Generalizability of Adversarial Robustness Under Distribution Shifts

Kumail Alhamoud, Hasan Abed Al Kader Hammoud, Motasem Alfarra, Bernard Ghanem
2023-11-07
Abstract: Recent progress in empirical and certified robustness promises to deliver reliable and deployable Deep Neural Networks (DNNs). Despite that success, most existing evaluations of DNN robustness have been done on images sampled from the same distribution on which the model was trained. However, in the real world, DNNs may be deployed in dynamic environments that exhibit significant distribution shifts. In this work, we take a first step towards thoroughly investigating the interplay between empirical and certified adversarial robustness on one hand and domain generalization on another. To do so, we train robust models on multiple domains and evaluate their accuracy and robustness on an unseen domain. We observe that: (1) both empirical and certified robustness generalize to unseen domains, and (2) the level of generalizability does not correlate well with input visual similarity, measured by the FID between source and target domains. We also extend our study to cover a real-world medical application, in which adversarial augmentation significantly boosts the generalization of robustness with minimal effect on clean data accuracy.
Machine Learning, Artificial Intelligence, Computer Vision and Pattern Recognition
## What problem does this paper attempt to address?
The main problem this paper attempts to solve is **the generalization of adversarial robustness under distribution shift**. Specifically, the researchers ask whether the adversarial robustness of deep neural networks (DNNs) is maintained when a model is transferred from its source domains to an unseen target domain.

### Problem Background

In recent years, significant progress has been made in the study of adversarial robustness, aiming to make DNNs reliable and deployable. However, most existing robustness evaluations use test data drawn from the same distribution as the training data. In the real world, DNNs may be deployed in dynamic environments whose data distribution differs significantly from the training distribution (a distribution shift). Such a shift can degrade the model's performance in the new environment, especially under adversarial attack.

### Research Objectives

To address this problem, the paper aims to:

1. **Explore the generalization of adversarial robustness across domains**: The researchers train robust models on multiple source domains and evaluate their accuracy and robustness on unseen target domains, examining how well both empirical robustness and certified robustness generalize.
2. **Analyze the effect of visual similarity on robustness generalization**: They measure the visual similarity between source and target domains with the FID (Fréchet Inception Distance) and test whether this similarity predicts how well robustness generalizes.
3. **Extend to a practical application**: They also run the experiment on a real-world medical application to check whether adversarial augmentation substantially improves the generalization of robustness while having only a small effect on clean-data accuracy.

### Main Contributions

- **Comparison of transfer learning and domain generalization**: The study finds that, unlike transfer learning, domain generalization is not necessarily improved by robust training.
- **Relationship between visual similarity and generalization**: The experiments show no strong correlation between the visual similarity of source and target domains (as measured by FID) and the generalization of robustness.
- **Generalization of robustness across settings**: Both empirical and certified robustness generalize to unseen domains in several settings, including a real distribution shift in the medical domain.

Through these studies, the authors aim to guide future work on improving the robustness of DNNs in unknown domains.
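The evaluation protocol behind objectives (1) and (2), written out as an added illustration that is not code from the paper: a classifier is trained on all source domains but one, and on the held-out domain we record clean accuracy, empirical robust accuracy under an FGSM attack, and certified accuracy, together with the Fréchet distance between the pooled source data and the target. Everything in it is constructed: three toy 2-D domains that differ by an additive shift (the shift values and the budget `EPS` are assumed), a logistic-regression model standing in for a DNN, and the closed-form 2-D Fréchet distance standing in for FID (FID is this same distance applied to Inception features). For a linear model the L-inf certificate `margin > eps * ||w||_1` is exact, so certified and empirical robust accuracy coincide here; for a DNN the certified number would come from a method such as randomized smoothing and would sit below the empirical one.

```python
"""Leave-one-domain-out robustness evaluation on constructed toy domains
(added illustration, not code from the paper)."""
import math
import random

EPS = 0.3  # L-inf perturbation budget for training and evaluation (assumed value)

def sign(v):
    return (v > 0) - (v < 0)

def make_domain(seed, shift, n=200):
    """Constructed two-class 2-D data; `shift` moves the whole domain."""
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        y = rng.choice((-1, 1))
        data.append(([y + rng.gauss(0, 0.8) + shift[0],
                      0.5 * y + rng.gauss(0, 0.8) + shift[1]], y))
    return data

def logit(w, b, x):
    return w[0] * x[0] + w[1] * x[1] + b

def fgsm(w, y, x, eps):
    """Worst-case L-inf perturbation of a linear classifier: step against the margin."""
    return [x[i] - eps * y * sign(w[i]) for i in range(2)]

def train(domains, seed, adversarial, epochs=30, lr=0.05):
    """Logistic regression by SGD on the pooled source domains; with `adversarial`
    each example is replaced by its FGSM version first (adversarial augmentation)."""
    rng = random.Random(seed)
    data = [ex for d in domains for ex in d]
    w, b = [0.0, 0.0], 0.0
    for _ in range(epochs):
        rng.shuffle(data)
        for x, y in data:
            if adversarial:
                x = fgsm(w, y, x, EPS)
            g = -y / (1.0 + math.exp(y * logit(w, b, x)))  # d(logistic loss)/d(logit)
            w = [w[i] - lr * g * x[i] for i in range(2)]
            b -= lr * g
    return w, b

def evaluate(w, b, domain, eps=EPS):
    """Clean, FGSM-robust and certified accuracy on one domain.  For a linear
    model the L-inf certificate is exact: a point is safe iff margin > eps*||w||_1."""
    l1 = abs(w[0]) + abs(w[1])
    clean = robust = certified = 0
    for x, y in domain:
        margin = y * logit(w, b, x)
        clean += margin > 0
        robust += y * logit(w, b, fgsm(w, y, x, eps)) > 0
        certified += margin > eps * l1
    n = len(domain)
    return {"clean": clean / n, "robust": robust / n, "certified": certified / n}

def gaussian_fit(domain):
    xs, n = [x for x, _ in domain], len(domain)
    mu = [sum(x[i] for x in xs) / n for i in range(2)]
    cov = [[sum((x[i] - mu[i]) * (x[j] - mu[j]) for x in xs) / (n - 1)
            for j in range(2)] for i in range(2)]
    return mu, cov

def sqrtm2(a):
    """Principal square root of a symmetric PSD 2x2 matrix: (A + sqrt(det A)*I) / t."""
    s = math.sqrt(max(a[0][0] * a[1][1] - a[0][1] * a[1][0], 0.0))
    t = math.sqrt(a[0][0] + a[1][1] + 2 * s)
    return [[(a[i][j] + (s if i == j else 0.0)) / t for j in range(2)] for i in range(2)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def frechet_distance(dom_a, dom_b):
    """||mu1-mu2||^2 + Tr(C1 + C2 - 2 sqrt(C1 C2)), the FID formula on raw 2-D features;
    Tr sqrt(C1 C2) is taken as Tr sqrt(sqrt(C1) C2 sqrt(C1)), a symmetric PSD root."""
    (m1, c1), (m2, c2) = gaussian_fit(dom_a), gaussian_fit(dom_b)
    r1 = sqrtm2(c1)
    cross = sqrtm2(matmul(matmul(r1, c2), r1))
    mean_term = sum((m1[i] - m2[i]) ** 2 for i in range(2))
    trace_term = (c1[0][0] + c1[1][1] + c2[0][0] + c2[1][1]
                  - 2 * (cross[0][0] + cross[1][1]))
    return mean_term + trace_term

def leave_one_domain_out(adversarial):
    """Train on two domains, test on the third; report accuracies and the Fréchet
    distance between the pooled source data and the held-out target."""
    shifts = {"A": (0.0, 0.0), "B": (0.6, -0.4), "C": (-0.5, 0.7)}  # assumed shifts
    domains = {k: make_domain(i, s) for i, (k, s) in enumerate(shifts.items())}
    results = {}
    for target, tgt in domains.items():
        sources = [d for k, d in domains.items() if k != target]
        w, b = train(sources, seed=42, adversarial=adversarial)
        res = evaluate(w, b, tgt)
        res["fid_to_source"] = frechet_distance([ex for d in sources for ex in d], tgt)
        results[target] = res
    return results
```

Calling `leave_one_domain_out(False)` and `leave_one_domain_out(True)` gives, per held-out domain, the three accuracies with and without adversarial augmentation next to the source-target distance, which is the table one would inspect to see whether robustness carries over to the unseen domain and whether the distance predicts it. Because FGSM on a linear model always reduces the margin, robust accuracy can never exceed clean accuracy, and the certified count equals the empirical one up to boundary cases.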