TY - GEN
T1 - A Light Recipe to Train Robust Vision Transformers
AU - Debenedetti, Edoardo
AU - Sehwag, Vikash
AU - Mittal, Prateek
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - In this paper, we ask whether Vision Transformers (ViTs) can serve as an underlying architecture for improving the adversarial robustness of machine learning models against evasion attacks. While earlier works have focused on improving Convolutional Neural Networks, we show that ViTs are also highly suitable for adversarial training to achieve competitive performance. We achieve this objective using a custom adversarial training recipe, discovered using rigorous ablation studies on a subset of the ImageNet dataset. The canonical training recipe for ViTs recommends strong data augmentation, in part to compensate for the lack of vision inductive bias of attention modules, when compared to convolutions. We show that this recipe achieves suboptimal performance when used for adversarial training. In contrast, we find that omitting all heavy data augmentation, and adding some additional bag-of-tricks (ϵ-warmup and larger weight decay), significantly boosts the performance of robust ViTs. We show that our recipe generalizes to different classes of ViT architectures and large-scale models on full ImageNet-1k. Additionally, investigating the reasons for the robustness of our models, we show that it is easier to generate strong attacks during training when using our recipe and that this leads to better robustness at test time. Finally, we further study one consequence of adversarial training by proposing a way to quantify the semantic nature of adversarial perturbations and highlight its correlation with the robustness of the model. Overall, we recommend that the community should avoid translating the canonical training recipes in ViTs to robust training and rethink common training choices in the context of adversarial training. We share the code for our experiments at the following URL: https://github.com/dedeswim/vits-robustness-torch.
AB - In this paper, we ask whether Vision Transformers (ViTs) can serve as an underlying architecture for improving the adversarial robustness of machine learning models against evasion attacks. While earlier works have focused on improving Convolutional Neural Networks, we show that ViTs are also highly suitable for adversarial training to achieve competitive performance. We achieve this objective using a custom adversarial training recipe, discovered using rigorous ablation studies on a subset of the ImageNet dataset. The canonical training recipe for ViTs recommends strong data augmentation, in part to compensate for the lack of vision inductive bias of attention modules, when compared to convolutions. We show that this recipe achieves suboptimal performance when used for adversarial training. In contrast, we find that omitting all heavy data augmentation, and adding some additional bag-of-tricks (ϵ-warmup and larger weight decay), significantly boosts the performance of robust ViTs. We show that our recipe generalizes to different classes of ViT architectures and large-scale models on full ImageNet-1k. Additionally, investigating the reasons for the robustness of our models, we show that it is easier to generate strong attacks during training when using our recipe and that this leads to better robustness at test time. Finally, we further study one consequence of adversarial training by proposing a way to quantify the semantic nature of adversarial perturbations and highlight its correlation with the robustness of the model. Overall, we recommend that the community should avoid translating the canonical training recipes in ViTs to robust training and rethink common training choices in the context of adversarial training. We share the code for our experiments at the following URL: https://github.com/dedeswim/vits-robustness-torch.
KW - Adversarial Robustness
KW - Adversarial Training
KW - Computer Vision
KW - Vision Transformer
UR - http://www.scopus.com/inward/record.url?scp=85150207533&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85150207533&partnerID=8YFLogxK
U2 - 10.1109/SaTML54575.2023.00024
DO - 10.1109/SaTML54575.2023.00024
M3 - Conference contribution
AN - SCOPUS:85150207533
T3 - Proceedings - 2023 IEEE Conference on Secure and Trustworthy Machine Learning, SaTML 2023
SP - 225
EP - 253
BT - Proceedings - 2023 IEEE Conference on Secure and Trustworthy Machine Learning, SaTML 2023
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2023 IEEE Conference on Secure and Trustworthy Machine Learning, SaTML 2023
Y2 - 8 February 2023 through 10 February 2023
ER -