David Stutz (PhD Student)

Personal Information

Bachelor/master theses available; topics on adversarial robustness — robustness of deep neural networks against adversarial examples.

Publications

2024

M. Losch, M. Omran, D. Stutz, M. Fritz, and B. Schiele

“On Adversarial Training without Perturbing all Examples,” in The Twelfth International Conference on Learning Representations (ICLR 2024), Vienna, Austria, 2024.

@inproceedings{Losch_ICLR24,
TITLE = {On Adversarial Training without Perturbing all Examples},
AUTHOR = {Losch, Max and Omran, Mohamed and Stutz, David and Fritz, Mario and Schiele, Bernt},
LANGUAGE = {eng},
URL = {https://openreview.net/forum?id=pE6gWrASQm; https://openreview.net/group?id=ICLR.cc/2024},
PUBLISHER = {OpenReview.net},
YEAR = {2024},
MARGINALMARK = {$\bullet$},
DATE = {2024},
BOOKTITLE = {The Twelfth International Conference on Learning Representations (ICLR 2024)},
PAGES = {1--21},
ADDRESS = {Vienna, Austria},
}

Endnote

%0 Conference Proceedings
%A Losch, Max
%A Omran, Mohamed
%A Stutz, David
%A Fritz, Mario
%A Schiele, Bernt
%+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
External Organizations
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
%T On Adversarial Training without Perturbing all Examples : 
%G eng
%U http://hdl.handle.net/21.11116/0000-0010-445B-C
%U https://openreview.net/forum?id=pE6gWrASQm
%D 2024
%B Twelfth International Conference on Learning Representations
%Z date of event: 2024-05-07 - 2024-05-11
%C Vienna, Austria
%B The Twelfth International Conference on Learning Representations
%P 1 - 21
%I OpenReview.net

2023

Y. Guo, D. Stutz, and B. Schiele

“Improving Robustness of Vision Transformers by Reducing Sensitivity To Patch Corruptions,” in IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2023), Vancouver, Canada, 2023.

@inproceedings{Guo_CVPR23,
TITLE = {Improving Robustness of Vision Transformers by Reducing Sensitivity To Patch Corruptions},
AUTHOR = {Guo, Yong and Stutz, David and Schiele, Bernt},
LANGUAGE = {eng},
ISBN = {979-8-3503-0129-8},
DOI = {10.1109/CVPR52729.2023.00400},
PUBLISHER = {IEEE},
YEAR = {2023},
MARGINALMARK = {$\bullet$},
BOOKTITLE = {IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2023)},
PAGES = {4108--4118},
ADDRESS = {Vancouver, Canada},
}

Endnote

%0 Conference Proceedings
%A Guo, Yong
%A Stutz, David
%A Schiele, Bernt
%+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
%T Improving Robustness of Vision Transformers by Reducing Sensitivity To Patch Corruptions : 
%G eng
%U http://hdl.handle.net/21.11116/0000-000D-1F5D-A
%R 10.1109/CVPR52729.2023.00400
%D 2023
%B 36th IEEE/CVF Conference on Computer Vision and Pattern Recognition
%Z date of event: 2023-06-18 - 2023-06-23
%C Vancouver, Canada
%B IEEE/CVF Conference on Computer Vision and Pattern Recognition
%P 4108 - 4118
%I IEEE
%@ 979-8-3503-0129-8

Y. Guo, D. Stutz, and B. Schiele

“Robustifying Token Attention for Vision Transformers,” in IEEE/CVF International Conference on Computer Vision (ICCV 2023), Paris, France, 2023.

@inproceedings{Guo_ICCV23,
TITLE = {Robustifying Token Attention for Vision Transformers},
AUTHOR = {Guo, Yong and Stutz, David and Schiele, Bernt},
LANGUAGE = {eng},
ISBN = {979-8-3503-0718-4},
DOI = {10.1109/ICCV51070.2023.01610},
PUBLISHER = {IEEE},
YEAR = {2023},
MARGINALMARK = {$\bullet$},
DATE = {2023},
BOOKTITLE = {IEEE/CVF International Conference on Computer Vision (ICCV 2023)},
PAGES = {17511--17522},
ADDRESS = {Paris, France},
}

Endnote

%0 Conference Proceedings
%A Guo, Yong
%A Stutz, David
%A Schiele, Bernt
%+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
%T Robustifying Token Attention for Vision Transformers  : 
%G eng
%U http://hdl.handle.net/21.11116/0000-000D-F981-8
%R 10.1109/ICCV51070.2023.01610
%D 2023
%B IEEE/CVF International Conference on Computer Vision
%Z date of event: 2023-10-02 - 2023-10-06
%C Paris, France
%B IEEE/CVF International Conference on Computer Vision
%P 17511 - 17522
%I IEEE
%@ 979-8-3503-0718-4

D. Stutz, N. Chandramoorthy, M. Hein, and B. Schiele

“Random and Adversarial Bit Error Robustness: Energy-Efficient and Secure DNN Accelerators,” IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 45, no. 3, 2023.

@article{StutzTPAMI23,
TITLE = {Random and Adversarial Bit Error Robustness: {E}nergy-Efficient and Secure {DNN} Accelerators},
AUTHOR = {Stutz, David and Chandramoorthy, Nandhini and Hein, Matthias and Schiele, Bernt},
LANGUAGE = {eng},
ISSN = {0162-8828},
DOI = {10.1109/TPAMI.2022.3181972},
PUBLISHER = {IEEE},
ADDRESS = {Piscataway, NJ},
YEAR = {2023},
MARGINALMARK = {$\bullet$},
DATE = {2023},
JOURNAL = {IEEE Transactions on Pattern Analysis and Machine Intelligence},
VOLUME = {45},
NUMBER = {3},
PAGES = {3632--3647},
}

Endnote

%0 Journal Article
%A Stutz, David
%A Chandramoorthy, Nandhini
%A Hein, Matthias
%A Schiele, Bernt
%+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
External Organizations
External Organizations
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
%T Random and Adversarial Bit Error Robustness: Energy-Efficient and Secure DNN Accelerators : 
%G eng
%U http://hdl.handle.net/21.11116/0000-0009-8108-C
%R 10.1109/TPAMI.2022.3181972
%7 2023
%D 2023
%J IEEE Transactions on Pattern Analysis and Machine Intelligence
%O IEEE Trans. Pattern Anal. Mach. Intell.
%V 45
%N 3
%& 3632
%P 3632 - 3647
%I IEEE
%C Piscataway, NJ
%@ false

M. Losch, D. Stutz, B. Schiele, and M. Fritz

“Certified Robust Models with Slack Control and Large Lipschitz Constants,” in Pattern Recognition (DAGM GCPR 2023), Heidelberg, Germany, 2023.

@inproceedings{Losch_DAGMGCPR23,
TITLE = {Certified Robust Models with Slack Control and Large {L}ipschitz Constants},
AUTHOR = {Losch, Max and Stutz, David and Schiele, Bernt and Fritz, Mario},
LANGUAGE = {eng},
ISBN = {978-3-031-54604-4; 978-3-031-54605-1},
DOI = {10.1007/978-3-031-54605-1_37},
PUBLISHER = {Springer},
YEAR = {2023},
MARGINALMARK = {$\bullet$},
DATE = {2023},
BOOKTITLE = {Pattern Recognition (DAGM GCPR 2023)},
EDITOR = {K{\"o}the, Ullrich and Rother, Carsten},
PAGES = {574--588},
SERIES = {Lecture Notes in Computer Science},
VOLUME = {14264},
ADDRESS = {Heidelberg, Germany},
}

Endnote

%0 Conference Proceedings
%A Losch, Max
%A Stutz, David
%A Schiele, Bernt
%A Fritz, Mario
%+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
External Organizations
%T Certified Robust Models with Slack Control and Large Lipschitz Constants : 
%G eng
%U http://hdl.handle.net/21.11116/0000-0010-4578-A
%R 10.1007/978-3-031-54605-1_37
%D 2023
%B 45th German Conference on Pattern Recognition
%Z date of event: 2023-09-19 - 2023-09-22
%C Heidelberg, Germany
%B Pattern Recognition
%E K&#246;the, Ullrich; Rother, Carsten
%P 574 - 588
%I Springer
%@ 978-3-031-54604-4 978-3-031-54605-1
%B Lecture Notes in Computer Science
%N 14264
%U https://rdcu.be/d2lZ3

2022

Y. Guo, D. Stutz, and B. Schiele

“Improving Robustness by Enhancing Weak Subnets,” in Computer Vision -- ECCV 2022, Tel Aviv, Israel, 2022.

@inproceedings{Guo_ECCV2022,
TITLE = {Improving Robustness by Enhancing Weak Subnets},
AUTHOR = {Guo, Yong and Stutz, David and Schiele, Bernt},
LANGUAGE = {eng},
ISBN = {978-3-031-20052-6},
DOI = {10.1007/978-3-031-20053-3_19},
PUBLISHER = {Springer},
YEAR = {2022},
DATE = {2022},
BOOKTITLE = {Computer Vision -- ECCV 2022},
EDITOR = {Avidan, Shai and Brostow, Gabriel and Ciss{\'e}, Moustapha and Farinella, Giovanni and Hassner, Tal},
PAGES = {320--338},
SERIES = {Lecture Notes in Computer Science},
VOLUME = {13684},
ADDRESS = {Tel Aviv, Israel},
}

Endnote

%0 Conference Proceedings
%A Guo, Yong
%A Stutz, David
%A Schiele, Bernt
%+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
%T Improving Robustness by Enhancing Weak Subnets : 
%G eng
%U http://hdl.handle.net/21.11116/0000-000B-01E4-2
%R 10.1007/978-3-031-20053-3_19
%D 2022
%B 17th European Conference on Computer Vision
%Z date of event: 2022-10-23 - 2022-10-27
%C Tel Aviv, Israel
%B Computer Vision -- ECCV 2022
%E Avidan, Shai; Brostow, Gabriel; Ciss&#233;, Moustapha; Farinella, Giovanni; Hassner, Tal
%P 320 - 338
%I Springer
%@ 978-3-031-20052-6
%B Lecture Notes in Computer Science
%N 13684
%U https://rdcu.be/c269w

D. Stutz

“Understanding and Improving Robustness and Uncertainty Estimation in Deep Learning,” Universität des Saarlandes, Saarbrücken, 2022.

Abstract

Deep learning is becoming increasingly relevant for many high-stakes applications such as autonomous driving or medical diagnosis where wrong decisions can have massive impact on human lives. Unfortunately, deep neural networks are typically assessed solely based on generalization, e.g., accuracy on a fixed test set. However, this is clearly insufficient for safe deployment as potential malicious actors and distribution shifts or the effects of quantization and unreliable hardware are disregarded. Thus, recent work additionally evaluates performance on potentially manipulated or corrupted inputs as well as after quantization and deployment on specialized hardware. In such settings, it is also important to obtain reasonable estimates of the model's confidence alongside its predictions. This thesis studies robustness and uncertainty estimation in deep learning along three main directions: First, we consider so-called adversarial examples, slightly perturbed inputs causing severe drops in accuracy. Second, we study weight perturbations, focusing particularly on bit errors in quantized weights. This is relevant for deploying models on special-purpose hardware for efficient inference, so-called accelerators. Finally, we address uncertainty estimation to improve robustness and provide meaningful statistical performance guarantees for safe deployment. In detail, we study the existence of adversarial examples with respect to the underlying data manifold. In this context, we also investigate adversarial training which improves robustness by augmenting training with adversarial examples at the cost of reduced accuracy. We show that regular adversarial examples leave the data manifold in an almost orthogonal direction. While we find no inherent trade-off between robustness and accuracy, this contributes to a higher sample complexity as well as severe overfitting of adversarial training. Using a novel measure of flatness in the robust loss landscape with respect to weight changes, we also show that robust overfitting is caused by converging to particularly sharp minima. In fact, we find a clear correlation between flatness and good robust generalization. Further, we study random and adversarial bit errors in quantized weights. In accelerators, random bit errors occur in the memory when reducing voltage with the goal of improving energy-efficiency. Here, we consider a robust quantization scheme, use weight clipping as regularization and perform random bit error training to improve bit error robustness, allowing considerable energy savings without requiring hardware changes. In contrast, adversarial bit errors are maliciously introduced through hardware- or software-based attacks on the memory, with severe consequences on performance. We propose a novel adversarial bit error attack to study this threat and use adversarial bit error training to improve robustness and thereby also the accelerator's security. Finally, we view robustness in the context of uncertainty estimation. By encouraging low-confidence predictions on adversarial examples, our confidence-calibrated adversarial training successfully rejects adversarial, corrupted as well as out-of-distribution examples at test time. Thereby, we are also able to improve the robustness-accuracy trade-off compared to regular adversarial training. However, even robust models do not provide any guarantee for safe deployment. To address this problem, conformal prediction allows the model to predict confidence sets with user-specified guarantee of including the true label. Unfortunately, as conformal prediction is usually applied after training, the model is trained without taking this calibration step into account. To address this limitation, we propose conformal training which allows training conformal predictors end-to-end with the underlying model. This not only improves the obtained uncertainty estimates but also enables optimizing application-specific objectives without losing the provided guarantee. Besides our work on robustness or uncertainty, we also address the problem of 3D shape completion of partially observed point clouds. Specifically, we consider an autonomous driving or robotics setting where vehicles are commonly equipped with LiDAR or depth sensors and obtaining a complete 3D representation of the environment is crucial. However, ground truth shapes that are essential for applying deep learning techniques are extremely difficult to obtain. Thus, we propose a weakly-supervised approach that can be trained on the incomplete point clouds while offering efficient inference. In summary, this thesis contributes to our understanding of robustness against both input and weight perturbations. To this end, we also develop methods to improve robustness alongside uncertainty estimation for safe deployment of deep learning methods in high-stakes applications. In the particular context of autonomous driving, we also address 3D shape completion of sparse point clouds.

BibTeX

@phdthesis{Stutzphd2022,
TITLE = {Understanding and Improving Robustness and Uncertainty Estimation in Deep Learning},
AUTHOR = {Stutz, David},
LANGUAGE = {eng},
URL = {nbn:de:bsz:291--ds-372867},
DOI = {10.22028/D291-37286},
SCHOOL = {Universit{\"a}t des Saarlandes},
ADDRESS = {Saarbr{\"u}cken},
YEAR = {2022},
DATE = {2022},
ABSTRACT = {Deep learning is becoming increasingly relevant for many high-stakes applications such as autonomous driving or medical diagnosis where wrong decisions can have massive impact on human lives. Unfortunately, deep neural networks are typically assessed solely based on generalization, e.g., accuracy on a fixed test set. However, this is clearly insufficient for safe deployment as potential malicious actors and distribution shifts or the effects of quantization and unreliable hardware are disregarded. Thus, recent work additionally evaluates performance on potentially manipulated or corrupted inputs as well as after quantization and deployment on specialized hardware. In such settings, it is also important to obtain reasonable estimates of the model's confidence alongside its predictions. This thesis studies robustness and uncertainty estimation in deep learning along three main directions: First, we consider so-called adversarial examples, slightly perturbed inputs causing severe drops in accuracy. Second, we study weight perturbations, focusing particularly on bit errors in quantized weights. This is relevant for deploying models on special-purpose hardware for efficient inference, so-called accelerators. Finally, we address uncertainty estimation to improve robustness and provide meaningful statistical performance guarantees for safe deployment. In detail, we study the existence of adversarial examples with respect to the underlying data manifold. In this context, we also investigate adversarial training which improves robustness by augmenting training with adversarial examples at the cost of reduced accuracy. We show that regular adversarial examples leave the data manifold in an almost orthogonal direction. While we find no inherent trade-off between robustness and accuracy, this contributes to a higher sample complexity as well as severe overfitting of adversarial training. Using a novel measure of flatness in the robust loss landscape with respect to weight changes, we also show that robust overfitting is caused by converging to particularly sharp minima. In fact, we find a clear correlation between flatness and good robust generalization. Further, we study random and adversarial bit errors in quantized weights. In accelerators, random bit errors occur in the memory when reducing voltage with the goal of improving energy-efficiency. Here, we consider a robust quantization scheme, use weight clipping as regularization and perform random bit error training to improve bit error robustness, allowing considerable energy savings without requiring hardware changes. In contrast, adversarial bit errors are maliciously introduced through hardware- or software-based attacks on the memory, with severe consequences on performance. We propose a novel adversarial bit error attack to study this threat and use adversarial bit error training to improve robustness and thereby also the accelerator's security. Finally, we view robustness in the context of uncertainty estimation. By encouraging low-confidence predictions on adversarial examples, our confidence-calibrated adversarial training successfully rejects adversarial, corrupted as well as out-of-distribution examples at test time. Thereby, we are also able to improve the robustness-accuracy trade-off compared to regular adversarial training. However, even robust models do not provide any guarantee for safe deployment. To address this problem, conformal prediction allows the model to predict confidence sets with user-specified guarantee of including the true label. Unfortunately, as conformal prediction is usually applied after training, the model is trained without taking this calibration step into account. To address this limitation, we propose conformal training which allows training conformal predictors end-to-end with the underlying model. This not only improves the obtained uncertainty estimates but also enables optimizing application-specific objectives without losing the provided guarantee. Besides our work on robustness or uncertainty, we also address the problem of 3D shape completion of partially observed point clouds. Specifically, we consider an autonomous driving or robotics setting where vehicles are commonly equipped with LiDAR or depth sensors and obtaining a complete 3D representation of the environment is crucial. However, ground truth shapes that are essential for applying deep learning techniques are extremely difficult to obtain. Thus, we propose a weakly-supervised approach that can be trained on the incomplete point clouds while offering efficient inference. In summary, this thesis contributes to our understanding of robustness against both input and weight perturbations. To this end, we also develop methods to improve robustness alongside uncertainty estimation for safe deployment of deep learning methods in high-stakes applications. In the particular context of autonomous driving, we also address 3D shape completion of sparse point clouds.},
}

Endnote

%0 Thesis
%A Stutz, David
%Y Schiele, Bernt
%A referee: Hein, Matthias
%A referee: Kumar, Pawan
%A referee: Fritz, Mario
%+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
International Max Planck Research School, MPI for Informatics, Max Planck Society
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
External Organizations
External Organizations
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
%T Understanding and Improving Robustness and
Uncertainty Estimation in Deep Learning :
%G eng
%U http://hdl.handle.net/21.11116/0000-000B-3FE6-C
%R 10.22028/D291-37286
%U nbn:de:bsz:291--ds-372867
%F OTHER: hdl:20.500.11880/33949
%I Universit&#228;t des Saarlandes
%C Saarbr&#252;cken
%D 2022
%P 291 p.
%V phd
%9 phd
%X Deep learning is becoming increasingly relevant for many high-stakes applications such as autonomous driving or medical diagnosis where wrong decisions can have massive impact on human lives. Unfortunately, deep neural networks are typically assessed solely based on generalization, e.g., accuracy on a fixed test set. However, this is clearly insufficient for safe deployment as potential malicious actors and distribution shifts or the effects of quantization and unreliable hardware are disregarded. Thus, recent work additionally evaluates performance on potentially manipulated or corrupted inputs as well as after quantization and deployment on specialized hardware. In such settings, it is also important to obtain reasonable estimates of the model's confidence alongside its predictions. This thesis studies robustness and uncertainty estimation in deep learning along three main directions: First, we consider so-called adversarial examples, slightly perturbed inputs causing severe drops in accuracy. Second, we study weight perturbations, focusing particularly on bit errors in quantized weights. This is relevant for deploying models on special-purpose hardware for efficient inference, so-called accelerators. Finally, we address uncertainty estimation to improve robustness and provide meaningful statistical performance guarantees for safe deployment. In detail, we study the existence of adversarial examples with respect to the underlying data manifold. In this context, we also investigate adversarial training which improves robustness by augmenting training with adversarial examples at the cost of reduced accuracy. We show that regular adversarial examples leave the data manifold in an almost orthogonal direction. While we find no inherent trade-off between robustness and accuracy, this contributes to a higher sample complexity as well as severe overfitting of adversarial training. Using a novel measure of flatness in the robust loss landscape with respect to weight changes, we also show that robust overfitting is caused by converging to particularly sharp minima. In fact, we find a clear correlation between flatness and good robust generalization. Further, we study random and adversarial bit errors in quantized weights. In accelerators, random bit errors occur in the memory when reducing voltage with the goal of improving energy-efficiency. Here, we consider a robust quantization scheme, use weight clipping as regularization and perform random bit error training to improve bit error robustness, allowing considerable energy savings without requiring hardware changes. In contrast, adversarial bit errors are maliciously introduced through hardware- or software-based attacks on the memory, with severe consequences on performance. We propose a novel adversarial bit error attack to study this threat and use adversarial bit error training to improve robustness and thereby also the accelerator's security. Finally, we view robustness in the context of uncertainty estimation. By encouraging low-confidence predictions on adversarial examples, our confidence-calibrated adversarial training successfully rejects adversarial, corrupted as well as out-of-distribution examples at test time. Thereby, we are also able to improve the robustness-accuracy trade-off compared to regular adversarial training. However, even robust models do not provide any guarantee for safe deployment. To address this problem, conformal prediction allows the model to predict confidence sets with user-specified guarantee of including the true label. Unfortunately, as conformal prediction is usually applied after training, the model is trained without taking this calibration step into account. To address this limitation, we propose conformal training which allows training conformal predictors end-to-end with the underlying model. This not only improves the obtained uncertainty estimates but also enables optimizing application-specific objectives without losing the provided guarantee. Besides our work on robustness or uncertainty, we also address the problem of 3D shape completion of partially observed point clouds. Specifically, we consider an autonomous driving or robotics setting where vehicles are commonly equipped with LiDAR or depth sensors and obtaining a complete 3D representation of the environment is crucial. However, ground truth shapes that are essential for applying deep learning techniques are extremely difficult to obtain. Thus, we propose a weakly-supervised approach that can be trained on the incomplete point clouds while offering efficient inference. In summary, this thesis contributes to our understanding of robustness against both input and weight perturbations. To this end, we also develop methods to improve robustness alongside uncertainty estimation for safe deployment of deep learning methods in high-stakes applications. In the particular context of autonomous driving, we also address 3D shape completion of sparse point clouds.
%U https://publikationen.sulb.uni-saarland.de/handle/20.500.11880/33949

N. P. Walter, D. Stutz, and B. Schiele

“On Fragile Features and Batch Normalization in Adversarial Training,” 2022. [Online]. Available: https://arxiv.org/abs/2204.12393.

Abstract

Modern deep learning architecture utilize batch normalization (BN) to
stabilize training and improve accuracy. It has been shown that the BN layers
alone are surprisingly expressive. In the context of robustness against
adversarial examples, however, BN is argued to increase vulnerability. That is,
BN helps to learn fragile features. Nevertheless, BN is still used in
adversarial training, which is the de-facto standard to learn robust features.
In order to shed light on the role of BN in adversarial training, we
investigate to what extent the expressiveness of BN can be used to robustify
fragile features in comparison to random features. On CIFAR10, we find that
adversarially fine-tuning just the BN layers can result in non-trivial
adversarial robustness. Adversarially training only the BN layers from scratch,
in contrast, is not able to convey meaningful adversarial robustness. Our
results indicate that fragile features can be used to learn models with
moderate adversarial robustness, while random features cannot

BibTeX

@online{Walter2204.12393,
TITLE = {On Fragile Features and Batch Normalization in Adversarial Training},
AUTHOR = {Walter, Nils Philipp and Stutz, David and Schiele, Bernt},
LANGUAGE = {eng},
URL = {https://arxiv.org/abs/2204.12393},
EPRINT = {2204.12393},
EPRINTTYPE = {arXiv},
YEAR = {2022},
ABSTRACT = {Modern deep learning architecture utilize batch normalization (BN) to<br>stabilize training and improve accuracy. It has been shown that the BN layers<br>alone are surprisingly expressive. In the context of robustness against<br>adversarial examples, however, BN is argued to increase vulnerability. That is,<br>BN helps to learn fragile features. Nevertheless, BN is still used in<br>adversarial training, which is the de-facto standard to learn robust features.<br>In order to shed light on the role of BN in adversarial training, we<br>investigate to what extent the expressiveness of BN can be used to robustify<br>fragile features in comparison to random features. On CIFAR10, we find that<br>adversarially fine-tuning just the BN layers can result in non-trivial<br>adversarial robustness. Adversarially training only the BN layers from scratch,<br>in contrast, is not able to convey meaningful adversarial robustness. Our<br>results indicate that fragile features can be used to learn models with<br>moderate adversarial robustness, while random features cannot<br>},
}

Endnote

%0 Report
%A Walter, Nils Philipp
%A Stutz, David
%A Schiele, Bernt
%+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
%T On Fragile Features and Batch Normalization in Adversarial Training : 
%G eng
%U http://hdl.handle.net/21.11116/0000-000C-1843-E
%U https://arxiv.org/abs/2204.12393
%D 2022
%X   Modern deep learning architecture utilize batch normalization (BN) to<br>stabilize training and improve accuracy. It has been shown that the BN layers<br>alone are surprisingly expressive. In the context of robustness against<br>adversarial examples, however, BN is argued to increase vulnerability. That is,<br>BN helps to learn fragile features. Nevertheless, BN is still used in<br>adversarial training, which is the de-facto standard to learn robust features.<br>In order to shed light on the role of BN in adversarial training, we<br>investigate to what extent the expressiveness of BN can be used to robustify<br>fragile features in comparison to random features. On CIFAR10, we find that<br>adversarially fine-tuning just the BN layers can result in non-trivial<br>adversarial robustness. Adversarially training only the BN layers from scratch,<br>in contrast, is not able to convey meaningful adversarial robustness. Our<br>results indicate that fragile features can be used to learn models with<br>moderate adversarial robustness, while random features cannot<br>
%K Computer Science, Learning, cs.LG,Computer Science, Cryptography and Security, cs.CR,Computer Science, Computer Vision and Pattern Recognition, cs.CV,Statistics, Machine Learning, stat.ML

2021

D. Stutz, M. Hein, and B. Schiele

“Relating Adversarially Robust Generalization to Flat Minima,” in ICCV 2021, IEEE/CVF International Conference on Computer Vision, Virtual Event, 2021.

@inproceedings{Stutz_ICCV21,
TITLE = {Relating Adversarially Robust Generalization to Flat Minima},
AUTHOR = {Stutz, David and Hein, Matthias and Schiele, Bernt},
LANGUAGE = {eng},
ISBN = {978-1-6654-2812-5},
DOI = {10.1109/ICCV48922.2021.00771},
PUBLISHER = {IEEE},
YEAR = {2021},
BOOKTITLE = {ICCV 2021, IEEE/CVF International Conference on Computer Vision},
PAGES = {7787--7797},
ADDRESS = {Virtual Event},
}

Endnote

%0 Conference Proceedings
%A Stutz, David
%A Hein, Matthias
%A Schiele, Bernt
%+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
External Organizations
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
%T Relating Adversarially Robust Generalization to Flat Minima : 
%G eng
%U http://hdl.handle.net/21.11116/0000-0009-8101-3
%R 10.1109/ICCV48922.2021.00771
%D 2021
%B IEEE/CVF International Conference on Computer Vision
%Z date of event: 2021-10-11 - 2021-10-17
%C Virtual Event
%B ICCV 2021
%P 7787 - 7797
%I IEEE
%@ 978-1-6654-2812-5

D. Stutz, N. Chandramoorthy, M. Hein, and B. Schiele

“Bit Error Robustness for Energy-Efficient DNN Accelerators,” in Proceedings of the 4th MLSys Conference, Virtual Conference, 2021.

Abstract

Deep neural network (DNN) accelerators received considerable attention in
past years due to saved energy compared to mainstream hardware. Low-voltage
operation of DNN accelerators allows to further reduce energy consumption
significantly, however, causes bit-level failures in the memory storing the
quantized DNN weights. In this paper, we show that a combination of robust
fixed-point quantization, weight clipping, and random bit error training
(RandBET) improves robustness against random bit errors in (quantized) DNN
weights significantly. This leads to high energy savings from both low-voltage
operation as well as low-precision quantization. Our approach generalizes
across operating voltages and accelerators, as demonstrated on bit errors from
profiled SRAM arrays. We also discuss why weight clipping alone is already a
quite effective way to achieve robustness against bit errors. Moreover, we
specifically discuss the involved trade-offs regarding accuracy, robustness and
precision: Without losing more than 1% in accuracy compared to a normally
trained 8-bit DNN, we can reduce energy consumption on CIFAR-10 by 20%. Higher
energy savings of, e.g., 30%, are possible at the cost of 2.5% accuracy, even
for 4-bit DNNs.

BibTeX

@inproceedings{StutzMLSYS2021,
TITLE = {Bit Error Robustness for Energy-Efficient {DNN} Accelerators},
AUTHOR = {Stutz, David and Chandramoorthy, Nandhini and Hein, Matthias and Schiele, Bernt},
LANGUAGE = {eng},
PUBLISHER = {mlsys.org},
YEAR = {2021},
ABSTRACT = {Deep neural network (DNN) accelerators received considerable attention in<br>past years due to saved energy compared to mainstream hardware. Low-voltage<br>operation of DNN accelerators allows to further reduce energy consumption<br>significantly, however, causes bit-level failures in the memory storing the<br>quantized DNN weights. In this paper, we show that a combination of robust<br>fixed-point quantization, weight clipping, and random bit error training<br>(RandBET) improves robustness against random bit errors in (quantized) DNN<br>weights significantly. This leads to high energy savings from both low-voltage<br>operation as well as low-precision quantization. Our approach generalizes<br>across operating voltages and accelerators, as demonstrated on bit errors from<br>profiled SRAM arrays. We also discuss why weight clipping alone is already a<br>quite effective way to achieve robustness against bit errors. Moreover, we<br>specifically discuss the involved trade-offs regarding accuracy, robustness and<br>precision: Without losing more than 1% in accuracy compared to a normally<br>trained 8-bit DNN, we can reduce energy consumption on CIFAR-10 by 20%. Higher<br>energy savings of, e.g., 30%, are possible at the cost of 2.5% accuracy, even<br>for 4-bit DNNs.<br>},
BOOKTITLE = {Proceedings of the 4th MLSys Conference},
EDITOR = {Smola, A. and Dimakis, A. and Stoica, I.},
ADDRESS = {Virtual Conference},
}

Endnote

%0 Conference Proceedings
%A Stutz, David
%A Chandramoorthy, Nandhini
%A Hein, Matthias
%A Schiele, Bernt
%+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
External Organizations
External Organizations
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
%T Bit Error Robustness for Energy-Efficient DNN Accelerators : 
%G eng
%U http://hdl.handle.net/21.11116/0000-0007-80D4-8
%D 2021
%B Fourth Conference on Machine Learning and Systems
%Z date of event: 2021-04-05 - 2021-04-09
%C Virtual Conference
%X   Deep neural network (DNN) accelerators received considerable attention in<br>past years due to saved energy compared to mainstream hardware. Low-voltage<br>operation of DNN accelerators allows to further reduce energy consumption<br>significantly, however, causes bit-level failures in the memory storing the<br>quantized DNN weights. In this paper, we show that a combination of robust<br>fixed-point quantization, weight clipping, and random bit error training<br>(RandBET) improves robustness against random bit errors in (quantized) DNN<br>weights significantly. This leads to high energy savings from both low-voltage<br>operation as well as low-precision quantization. Our approach generalizes<br>across operating voltages and accelerators, as demonstrated on bit errors from<br>profiled SRAM arrays. We also discuss why weight clipping alone is already a<br>quite effective way to achieve robustness against bit errors. Moreover, we<br>specifically discuss the involved trade-offs regarding accuracy, robustness and<br>precision: Without losing more than 1% in accuracy compared to a normally<br>trained 8-bit DNN, we can reduce energy consumption on CIFAR-10 by 20%. Higher<br>energy savings of, e.g., 30%, are possible at the cost of 2.5% accuracy, even<br>for 4-bit DNNs.<br>
%K Computer Science, Learning, cs.LG,Computer Science, Architecture, cs.AR,Computer Science, Cryptography and Security, cs.CR,Computer Science, Computer Vision and Pattern Recognition, cs.CV,Statistics, Machine Learning, stat.ML
%B Proceedings of the 4th MLSys Conference
%E Smola, A.; Dimakis, A.; Stoica, I.
%I mlsys.org

2020

S. Rao, D. Stutz, and B. Schiele

“Adversarial Training Against Location-Optimized Adversarial Patches,” in Computer Vision -- ECCV Workshops 2020, Glasgow, UK, 2021.

@inproceedings{DBLP:conf/eccv/RaoSS20,
TITLE = {Adversarial Training Against Location-Optimized Adversarial Patches},
AUTHOR = {Rao, Sukrut and Stutz, David and Schiele, Bernt},
LANGUAGE = {eng},
ISBN = {978-3-030-68237-8},
DOI = {10.1007/978-3-030-68238-5_32},
PUBLISHER = {Springer},
YEAR = {2020},
DATE = {2021},
BOOKTITLE = {Computer Vision -- ECCV Workshops 2020},
EDITOR = {Bartoli, Adrian and Fusiello, Andrea},
PAGES = {429--448},
SERIES = {Lecture Notes in Computer Science},
VOLUME = {12539},
ADDRESS = {Glasgow, UK},
}

Endnote

%0 Conference Proceedings
%A Rao, Sukrut
%A Stutz, David
%A Schiele, Bernt
%+ Computer Graphics, MPI for Informatics, Max Planck Society
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
%T Adversarial Training Against Location-Optimized Adversarial Patches : 
%G eng
%U http://hdl.handle.net/21.11116/0000-0008-1662-1
%R 10.1007/978-3-030-68238-5_32
%D 2021
%B 16th European Conference on Computer Vision
%Z date of event: 2020-08-23 - 2020-08-28
%C Glasgow, UK
%B Computer Vision -- ECCV Workshops 2020 
%E Bartoli, Adrian; Fusiello, Andrea
%P 429 - 448
%I Springer
%@ 978-3-030-68237-8
%B Lecture Notes in Computer Science
%N 12539

D. Stutz, M. Hein, and B. Schiele

“Confidence-Calibrated Adversarial Training: Generalizing to Unseen Attacks,” in Proceedings of the 37th International Conference on Machine Learning (ICML 2020), Virtual Conference, 2020.

@inproceedings{DBLP:conf/icml/Stutz0S20,
TITLE = {Confidence-Calibrated Adversarial Training: {G}eneralizing to Unseen Attacks},
AUTHOR = {Stutz, David and Hein, Matthias and Schiele, Bernt},
LANGUAGE = {eng},
ISSN = {2640-3498},
PUBLISHER = {MLResearchPress},
YEAR = {2020},
BOOKTITLE = {Proceedings of the 37th International Conference on Machine Learning (ICML 2020)},
EDITOR = {Daum{\'e}, Hal and Singh, Aarti},
PAGES = {9155--9166},
SERIES = {Proceedings of Machine Learning Research},
VOLUME = {119},
ADDRESS = {Virtual Conference},
}

Endnote

%0 Conference Proceedings
%A Stutz, David
%A Hein, Matthias
%A Schiele, Bernt
%+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
External Organizations
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
%T Confidence-Calibrated Adversarial Training: Generalizing to Unseen Attacks : 
%G eng
%U http://hdl.handle.net/21.11116/0000-0007-AA75-6
%D 2020
%B 37th International Conference on Machine Learning
%Z date of event: 2020-07-13 - 2020-07-18
%C Virtual Conference
%B Proceedings of the 37th International Conference on Machine Learning
%E Daum&#233;, Hal; Singh, Aarti
%P 9155 - 9166
%I MLResearchPress
%B Proceedings of Machine Learning Research
%N 119
%@ false
%U http://proceedings.mlr.press/v119/stutz20a/stutz20a.pdf

2019

D. Stutz, M. Hein, and B. Schiele

“Disentangling Adversarial Robustness and Generalization,” in IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2019), Long Beach, CA, USA, 2019.

@inproceedings{Stutz2018ARXIV,
TITLE = {Disentangling Adversarial Robustness and Generalization},
AUTHOR = {Stutz, David and Hein,, Matthias and Schiele, Bernt},
LANGUAGE = {eng},
ISBN = {978-1-7281-3293-8},
DOI = {10.1109/CVPR.2019.00714},
PUBLISHER = {IEEE},
YEAR = {2019},
BOOKTITLE = {IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2019)},
PAGES = {6969--6980},
ADDRESS = {Long Beach, CA, USA},
}

Endnote

%0 Conference Proceedings
%A Stutz, David
%A Hein,, Matthias
%A Schiele, Bernt
%+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
External Organizations
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
%T Disentangling Adversarial Robustness and Generalization : 
%G eng
%U http://hdl.handle.net/21.11116/0000-0002-A285-0
%R 10.1109/CVPR.2019.00714
%D 2019
%B 32nd IEEE Conference on Computer Vision and Pattern Recognition
%Z date of event: 2019-06-16 - 2019-06-20
%C Long Beach, CA, USA
%B IEEE/CVF Conference on Computer Vision and Pattern Recognition
%P 6969 - 6980
%I IEEE
%@ 978-1-7281-3293-8

D. Stutz, M. Hein, and B. Schiele

“Confidence-Calibrated Adversarial Training and Detection: More Robust Models Generalizing Beyond the Attack Used During Training,” 2019. [Online]. Available: http://arxiv.org/abs/1910.06259.

Abstract

Adversarial training is the standard to train models robust against
adversarial examples. However, especially for complex datasets, adversarial
training incurs a significant loss in accuracy and is known to generalize
poorly to stronger attacks, e.g., larger perturbations or other threat models.
In this paper, we introduce confidence-calibrated adversarial training (CCAT)
where the key idea is to enforce that the confidence on adversarial examples
decays with their distance to the attacked examples. We show that CCAT
preserves better the accuracy of normal training while robustness against
adversarial examples is achieved via confidence thresholding, i.e., detecting
adversarial examples based on their confidence. Most importantly, in strong
contrast to adversarial training, the robustness of CCAT generalizes to larger
perturbations and other threat models, not encountered during training. For
evaluation, we extend the commonly used robust test error to our detection
setting, present an adaptive attack with backtracking and allow the attacker to
select, per test example, the worst-case adversarial example from multiple
black- and white-box attacks. We present experimental results using $L_\infty$,
$L_2$, $L_1$ and $L_0$ attacks on MNIST, SVHN and Cifar10.

BibTeX

@online{Stutz_arXiv1910.06259,
TITLE = {Confidence-Calibrated Adversarial Training and Detection: More Robust Models Generalizing Beyond the Attack Used During Training},
AUTHOR = {Stutz, David and Hein, Matthias and Schiele, Bernt},
LANGUAGE = {eng},
URL = {http://arxiv.org/abs/1910.06259},
EPRINT = {1910.06259},
EPRINTTYPE = {arXiv},
YEAR = {2019},
ABSTRACT = {Adversarial training is the standard to train models robust against<br>adversarial examples. However, especially for complex datasets, adversarial<br>training incurs a significant loss in accuracy and is known to generalize<br>poorly to stronger attacks, e.g., larger perturbations or other threat models.<br>In this paper, we introduce confidence-calibrated adversarial training (CCAT)<br>where the key idea is to enforce that the confidence on adversarial examples<br>decays with their distance to the attacked examples. We show that CCAT<br>preserves better the accuracy of normal training while robustness against<br>adversarial examples is achieved via confidence thresholding, i.e., detecting<br>adversarial examples based on their confidence. Most importantly, in strong<br>contrast to adversarial training, the robustness of CCAT generalizes to larger<br>perturbations and other threat models, not encountered during training. For<br>evaluation, we extend the commonly used robust test error to our detection<br>setting, present an adaptive attack with backtracking and allow the attacker to<br>select, per test example, the worst-case adversarial example from multiple<br>black- and white-box attacks. We present experimental results using $L_\infty$,<br>$L_2$, $L_1$ and $L_0$ attacks on MNIST, SVHN and Cifar10.<br>},
}

Endnote

%0 Report
%A Stutz, David
%A Hein, Matthias
%A Schiele, Bernt
%+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
External Organizations
Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society
%T Confidence-Calibrated Adversarial Training and Detection: More Robust
  Models Generalizing Beyond the Attack Used During Training : 
%G eng
%U http://hdl.handle.net/21.11116/0000-0005-5559-8
%U http://arxiv.org/abs/1910.06259
%D 2019
%X   Adversarial training is the standard to train models robust against<br>adversarial examples. However, especially for complex datasets, adversarial<br>training incurs a significant loss in accuracy and is known to generalize<br>poorly to stronger attacks, e.g., larger perturbations or other threat models.<br>In this paper, we introduce confidence-calibrated adversarial training (CCAT)<br>where the key idea is to enforce that the confidence on adversarial examples<br>decays with their distance to the attacked examples. We show that CCAT<br>preserves better the accuracy of normal training while robustness against<br>adversarial examples is achieved via confidence thresholding, i.e., detecting<br>adversarial examples based on their confidence. Most importantly, in strong<br>contrast to adversarial training, the robustness of CCAT generalizes to larger<br>perturbations and other threat models, not encountered during training. For<br>evaluation, we extend the commonly used robust test error to our detection<br>setting, present an adaptive attack with backtracking and allow the attacker to<br>select, per test example, the worst-case adversarial example from multiple<br>black- and white-box attacks. We present experimental results using $L_\infty$,<br>$L_2$, $L_1$ and $L_0$ attacks on MNIST, SVHN and Cifar10.<br>
%K Computer Science, Learning, cs.LG,Computer Science, Cryptography and Security, cs.CR,Computer Science, Computer Vision and Pattern Recognition, cs.CV,Statistics, Machine Learning, stat.ML

2018

D. Stutz and A. Geiger

“Learning 3D Shape Completion from Laser Scan Data with Weak Supervision,” in IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2018), Salt Lake City, UT, USA, 2018.

@inproceedings{Stutz2018CVPRb,
TITLE = {Learning {3D} Shape Completion from Laser Scan Data with Weak Supervision},
AUTHOR = {Stutz, David and Geiger, Andreas},
LANGUAGE = {eng},
ISBN = {978-1-5386-6420-9},
DOI = {10.1109/CVPR.2018.00209},
PUBLISHER = {IEEE},
YEAR = {2018},
BOOKTITLE = {IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2018)},
PAGES = {1955--1964},
ADDRESS = {Salt Lake City, UT, USA},
}

Endnote

%0 Conference Proceedings
%A Stutz, David
%A Geiger, Andreas
%+ Computer Vision and Multimodal Computing, MPI for Informatics, Max Planck Society
External Organizations
%T Learning 3D Shape Completion from Laser Scan Data with Weak Supervision : 
%G eng
%U http://hdl.handle.net/21.11116/0000-0002-A296-D
%R 10.1109/CVPR.2018.00209
%D 2018
%B 31st IEEE Conference on Computer Vision and Pattern Recognition 
%Z date of event: 2018-06-18 - 2018-06-22
%C Salt Lake City, UT, USA
%B IEEE/CVF Conference on Computer Vision and Pattern Recognition 
%P 1955 - 1964
%I IEEE
%@ 978-1-5386-6420-9

D. Stutz and A. Geiger

“Learning 3D Shape Completion under Weak Supervision,” International Journal of Computer Vision, vol. 128, 2018.

@article{Stutz2018IJCV,
TITLE = {Learning {3D} Shape Completion under Weak Supervision},
AUTHOR = {Stutz, David and Geiger, Andreas},
LANGUAGE = {eng},
ISSN = {0920-5691},
DOI = {10.1007/s11263-018-1126-y},
PUBLISHER = {Springer},
ADDRESS = {New York, NY},
YEAR = {2018},
JOURNAL = {International Journal of Computer Vision},
VOLUME = {128},
PAGES = {1162--1181},
}

Endnote

%0 Journal Article
%A Stutz, David
%A Geiger, Andreas
%+ Computer Vision and Multimodal Computing, MPI for Informatics, Max Planck Society
External Organizations
%T Learning 3D Shape Completion under Weak Supervision : 
%G eng
%U http://hdl.handle.net/21.11116/0000-0002-A28C-9
%R 10.1007/s11263-018-1126-y
%7 2018
%D 2018
%J International Journal of Computer Vision
%O Int. J. Comput. Vis.
%V 128
%& 1162
%P 1162 - 1181
%I Springer
%C New York, NY
%@ false