D2
Computer Vision and Machine Learning

David Stutz (PhD Student)

MSc David Stutz

Address
Max-Planck-Institut für Informatik
Saarland Informatics Campus
Campus
Location
-
Phone
+49 681 9325 0
Fax
+49 681 9325 2099

Personal Information

About Me | Blog | CV | GitHub | LinkedIn | Google Scholar

Bachelor/master theses available; topics on adversarial robustness — robustness of deep neural networks against adversarial examples.

Publications

Stutz, D., Hein, M., & Schiele, B. (2021). Relating Adversarially Robust Generalization to Flat Minima. In IEEE/CVF International Conference on Computer Vision (ICCV 2021). Virtual Event: IEEE. doi:10.1109/ICCV48922.2021.00771
Export
BibTeX
@inproceedings{Stutz_ICCV21, TITLE = {Relating Adversarially Robust Generalization to Flat Minima}, AUTHOR = {Stutz, David and Hein, Matthias and Schiele, Bernt}, LANGUAGE = {eng}, ISBN = {978-1-6654-2812-5}, DOI = {10.1109/ICCV48922.2021.00771}, PUBLISHER = {IEEE}, YEAR = {2021}, MARGINALMARK = {$\bullet$}, BOOKTITLE = {IEEE/CVF International Conference on Computer Vision (ICCV 2021)}, PAGES = {7787--7797}, ADDRESS = {Virtual Event}, }
Endnote
%0 Conference Proceedings %A Stutz, David %A Hein, Matthias %A Schiele, Bernt %+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society External Organizations Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society %T Relating Adversarially Robust Generalization to Flat Minima : %G eng %U http://hdl.handle.net/21.11116/0000-0009-8101-3 %R 10.1109/ICCV48922.2021.00771 %D 2021 %B International Conference on Computer Vision %Z date of event: 2021-10-11 - 2021-10-17 %C Virtual Event %B IEEE/CVF International Conference on Computer Vision %P 7787 - 7797 %I IEEE %@ 978-1-6654-2812-5
Stutz, D. (2022). Understanding and Improving Robustness and Uncertainty Estimation in Deep Learning. Universität des Saarlandes, Saarbrücken. Retrieved from nbn:de:bsz:291--ds-372867
Abstract
Deep learning is becoming increasingly relevant for many high-stakes applications such as autonomous driving or medical diagnosis where wrong decisions can have massive impact on human lives. Unfortunately, deep neural networks are typically assessed solely based on generalization, e.g., accuracy on a fixed test set. However, this is clearly insufficient for safe deployment as potential malicious actors and distribution shifts or the effects of quantization and unreliable hardware are disregarded. Thus, recent work additionally evaluates performance on potentially manipulated or corrupted inputs as well as after quantization and deployment on specialized hardware. In such settings, it is also important to obtain reasonable estimates of the model's confidence alongside its predictions. This thesis studies robustness and uncertainty estimation in deep learning along three main directions: First, we consider so-called adversarial examples, slightly perturbed inputs causing severe drops in accuracy. Second, we study weight perturbations, focusing particularly on bit errors in quantized weights. This is relevant for deploying models on special-purpose hardware for efficient inference, so-called accelerators. Finally, we address uncertainty estimation to improve robustness and provide meaningful statistical performance guarantees for safe deployment. In detail, we study the existence of adversarial examples with respect to the underlying data manifold. In this context, we also investigate adversarial training which improves robustness by augmenting training with adversarial examples at the cost of reduced accuracy. We show that regular adversarial examples leave the data manifold in an almost orthogonal direction. While we find no inherent trade-off between robustness and accuracy, this contributes to a higher sample complexity as well as severe overfitting of adversarial training. Using a novel measure of flatness in the robust loss landscape with respect to weight changes, we also show that robust overfitting is caused by converging to particularly sharp minima. In fact, we find a clear correlation between flatness and good robust generalization. Further, we study random and adversarial bit errors in quantized weights. In accelerators, random bit errors occur in the memory when reducing voltage with the goal of improving energy-efficiency. Here, we consider a robust quantization scheme, use weight clipping as regularization and perform random bit error training to improve bit error robustness, allowing considerable energy savings without requiring hardware changes. In contrast, adversarial bit errors are maliciously introduced through hardware- or software-based attacks on the memory, with severe consequences on performance. We propose a novel adversarial bit error attack to study this threat and use adversarial bit error training to improve robustness and thereby also the accelerator's security. Finally, we view robustness in the context of uncertainty estimation. By encouraging low-confidence predictions on adversarial examples, our confidence-calibrated adversarial training successfully rejects adversarial, corrupted as well as out-of-distribution examples at test time. Thereby, we are also able to improve the robustness-accuracy trade-off compared to regular adversarial training. However, even robust models do not provide any guarantee for safe deployment. To address this problem, conformal prediction allows the model to predict confidence sets with user-specified guarantee of including the true label. Unfortunately, as conformal prediction is usually applied after training, the model is trained without taking this calibration step into account. To address this limitation, we propose conformal training which allows training conformal predictors end-to-end with the underlying model. This not only improves the obtained uncertainty estimates but also enables optimizing application-specific objectives without losing the provided guarantee. Besides our work on robustness or uncertainty, we also address the problem of 3D shape completion of partially observed point clouds. Specifically, we consider an autonomous driving or robotics setting where vehicles are commonly equipped with LiDAR or depth sensors and obtaining a complete 3D representation of the environment is crucial. However, ground truth shapes that are essential for applying deep learning techniques are extremely difficult to obtain. Thus, we propose a weakly-supervised approach that can be trained on the incomplete point clouds while offering efficient inference. In summary, this thesis contributes to our understanding of robustness against both input and weight perturbations. To this end, we also develop methods to improve robustness alongside uncertainty estimation for safe deployment of deep learning methods in high-stakes applications. In the particular context of autonomous driving, we also address 3D shape completion of sparse point clouds.
Export
BibTeX
@phdthesis{Stutzphd2022, TITLE = {Understanding and Improving Robustness and Uncertainty Estimation in Deep Learning}, AUTHOR = {Stutz, David}, LANGUAGE = {eng}, URL = {nbn:de:bsz:291--ds-372867}, DOI = {10.22028/D291-37286}, SCHOOL = {Universit{\"a}t des Saarlandes}, ADDRESS = {Saarbr{\"u}cken}, YEAR = {2022}, MARGINALMARK = {$\bullet$}, DATE = {2022}, ABSTRACT = {Deep learning is becoming increasingly relevant for many high-stakes applications such as autonomous driving or medical diagnosis where wrong decisions can have massive impact on human lives. Unfortunately, deep neural networks are typically assessed solely based on generalization, e.g., accuracy on a fixed test set. However, this is clearly insufficient for safe deployment as potential malicious actors and distribution shifts or the effects of quantization and unreliable hardware are disregarded. Thus, recent work additionally evaluates performance on potentially manipulated or corrupted inputs as well as after quantization and deployment on specialized hardware. In such settings, it is also important to obtain reasonable estimates of the model's confidence alongside its predictions. This thesis studies robustness and uncertainty estimation in deep learning along three main directions: First, we consider so-called adversarial examples, slightly perturbed inputs causing severe drops in accuracy. Second, we study weight perturbations, focusing particularly on bit errors in quantized weights. This is relevant for deploying models on special-purpose hardware for efficient inference, so-called accelerators. Finally, we address uncertainty estimation to improve robustness and provide meaningful statistical performance guarantees for safe deployment. In detail, we study the existence of adversarial examples with respect to the underlying data manifold. In this context, we also investigate adversarial training which improves robustness by augmenting training with adversarial examples at the cost of reduced accuracy. We show that regular adversarial examples leave the data manifold in an almost orthogonal direction. While we find no inherent trade-off between robustness and accuracy, this contributes to a higher sample complexity as well as severe overfitting of adversarial training. Using a novel measure of flatness in the robust loss landscape with respect to weight changes, we also show that robust overfitting is caused by converging to particularly sharp minima. In fact, we find a clear correlation between flatness and good robust generalization. Further, we study random and adversarial bit errors in quantized weights. In accelerators, random bit errors occur in the memory when reducing voltage with the goal of improving energy-efficiency. Here, we consider a robust quantization scheme, use weight clipping as regularization and perform random bit error training to improve bit error robustness, allowing considerable energy savings without requiring hardware changes. In contrast, adversarial bit errors are maliciously introduced through hardware- or software-based attacks on the memory, with severe consequences on performance. We propose a novel adversarial bit error attack to study this threat and use adversarial bit error training to improve robustness and thereby also the accelerator's security. Finally, we view robustness in the context of uncertainty estimation. By encouraging low-confidence predictions on adversarial examples, our confidence-calibrated adversarial training successfully rejects adversarial, corrupted as well as out-of-distribution examples at test time. Thereby, we are also able to improve the robustness-accuracy trade-off compared to regular adversarial training. However, even robust models do not provide any guarantee for safe deployment. To address this problem, conformal prediction allows the model to predict confidence sets with user-specified guarantee of including the true label. Unfortunately, as conformal prediction is usually applied after training, the model is trained without taking this calibration step into account. To address this limitation, we propose conformal training which allows training conformal predictors end-to-end with the underlying model. This not only improves the obtained uncertainty estimates but also enables optimizing application-specific objectives without losing the provided guarantee. Besides our work on robustness or uncertainty, we also address the problem of 3D shape completion of partially observed point clouds. Specifically, we consider an autonomous driving or robotics setting where vehicles are commonly equipped with LiDAR or depth sensors and obtaining a complete 3D representation of the environment is crucial. However, ground truth shapes that are essential for applying deep learning techniques are extremely difficult to obtain. Thus, we propose a weakly-supervised approach that can be trained on the incomplete point clouds while offering efficient inference. In summary, this thesis contributes to our understanding of robustness against both input and weight perturbations. To this end, we also develop methods to improve robustness alongside uncertainty estimation for safe deployment of deep learning methods in high-stakes applications. In the particular context of autonomous driving, we also address 3D shape completion of sparse point clouds.}, }
Endnote
%0 Thesis %A Stutz, David %Y Schiele, Bernt %A referee: Hein, Matthias %A referee: Kumar, Pawan %A referee: Fritz, Mario %+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society International Max Planck Research School, MPI for Informatics, Max Planck Society Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society External Organizations External Organizations Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society %T Understanding and Improving Robustness and Uncertainty Estimation in Deep Learning : %G eng %U http://hdl.handle.net/21.11116/0000-000B-3FE6-C %R 10.22028/D291-37286 %U nbn:de:bsz:291--ds-372867 %I Universität des Saarlandes %C Saarbrücken %D 2022 %P 291 p. %V phd %9 phd %X Deep learning is becoming increasingly relevant for many high-stakes applications such as autonomous driving or medical diagnosis where wrong decisions can have massive impact on human lives. Unfortunately, deep neural networks are typically assessed solely based on generalization, e.g., accuracy on a fixed test set. However, this is clearly insufficient for safe deployment as potential malicious actors and distribution shifts or the effects of quantization and unreliable hardware are disregarded. Thus, recent work additionally evaluates performance on potentially manipulated or corrupted inputs as well as after quantization and deployment on specialized hardware. In such settings, it is also important to obtain reasonable estimates of the model's confidence alongside its predictions. This thesis studies robustness and uncertainty estimation in deep learning along three main directions: First, we consider so-called adversarial examples, slightly perturbed inputs causing severe drops in accuracy. Second, we study weight perturbations, focusing particularly on bit errors in quantized weights. This is relevant for deploying models on special-purpose hardware for efficient inference, so-called accelerators. Finally, we address uncertainty estimation to improve robustness and provide meaningful statistical performance guarantees for safe deployment. In detail, we study the existence of adversarial examples with respect to the underlying data manifold. In this context, we also investigate adversarial training which improves robustness by augmenting training with adversarial examples at the cost of reduced accuracy. We show that regular adversarial examples leave the data manifold in an almost orthogonal direction. While we find no inherent trade-off between robustness and accuracy, this contributes to a higher sample complexity as well as severe overfitting of adversarial training. Using a novel measure of flatness in the robust loss landscape with respect to weight changes, we also show that robust overfitting is caused by converging to particularly sharp minima. In fact, we find a clear correlation between flatness and good robust generalization. Further, we study random and adversarial bit errors in quantized weights. In accelerators, random bit errors occur in the memory when reducing voltage with the goal of improving energy-efficiency. Here, we consider a robust quantization scheme, use weight clipping as regularization and perform random bit error training to improve bit error robustness, allowing considerable energy savings without requiring hardware changes. In contrast, adversarial bit errors are maliciously introduced through hardware- or software-based attacks on the memory, with severe consequences on performance. We propose a novel adversarial bit error attack to study this threat and use adversarial bit error training to improve robustness and thereby also the accelerator's security. Finally, we view robustness in the context of uncertainty estimation. By encouraging low-confidence predictions on adversarial examples, our confidence-calibrated adversarial training successfully rejects adversarial, corrupted as well as out-of-distribution examples at test time. Thereby, we are also able to improve the robustness-accuracy trade-off compared to regular adversarial training. However, even robust models do not provide any guarantee for safe deployment. To address this problem, conformal prediction allows the model to predict confidence sets with user-specified guarantee of including the true label. Unfortunately, as conformal prediction is usually applied after training, the model is trained without taking this calibration step into account. To address this limitation, we propose conformal training which allows training conformal predictors end-to-end with the underlying model. This not only improves the obtained uncertainty estimates but also enables optimizing application-specific objectives without losing the provided guarantee. Besides our work on robustness or uncertainty, we also address the problem of 3D shape completion of partially observed point clouds. Specifically, we consider an autonomous driving or robotics setting where vehicles are commonly equipped with LiDAR or depth sensors and obtaining a complete 3D representation of the environment is crucial. However, ground truth shapes that are essential for applying deep learning techniques are extremely difficult to obtain. Thus, we propose a weakly-supervised approach that can be trained on the incomplete point clouds while offering efficient inference. In summary, this thesis contributes to our understanding of robustness against both input and weight perturbations. To this end, we also develop methods to improve robustness alongside uncertainty estimation for safe deployment of deep learning methods in high-stakes applications. In the particular context of autonomous driving, we also address 3D shape completion of sparse point clouds. %U https://publikationen.sulb.uni-saarland.de/handle/20.500.11880/33949
Stutz, D., & Geiger, A. (2018a). Learning 3D Shape Completion under Weak Supervision. International Journal of Computer Vision, 128. doi:10.1007/s11263-018-1126-y
Export
BibTeX
@article{Stutz2018IJCV, TITLE = {Learning {3D} Shape Completion under Weak Supervision}, AUTHOR = {Stutz, David and Geiger, Andreas}, LANGUAGE = {eng}, ISSN = {0920-5691}, DOI = {10.1007/s11263-018-1126-y}, PUBLISHER = {Springer}, ADDRESS = {New York, NY}, YEAR = {2018}, JOURNAL = {International Journal of Computer Vision}, VOLUME = {128}, PAGES = {1162--1181}, }
Endnote
%0 Journal Article %A Stutz, David %A Geiger, Andreas %+ Computer Vision and Multimodal Computing, MPI for Informatics, Max Planck Society External Organizations %T Learning 3D Shape Completion under Weak Supervision : %G eng %U http://hdl.handle.net/21.11116/0000-0002-A28C-9 %R 10.1007/s11263-018-1126-y %7 2018 %D 2018 %J International Journal of Computer Vision %O Int. J. Comput. Vis. %V 128 %& 1162 %P 1162 - 1181 %I Springer %C New York, NY %@ false
Stutz, D., & Geiger, A. (2018b). Learning 3D Shape Completion from Laser Scan Data with Weak Supervision. In IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2018). Salt Lake City, UT, USA: IEEE. doi:10.1109/CVPR.2018.00209
Export
BibTeX
@inproceedings{Stutz2018CVPRb, TITLE = {Learning {3D} Shape Completion from Laser Scan Data with Weak Supervision}, AUTHOR = {Stutz, David and Geiger, Andreas}, LANGUAGE = {eng}, ISBN = {978-1-5386-6420-9}, DOI = {10.1109/CVPR.2018.00209}, PUBLISHER = {IEEE}, YEAR = {2018}, BOOKTITLE = {IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2018)}, PAGES = {1955--1964}, ADDRESS = {Salt Lake City, UT, USA}, }
Endnote
%0 Conference Proceedings %A Stutz, David %A Geiger, Andreas %+ Computer Vision and Multimodal Computing, MPI for Informatics, Max Planck Society External Organizations %T Learning 3D Shape Completion from Laser Scan Data with Weak Supervision : %G eng %U http://hdl.handle.net/21.11116/0000-0002-A296-D %R 10.1109/CVPR.2018.00209 %D 2018 %B 31st IEEE Conference on Computer Vision and Pattern Recognition %Z date of event: 2018-06-18 - 2018-06-22 %C Salt Lake City, UT, USA %B IEEE/CVF Conference on Computer Vision and Pattern Recognition %P 1955 - 1964 %I IEEE %@ 978-1-5386-6420-9
Stutz, D., Chandramoorthy, N., Hein, M., & Schiele, B. (2021a). Random and Adversarial Bit Error Robustness: Energy-Efficient and Secure DNN Accelerators. Retrieved from https://arxiv.org/abs/2104.08323
(arXiv: 2104.08323)
Abstract
Deep neural network (DNN) accelerators received considerable attention in<br>recent years due to the potential to save energy compared to mainstream<br>hardware. Low-voltage operation of DNN accelerators allows to further reduce<br>energy consumption significantly, however, causes bit-level failures in the<br>memory storing the quantized DNN weights. Furthermore, DNN accelerators have<br>been shown to be vulnerable to adversarial attacks on voltage controllers or<br>individual bits. In this paper, we show that a combination of robust<br>fixed-point quantization, weight clipping, as well as random bit error training<br>(RandBET) or adversarial bit error training (AdvBET) improves robustness<br>against random or adversarial bit errors in quantized DNN weights<br>significantly. This leads not only to high energy savings for low-voltage<br>operation as well as low-precision quantization, but also improves security of<br>DNN accelerators. Our approach generalizes across operating voltages and<br>accelerators, as demonstrated on bit errors from profiled SRAM arrays, and<br>achieves robustness against both targeted and untargeted bit-level attacks.<br>Without losing more than 0.8%/2% in test accuracy, we can reduce energy<br>consumption on CIFAR10 by 20%/30% for 8/4-bit quantization using RandBET.<br>Allowing up to 320 adversarial bit errors, AdvBET reduces test error from above<br>90% (chance level) to 26.22% on CIFAR10.<br>
Export
BibTeX
@online{Stutz2104.08323, TITLE = {Random and Adversarial Bit Error Robustness: {E}nergy-Efficient and Secure {DNN} Accelerators}, AUTHOR = {Stutz, David and Chandramoorthy, Nandhini and Hein, Matthias and Schiele, Bernt}, LANGUAGE = {eng}, URL = {https://arxiv.org/abs/2104.08323}, EPRINT = {2104.08323}, EPRINTTYPE = {arXiv}, YEAR = {2021}, MARGINALMARK = {$\bullet$}, ABSTRACT = {Deep neural network (DNN) accelerators received considerable attention in<br>recent years due to the potential to save energy compared to mainstream<br>hardware. Low-voltage operation of DNN accelerators allows to further reduce<br>energy consumption significantly, however, causes bit-level failures in the<br>memory storing the quantized DNN weights. Furthermore, DNN accelerators have<br>been shown to be vulnerable to adversarial attacks on voltage controllers or<br>individual bits. In this paper, we show that a combination of robust<br>fixed-point quantization, weight clipping, as well as random bit error training<br>(RandBET) or adversarial bit error training (AdvBET) improves robustness<br>against random or adversarial bit errors in quantized DNN weights<br>significantly. This leads not only to high energy savings for low-voltage<br>operation as well as low-precision quantization, but also improves security of<br>DNN accelerators. Our approach generalizes across operating voltages and<br>accelerators, as demonstrated on bit errors from profiled SRAM arrays, and<br>achieves robustness against both targeted and untargeted bit-level attacks.<br>Without losing more than 0.8%/2% in test accuracy, we can reduce energy<br>consumption on CIFAR10 by 20%/30% for 8/4-bit quantization using RandBET.<br>Allowing up to 320 adversarial bit errors, AdvBET reduces test error from above<br>90% (chance level) to 26.22% on CIFAR10.<br>}, }
Endnote
%0 Report %A Stutz, David %A Chandramoorthy, Nandhini %A Hein, Matthias %A Schiele, Bernt %+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society External Organizations External Organizations Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society %T Random and Adversarial Bit Error Robustness: Energy-Efficient and Secure DNN Accelerators : %G eng %U http://hdl.handle.net/21.11116/0000-0009-8108-C %U https://arxiv.org/abs/2104.08323 %D 2021 %X Deep neural network (DNN) accelerators received considerable attention in<br>recent years due to the potential to save energy compared to mainstream<br>hardware. Low-voltage operation of DNN accelerators allows to further reduce<br>energy consumption significantly, however, causes bit-level failures in the<br>memory storing the quantized DNN weights. Furthermore, DNN accelerators have<br>been shown to be vulnerable to adversarial attacks on voltage controllers or<br>individual bits. In this paper, we show that a combination of robust<br>fixed-point quantization, weight clipping, as well as random bit error training<br>(RandBET) or adversarial bit error training (AdvBET) improves robustness<br>against random or adversarial bit errors in quantized DNN weights<br>significantly. This leads not only to high energy savings for low-voltage<br>operation as well as low-precision quantization, but also improves security of<br>DNN accelerators. Our approach generalizes across operating voltages and<br>accelerators, as demonstrated on bit errors from profiled SRAM arrays, and<br>achieves robustness against both targeted and untargeted bit-level attacks.<br>Without losing more than 0.8%/2% in test accuracy, we can reduce energy<br>consumption on CIFAR10 by 20%/30% for 8/4-bit quantization using RandBET.<br>Allowing up to 320 adversarial bit errors, AdvBET reduces test error from above<br>90% (chance level) to 26.22% on CIFAR10.<br> %K Computer Science, Learning, cs.LG,Computer Science, Architecture, cs.AR,Computer Science, Cryptography and Security, cs.CR,Computer Science, Computer Vision and Pattern Recognition, cs.CV
Rao, S., Stutz, D., & Schiele, B. (2021). Adversarial Training Against Location-Optimized Adversarial Patches. In Computer Vision -- ECCV Workshops 2020. Glasgow, UK: Springer. doi:10.1007/978-3-030-68238-5_32
Export
BibTeX
@inproceedings{DBLP:conf/eccv/RaoSS20, TITLE = {Adversarial Training Against Location-Optimized Adversarial Patches}, AUTHOR = {Rao, Sukrut and Stutz, David and Schiele, Bernt}, LANGUAGE = {eng}, ISBN = {978-3-030-68237-8}, DOI = {10.1007/978-3-030-68238-5_32}, PUBLISHER = {Springer}, YEAR = {2020}, MARGINALMARK = {$\bullet$}, DATE = {2021}, BOOKTITLE = {Computer Vision -- ECCV Workshops 2020}, EDITOR = {Bartoli, Adrian and Fusiello, Andrea}, PAGES = {429--448}, SERIES = {Lecture Notes in Computer Science}, VOLUME = {12539}, ADDRESS = {Glasgow, UK}, }
Endnote
%0 Conference Proceedings %A Rao, Sukrut %A Stutz, David %A Schiele, Bernt %+ Computer Graphics, MPI for Informatics, Max Planck Society Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society %T Adversarial Training Against Location-Optimized Adversarial Patches : %G eng %U http://hdl.handle.net/21.11116/0000-0008-1662-1 %R 10.1007/978-3-030-68238-5_32 %D 2021 %B 16th European Conference on Computer Vision %Z date of event: 2020-08-23 - 2020-08-28 %C Glasgow, UK %B Computer Vision -- ECCV Workshops 2020 %E Bartoli, Adrian; Fusiello, Andrea %P 429 - 448 %I Springer %@ 978-3-030-68237-8 %B Lecture Notes in Computer Science %N 12539
Stutz, D., Hein,, M., & Schiele, B. (2019). Disentangling Adversarial Robustness and Generalization. In IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2019). Long Beach, CA, USA: IEEE. doi:10.1109/CVPR.2019.00714
Export
BibTeX
@inproceedings{Stutz2018ARXIV, TITLE = {Disentangling Adversarial Robustness and Generalization}, AUTHOR = {Stutz, David and Hein,, Matthias and Schiele, Bernt}, LANGUAGE = {eng}, ISBN = {978-1-7281-3293-8}, DOI = {10.1109/CVPR.2019.00714}, PUBLISHER = {IEEE}, YEAR = {2019}, BOOKTITLE = {IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2019)}, PAGES = {6969--6980}, ADDRESS = {Long Beach, CA, USA}, }
Endnote
%0 Conference Proceedings %A Stutz, David %A Hein,, Matthias %A Schiele, Bernt %+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society External Organizations Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society %T Disentangling Adversarial Robustness and Generalization : %G eng %U http://hdl.handle.net/21.11116/0000-0002-A285-0 %R 10.1109/CVPR.2019.00714 %D 2019 %B 32nd IEEE Conference on Computer Vision and Pattern Recognition %Z date of event: 2019-06-16 - 2019-06-20 %C Long Beach, CA, USA %B IEEE/CVF Conference on Computer Vision and Pattern Recognition %P 6969 - 6980 %I IEEE %@ 978-1-7281-3293-8
Stutz, D., Hein, M., & Schiele, B. (2019). Confidence-Calibrated Adversarial Training and Detection: More Robust Models Generalizing Beyond the Attack Used During Training. Retrieved from http://arxiv.org/abs/1910.06259
(arXiv: 1910.06259)
Abstract
Adversarial training is the standard to train models robust against<br>adversarial examples. However, especially for complex datasets, adversarial<br>training incurs a significant loss in accuracy and is known to generalize<br>poorly to stronger attacks, e.g., larger perturbations or other threat models.<br>In this paper, we introduce confidence-calibrated adversarial training (CCAT)<br>where the key idea is to enforce that the confidence on adversarial examples<br>decays with their distance to the attacked examples. We show that CCAT<br>preserves better the accuracy of normal training while robustness against<br>adversarial examples is achieved via confidence thresholding, i.e., detecting<br>adversarial examples based on their confidence. Most importantly, in strong<br>contrast to adversarial training, the robustness of CCAT generalizes to larger<br>perturbations and other threat models, not encountered during training. For<br>evaluation, we extend the commonly used robust test error to our detection<br>setting, present an adaptive attack with backtracking and allow the attacker to<br>select, per test example, the worst-case adversarial example from multiple<br>black- and white-box attacks. We present experimental results using $L_\infty$,<br>$L_2$, $L_1$ and $L_0$ attacks on MNIST, SVHN and Cifar10.<br>
Export
BibTeX
@online{Stutz_arXiv1910.06259, TITLE = {Confidence-Calibrated Adversarial Training and Detection: More Robust Models Generalizing Beyond the Attack Used During Training}, AUTHOR = {Stutz, David and Hein, Matthias and Schiele, Bernt}, LANGUAGE = {eng}, URL = {http://arxiv.org/abs/1910.06259}, EPRINT = {1910.06259}, EPRINTTYPE = {arXiv}, YEAR = {2019}, ABSTRACT = {Adversarial training is the standard to train models robust against<br>adversarial examples. However, especially for complex datasets, adversarial<br>training incurs a significant loss in accuracy and is known to generalize<br>poorly to stronger attacks, e.g., larger perturbations or other threat models.<br>In this paper, we introduce confidence-calibrated adversarial training (CCAT)<br>where the key idea is to enforce that the confidence on adversarial examples<br>decays with their distance to the attacked examples. We show that CCAT<br>preserves better the accuracy of normal training while robustness against<br>adversarial examples is achieved via confidence thresholding, i.e., detecting<br>adversarial examples based on their confidence. Most importantly, in strong<br>contrast to adversarial training, the robustness of CCAT generalizes to larger<br>perturbations and other threat models, not encountered during training. For<br>evaluation, we extend the commonly used robust test error to our detection<br>setting, present an adaptive attack with backtracking and allow the attacker to<br>select, per test example, the worst-case adversarial example from multiple<br>black- and white-box attacks. We present experimental results using $L_\infty$,<br>$L_2$, $L_1$ and $L_0$ attacks on MNIST, SVHN and Cifar10.<br>}, }
Endnote
%0 Report %A Stutz, David %A Hein, Matthias %A Schiele, Bernt %+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society External Organizations Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society %T Confidence-Calibrated Adversarial Training and Detection: More Robust Models Generalizing Beyond the Attack Used During Training : %G eng %U http://hdl.handle.net/21.11116/0000-0005-5559-8 %U http://arxiv.org/abs/1910.06259 %D 2019 %X Adversarial training is the standard to train models robust against<br>adversarial examples. However, especially for complex datasets, adversarial<br>training incurs a significant loss in accuracy and is known to generalize<br>poorly to stronger attacks, e.g., larger perturbations or other threat models.<br>In this paper, we introduce confidence-calibrated adversarial training (CCAT)<br>where the key idea is to enforce that the confidence on adversarial examples<br>decays with their distance to the attacked examples. We show that CCAT<br>preserves better the accuracy of normal training while robustness against<br>adversarial examples is achieved via confidence thresholding, i.e., detecting<br>adversarial examples based on their confidence. Most importantly, in strong<br>contrast to adversarial training, the robustness of CCAT generalizes to larger<br>perturbations and other threat models, not encountered during training. For<br>evaluation, we extend the commonly used robust test error to our detection<br>setting, present an adaptive attack with backtracking and allow the attacker to<br>select, per test example, the worst-case adversarial example from multiple<br>black- and white-box attacks. We present experimental results using $L_\infty$,<br>$L_2$, $L_1$ and $L_0$ attacks on MNIST, SVHN and Cifar10.<br> %K Computer Science, Learning, cs.LG,Computer Science, Cryptography and Security, cs.CR,Computer Science, Computer Vision and Pattern Recognition, cs.CV,Statistics, Machine Learning, stat.ML
Stutz, D., Chandramoorthy, N., Hein, M., & Schiele, B. (2021b). Bit Error Robustness for Energy-Efficient DNN Accelerators. In Proceedings of the 4th MLSys Conference. Virtual Conference: mlsys.org.
Abstract
Deep neural network (DNN) accelerators received considerable attention in<br>past years due to saved energy compared to mainstream hardware. Low-voltage<br>operation of DNN accelerators allows to further reduce energy consumption<br>significantly, however, causes bit-level failures in the memory storing the<br>quantized DNN weights. In this paper, we show that a combination of robust<br>fixed-point quantization, weight clipping, and random bit error training<br>(RandBET) improves robustness against random bit errors in (quantized) DNN<br>weights significantly. This leads to high energy savings from both low-voltage<br>operation as well as low-precision quantization. Our approach generalizes<br>across operating voltages and accelerators, as demonstrated on bit errors from<br>profiled SRAM arrays. We also discuss why weight clipping alone is already a<br>quite effective way to achieve robustness against bit errors. Moreover, we<br>specifically discuss the involved trade-offs regarding accuracy, robustness and<br>precision: Without losing more than 1% in accuracy compared to a normally<br>trained 8-bit DNN, we can reduce energy consumption on CIFAR-10 by 20%. Higher<br>energy savings of, e.g., 30%, are possible at the cost of 2.5% accuracy, even<br>for 4-bit DNNs.<br>
Export
BibTeX
@inproceedings{StutzMLSYS2021, TITLE = {Bit Error Robustness for Energy-Efficient {DNN} Accelerators}, AUTHOR = {Stutz, David and Chandramoorthy, Nandhini and Hein, Matthias and Schiele, Bernt}, LANGUAGE = {eng}, PUBLISHER = {mlsys.org}, YEAR = {2021}, MARGINALMARK = {$\bullet$}, ABSTRACT = {Deep neural network (DNN) accelerators received considerable attention in<br>past years due to saved energy compared to mainstream hardware. Low-voltage<br>operation of DNN accelerators allows to further reduce energy consumption<br>significantly, however, causes bit-level failures in the memory storing the<br>quantized DNN weights. In this paper, we show that a combination of robust<br>fixed-point quantization, weight clipping, and random bit error training<br>(RandBET) improves robustness against random bit errors in (quantized) DNN<br>weights significantly. This leads to high energy savings from both low-voltage<br>operation as well as low-precision quantization. Our approach generalizes<br>across operating voltages and accelerators, as demonstrated on bit errors from<br>profiled SRAM arrays. We also discuss why weight clipping alone is already a<br>quite effective way to achieve robustness against bit errors. Moreover, we<br>specifically discuss the involved trade-offs regarding accuracy, robustness and<br>precision: Without losing more than 1% in accuracy compared to a normally<br>trained 8-bit DNN, we can reduce energy consumption on CIFAR-10 by 20%. Higher<br>energy savings of, e.g., 30%, are possible at the cost of 2.5% accuracy, even<br>for 4-bit DNNs.<br>}, BOOKTITLE = {Proceedings of the 4th MLSys Conference}, EDITOR = {Smola, A. and Dimakis, A. and Stoica, I.}, ADDRESS = {Virtual Conference}, }
Endnote
%0 Conference Proceedings %A Stutz, David %A Chandramoorthy, Nandhini %A Hein, Matthias %A Schiele, Bernt %+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society External Organizations External Organizations Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society %T Bit Error Robustness for Energy-Efficient DNN Accelerators : %G eng %U http://hdl.handle.net/21.11116/0000-0007-80D4-8 %D 2021 %B Fourth Conference on Machine Learning and Systems %Z date of event: 2021-04-05 - 2021-04-09 %C Virtual Conference %X Deep neural network (DNN) accelerators received considerable attention in<br>past years due to saved energy compared to mainstream hardware. Low-voltage<br>operation of DNN accelerators allows to further reduce energy consumption<br>significantly, however, causes bit-level failures in the memory storing the<br>quantized DNN weights. In this paper, we show that a combination of robust<br>fixed-point quantization, weight clipping, and random bit error training<br>(RandBET) improves robustness against random bit errors in (quantized) DNN<br>weights significantly. This leads to high energy savings from both low-voltage<br>operation as well as low-precision quantization. Our approach generalizes<br>across operating voltages and accelerators, as demonstrated on bit errors from<br>profiled SRAM arrays. We also discuss why weight clipping alone is already a<br>quite effective way to achieve robustness against bit errors. Moreover, we<br>specifically discuss the involved trade-offs regarding accuracy, robustness and<br>precision: Without losing more than 1% in accuracy compared to a normally<br>trained 8-bit DNN, we can reduce energy consumption on CIFAR-10 by 20%. Higher<br>energy savings of, e.g., 30%, are possible at the cost of 2.5% accuracy, even<br>for 4-bit DNNs.<br> %K Computer Science, Learning, cs.LG,Computer Science, Architecture, cs.AR,Computer Science, Cryptography and Security, cs.CR,Computer Science, Computer Vision and Pattern Recognition, cs.CV,Statistics, Machine Learning, stat.ML %B Proceedings of the 4th MLSys Conference %E Smola, A.; Dimakis, A.; Stoica, I. %I mlsys.org
Guo, Y., Stutz, D., & Schiele, B. (n.d.). Improving Robustness by Enhancing Weak Subnets. In European Conference on Computer Vision (ECCV 2022). Tel Aviv, Israel: Springer.
(Accepted/in press)
Export
BibTeX
@inproceedings{Guo_ECCV2022, TITLE = {Improving Robustness by Enhancing Weak Subnets}, AUTHOR = {Guo, Yong and Stutz, David and Schiele, Bernt}, LANGUAGE = {eng}, PUBLISHER = {Springer}, YEAR = {2022}, PUBLREMARK = {Accepted}, MARGINALMARK = {$\bullet$}, BOOKTITLE = {European Conference on Computer Vision (ECCV 2022)}, SERIES = {Lecture Notes in Computer Science}, ADDRESS = {Tel Aviv, Israel}, }
Endnote
%0 Conference Proceedings %A Guo, Yong %A Stutz, David %A Schiele, Bernt %+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society %T Improving Robustness by Enhancing Weak Subnets : %G eng %U http://hdl.handle.net/21.11116/0000-000B-01E4-2 %D 2022 %B European Conference on Computer Vision %Z date of event: 2022-10-23 - 2022-10-27 %C Tel Aviv, Israel %B European Conference on Computer Vision %I Springer %B Lecture Notes in Computer Science
Stutz, D., Hein, M., & Schiele, B. (2020). Confidence-Calibrated Adversarial Training: Generalizing to Unseen Attacks. In Proceedings of the 37th International Conference on Machine Learning (ICML 2020). Virtual Conference: MLResearchPress.
Export
BibTeX
@inproceedings{DBLP:conf/icml/Stutz0S20, TITLE = {Confidence-Calibrated Adversarial Training: {G}eneralizing to Unseen Attacks}, AUTHOR = {Stutz, David and Hein, Matthias and Schiele, Bernt}, LANGUAGE = {eng}, ISSN = {2640-3498}, PUBLISHER = {MLResearchPress}, YEAR = {2020}, BOOKTITLE = {Proceedings of the 37th International Conference on Machine Learning (ICML 2020)}, EDITOR = {Daum{\'e}, Hal and Singh, Aarti}, PAGES = {9155--9166}, SERIES = {Proceedings of Machine Learning Research}, VOLUME = {119}, ADDRESS = {Virtual Conference}, }
Endnote
%0 Conference Proceedings %A Stutz, David %A Hein, Matthias %A Schiele, Bernt %+ Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society External Organizations Computer Vision and Machine Learning, MPI for Informatics, Max Planck Society %T Confidence-Calibrated Adversarial Training: Generalizing to Unseen Attacks : %G eng %U http://hdl.handle.net/21.11116/0000-0007-AA75-6 %D 2020 %B 37th International Conference on Machine Learning %Z date of event: 2020-07-13 - 2020-07-18 %C Virtual Conference %B Proceedings of the 37th International Conference on Machine Learning %E Daum&#233;, Hal; Singh, Aarti %P 9155 - 9166 %I MLResearchPress %B Proceedings of Machine Learning Research %N 119 %@ false %U http://proceedings.mlr.press/v119/stutz20a/stutz20a.pdf