
adversarial training, which is the de-facto standard to learn robust features.
In order to shed light on the role of BN in adversarial training, we
investigate to what extent the expressiveness of BN can be used to robustify
fragile features in comparison to random features. On CIFAR10, we find that
adversarially fine-tuning just the BN layers can result in non-trivial
adversarial robustness. Adversarially training only the BN layers from scratch,
in contrast, is not able to convey meaningful adversarial robustness. Our
results indicate that fragile features can be used to learn models with
moderate adversarial robustness, while random features cannot