{"id":683157,"date":"2020-08-11T10:00:18","date_gmt":"2020-08-11T17:00:18","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/research\/?p=683157"},"modified":"2020-12-09T14:08:39","modified_gmt":"2020-12-09T22:08:39","slug":"adversarial-robustness-as-a-prior-for-better-transfer-learning","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/research\/blog\/adversarial-robustness-as-a-prior-for-better-transfer-learning\/","title":{"rendered":"Adversarial robustness as a prior for better transfer learning"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/1400x788_AirSim_noLogo5secs-1.gif\" alt=\"\"\/><\/figure>\n\n\n\n<p><em>Editor\u2019s note: This post and its research are the collaborative efforts of our team, which includes <\/em><a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" rel=\"noopener noreferrer\" target=\"_blank\" href=\"http:\/\/andrewilyas.com\/\"><em>Andrew Ilyas<\/em><span class=\"sr-only\"> (opens in new tab)<\/span><\/a><em> (PhD Student, MIT), <\/em><a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" rel=\"noopener noreferrer\" target=\"_blank\" href=\"http:\/\/loganengstrom.com\/\"><em>Logan Engstrom<\/em><span class=\"sr-only\"> (opens in new tab)<\/span><\/a><em> (PhD Student, MIT), <\/em><a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" rel=\"noopener noreferrer\" target=\"_blank\" href=\"https:\/\/people.csail.mit.edu\/madry\/\"><em>Aleksander M\u0105dry<\/em><span class=\"sr-only\"> (opens in new tab)<\/span><\/a><em> (Professor at MIT), <\/em><a href=\"https:\/\/www.microsoft.com\/en-us\/research\/people\/akapoor\/\"><em>Ashish Kapoor<\/em><\/a><em> (Partner Research Manager).<\/em><\/p>\n\n\n\n<p>In practical machine learning, it is desirable to be able to 
transfer learned knowledge from some \u201csource\u201d task to downstream \u201ctarget\u201d tasks. This is known as transfer learning\u2014a simple and efficient way to obtain performant machine learning models, especially when there is little training data or compute available for solving the target task. Transfer learning is very useful in practice. For example, transfer learning allows <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/blog\/training-deep-control-policies-for-the-real-world\/\">perception models on a robot<\/a> or other <a href=\"https:\/\/www.microsoft.com\/en-us\/ai\/autonomous-systems\">autonomous system<\/a> to be trained on a synthetic dataset generated via a high-fidelity simulator, such as <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/github.com\/microsoft\/AirSim\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">AirSim<span class=\"sr-only\"> (opens in new tab)<\/span><\/a>, and then refined on a small dataset collected in the real world.<\/p>\n\n\n\n<p>Transfer learning is also common in many computer vision tasks, including image classification and object detection, in which a model uses some pretrained representation as an \u201cinitialization\u201d to learn a more useful representation for the specific task at hand. In a recent collaboration with MIT, we explore adversarial robustness as a prior for improving transfer learning in computer vision. 
We find that adversarially robust models outperform their standard counterparts on a variety of downstream computer vision tasks.<\/p>\n\n\n\n<p class=\"has-text-align-center\"><strong><a href=\"https:\/\/www.microsoft.com\/en-us\/research\/publication\/do-adversarially-robust-imagenet-models-transfer-better\/\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\">Read Paper<\/a>   &nbsp;  &nbsp;  &nbsp;    &nbsp;   &nbsp;       &nbsp;     &nbsp;  &nbsp;            &nbsp;  &nbsp;                             <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/github.com\/microsoft\/robust-models-transfer\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">Code & Models<span class=\"sr-only\"> (opens in new tab)<\/span><\/a> <\/strong><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"211\" src=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/AirSim-Figure-1-1024x211.jpg\" alt=\"Workflow for transfer learning: Train a model on large-scale source datasets (showing a collection of images from ImageNet). 
An arrow labeled \"Transfer the learned representation\" points to Target datasets (a number of image sets are shown: flowers, X-rays, airplanes).\" class=\"wp-image-683973\" srcset=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/AirSim-Figure-1-1024x211.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/AirSim-Figure-1-300x62.jpg 300w, https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/AirSim-Figure-1-768x159.jpg 768w, https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/AirSim-Figure-1.jpg 1366w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Figure 1: A depiction of transfer learning.<\/figcaption><\/figure><\/div>\n\n\n\n<p>In our work we focus on computer vision and consider a standard transfer learning pipeline: &#8220;ImageNet pretraining.&#8221; This pipeline trains a deep neural network on <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"http:\/\/image-net.org\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">ImageNet<span class=\"sr-only\"> (opens in new tab)<\/span><\/a>, then tweaks this pretrained model for another target task, ranging from image classification of smaller datasets to more complex tasks like object detection and image segmentation.<\/p>\n\n\n\n<p>Refining the ImageNet pretrained model can be done in several ways. In our work we focus on two common methods:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Fixed-feature transfer: <\/strong>we replace the last layer of the neural network with a new layer that fits the target task. 
Then we train the last layer on the target dataset while keeping the rest of the layers fixed.<\/li><li><strong>Full-network transfer:<\/strong> we do the same as in fixed-feature, but instead of fine-tuning the last layer only, we fine-tune the full model.<\/li><\/ul>\n\n\n\n<p>The full-network transfer setting typically outperforms the fixed-feature strategy in practice.<\/p>\n\n\n\n<h3 
id=\"how-can-we-improve-transfer-learning\">How can we improve transfer learning?<\/h3>\n\n\n\n<p>The performance of the pretrained model on the source tasks plays a major role in determining how well it transfers to the target tasks. In fact, a recent study by <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/arxiv.org\/abs\/1805.08974\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">Kornblith, Shlens, and Le<span class=\"sr-only\"> (opens in new tab)<\/span><\/a> finds that a higher accuracy of pretrained ImageNet models leads to better performance on a wide range of downstream classification tasks. The question that we would like to answer here is whether improving the ImageNet accuracy of the pretrained model is the only way to improve its transfer learning.<\/p>\n\n\n\n<p>After all, our goal is to learn broadly applicable features on the source dataset that can transfer to target datasets. ImageNet accuracy likely correlates with the quality of features that a model learns, but it may not fully capture the downstream utility of those features. Ultimately, the quality of learned features stems from the priors we impose on them during training. 
For example, there have been several studies of the priors imposed by architectures (such as <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/dmitryulyanov.github.io\/deep_image_prior\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">convolutional layers<span class=\"sr-only\"> (opens in new tab)<\/span><\/a>), <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/arxiv.org\/abs\/1811.00401\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">loss functions<span class=\"sr-only\"> (opens in new tab)<\/span><\/a>, and <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/www.tandfonline.com\/doi\/abs\/10.1198\/10618600152418584\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">data<span class=\"sr-only\"> (opens in new tab)<\/span><\/a> <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/arxiv.org\/abs\/1911.09071\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">augmentation<span class=\"sr-only\"> (opens in new tab)<\/span><\/a> on network training.<\/p>\n\n\n\n<p>In our paper <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/www.microsoft.com\/en-us\/research\/publication\/do-adversarially-robust-imagenet-models-transfer-better\/\" target=\"_blank\" rel=\"noreferrer noopener\">\u201cDo Adversarially Robust ImageNet Models Transfer Better?\u201d<\/a> we study another prior: <strong>adversarial robustness<\/strong>, which refers to a model&#8217;s invariance to small imperceptible perturbations of its inputs, namely <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" 
href=\"https:\/\/gradientscience.org\/intro_adversarial\/\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">adversarial examples<span class=\"sr-only\"> (opens in new tab)<\/span><\/a>. It is well known by now that standard neural networks are extremely vulnerable to such adversarial examples. For instance, Figure 2 shows that, after a tiny perturbation (or change) of the pig image, a pretrained ImageNet classifier will mistakenly predict it as an &#8220;airliner&#8221; with very high confidence:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/AirSim-blog-_-figure-2.png\" alt=\"An image of a pig labeled \"pig,\" +0.005 times perturbation (represented by multicolored square) equals the image of pig, unmodified to the human eye but labeled as \"airplane.\" \" class=\"wp-image-683631\" width=\"900\" height=\"269\" srcset=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/AirSim-blog-_-figure-2.png 468w, https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/AirSim-blog-_-figure-2-300x90.png 300w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><figcaption>Figure 2: An adversarial example. 
A pig (left) is imperceptibly perturbed so that it is classified as an airliner (right).<\/figcaption><\/figure>\n\n\n\n<p>Adversarial robustness is therefore typically enforced by replacing the standard loss objective with a <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/gradientscience.org\/robust_opt_pt1\/\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">robust optimization<span class=\"sr-only\"> (opens in new tab)<\/span><\/a> objective:<\/p>\n\n\n\n\\[\\min_{\\theta} \\mathbb{E}_{(x,y)\\sim D}\\left[\\mathcal{L}(x,y;\\theta)\\right]  \\rightarrow \\min_{\\theta} \\mathbb{E}_{(x,y)\\sim D} \\left[\\max_{\\|\\delta\\|_2 \\leq \\varepsilon} \\mathcal{L}(x+\\delta,y;\\theta) \\right].\\]\n\n\n\n<p>This objective trains models to be robust to worst-case image perturbations within an \\(\\ell_2\\) ball around the input. The hyperparameter \\(\\varepsilon\\) governs the intended degree of invariance to the corresponding perturbations. 
Note that setting \\(\\varepsilon=0\\) corresponds to standard training, while increasing \\(\\varepsilon\\) induces robustness to increasingly large perturbations.<\/p>\n\n\n\n<p>Adversarial robustness was initially studied solely through the lens of machine learning security, but recently a <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/gradientscience.org\/robust_apps\/\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">line of<span class=\"sr-only\"> (opens in new tab)<\/span><\/a> <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/gradientscience.org\/adv\/\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">work<span class=\"sr-only\"> (opens in new tab)<\/span><\/a> has studied the effect of imposing adversarial robustness as a prior on learned feature representations. These works have found that although these adversarially robust models tend to attain lower accuracies than their standardly trained counterparts, their learned feature representations carry several advantages over those of standard models. 
These advantages include <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/arxiv.org\/abs\/1805.12152\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">better-behaved<span class=\"sr-only\"> (opens in new tab)<\/span><\/a> <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/arxiv.org\/abs\/1905.09797\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">gradients<span class=\"sr-only\"> (opens in new tab)<\/span><\/a> (see Figure 3), <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/arxiv.org\/abs\/1910.08640\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">representation invertibility<span class=\"sr-only\"> (opens in new tab)<\/span><\/a>, and more <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/arxiv.org\/abs\/2005.10190\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">specialized features<span class=\"sr-only\"> (opens in new tab)<\/span><\/a>. These desirable properties might suggest that robust neural networks are learning better feature representations than standard networks, which could improve the transferability of those features.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"340\" src=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/AirSim-Blog_figure-3-1024x340.jpg\" alt=\"Two rows showing representations learning by standard models (on bottom row) and robust models (on top row). 
Visually, unlike standard models where you see abstractions and colors only, robust models show vibrant, partially blurred or morphed images: in one of the robust images, you can vaguely see various animal prints, whereas in the standard image it is only multicolored dots. \" class=\"wp-image-683640\" srcset=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/AirSim-Blog_figure-3-1024x340.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/AirSim-Blog_figure-3-300x100.jpg 300w, https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/AirSim-Blog_figure-3-768x255.jpg 768w, https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/AirSim-Blog_figure-3.jpg 1430w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Figure 3: Representations learned by adversarially robust (top) and standard (bottom) models: robust models tend to learn more perceptually aligned representations which seem to transfer better to downstream tasks.<\/figcaption><\/figure>\n\n\n\n<h3 id=\"adversarial-robustness-and-transfer-learning\">Adversarial robustness and transfer learning<\/h3>\n\n\n\n<p>To sum up, we have two options of pretrained models to use for transfer learning. We can either use standard models that have high accuracy but little robustness on the source task; or we can use adversarially robust models, which are worse in terms of ImageNet accuracy but are robust and have the &#8220;nice&#8221; representational properties (see Figure 3). Which models are better for transfer learning?<\/p>\n\n\n\n<p>To answer this question, we trained a large number of standard and robust ImageNet models. 
(All models are available for download via our <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/github.com\/microsoft\/robust-models-transfer\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">code\/model release<span class=\"sr-only\"> (opens in new tab)<\/span><\/a>, and more details on our training procedure can be found there and in <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/arxiv.org\/abs\/2007.08489\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noopener noreferrer\">our paper<span class=\"sr-only\"> (opens in new tab)<\/span><\/a>.) We then transferred each model (using both the fixed-feature and full-network settings) to 12 downstream classification tasks and evaluated the performance.<\/p>\n\n\n\n<p>We find that adversarially robust source models almost always outperform their standard counterparts in terms of accuracy on the target task. 
This is reflected in the table below, in which we compare the accuracies of the best standard model and the best robust model (searching over the same set of hyperparameters and architectures):<\/p>\n\n\n\n<figure class=\"wp-block-table alignwide\"><table><tbody><tr><td><\/td><td><\/td><td><\/td><td><\/td><td><\/td><td><\/td><td><strong>Dataset <\/strong><\/td><td><\/td><td><\/td><td><\/td><td><\/td><td><\/td><td><\/td><td><\/td><\/tr><tr><td><strong>Mode<\/strong><\/td><td><strong>Model<\/strong><\/td><td>Aircraft<\/td><td>Birdsnap<\/td><td>CIFAR-10<\/td><td>CIFAR-100<\/td><td>Caltech-101<\/td><td>Caltech-256<\/td><td>Cars<\/td><td>DTD<\/td><td>Flowers<\/td><td>Food<\/td><td>Pets<\/td><td>SUN397<\/td><\/tr><tr><td>Fixed-feature<\/td><td>Robust<br>Standard<\/td><td><strong>44.14<\/strong><br>38.69<\/td><td><strong>50.72<\/strong><br>48.35<\/td><td><strong>95.53<\/strong><br>81.31<\/td><td><strong>81.08<\/strong><br>60.14<\/td><td><strong>92.76<\/strong><br>90.12<\/td><td><strong>85.08<\/strong><br>82.78<\/td><td><strong>50.67<\/strong><br>44.63<\/td><td><strong>70.37<\/strong><br><strong>70.09<\/strong><\/td><td><strong>91.84<\/strong><br><strong>91.90<\/strong><\/td><td><strong>69.26<\/strong><br>65.79<\/td><td><strong>92.05<\/strong><br><strong>91.83<\/strong><\/td><td><strong>58.75<\/strong><br>55.92<\/td><\/tr><tr><td>Full-network <\/td><td>Robust<br>Standard
<\/td><td><strong>86.24<\/strong><br><strong>86.57<\/strong><\/td><td><strong>76.55<\/strong><br>75.71<\/td><td><strong>98.68<\/strong><br>97.63<\/td><td><strong>89.04<\/strong><br>85.99<\/td><td><strong>95.62<\/strong><br>94.75<\/td><td><strong>87.62<\/strong><br>86.55<\/td><td><strong>91.48<\/strong><br><strong>91.52<\/strong><\/td><td><strong>76.93<br><\/strong>75.80<\/td><td><strong>97.21<\/strong><br><strong>97.04<\/strong><\/td><td><strong>89.12<\/strong><br>88.64<\/td><td><strong>94.53<\/strong><br><strong>94.20<\/strong><\/td><td><strong>64.89<\/strong><br>63.72<\/td><\/tr><\/tbody><\/table><figcaption>Table 1: <strong>The main result<\/strong>\u2014adversarially robust models outperform their standard counterparts when transferred to 12 downstream classification tasks.<\/figcaption><\/figure>\n\n\n\n<p>The following graph shows, for each architecture and downstream classification task, the performance of the best standard model compared to that of the best robust model. As we can see, adversarially robust models improve on the performance of their standard counterparts per architecture too, and the gap tends to increase as the network\u2019s width increases:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"988\" height=\"352\" src=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/Figure-4-_AirSim-blog.jpg\" alt=\"Bar charts showing generally better transfer accuracy (%) using adversarially robust models versus standard models on Aircraft, Birdsnap, CIFAR-10, CIFAR-100, Caltect-101, Caltech-256, Cars, DTD, Flowers, Food, Pets, and  SUN397.\" class=\"wp-image-683652\" srcset=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/Figure-4-_AirSim-blog.jpg 988w, https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/Figure-4-_AirSim-blog-300x107.jpg 300w, 
https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/Figure-4-_AirSim-blog-768x274.jpg 768w\" sizes=\"auto, (max-width: 988px) 100vw, 988px\" \/><figcaption>Figure 4: Adversarially robust models tend to improve over standard networks for individual architectures too.<\/figcaption><\/figure>\n\n\n\n<p>We also evaluate transfer learning on other downstream tasks, including object detection and instance segmentation; for both, using robust backbone models outperforms using standard models, as shown in the table below:<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\"><strong>Task<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong>Box AP (Standard)<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong>Box AP (Robust)<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong>Mask AP (Standard)<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong>Mask AP (Robust)<\/strong><\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">VOC Object Detection<\/td><td class=\"has-text-align-center\" data-align=\"center\">52.80<\/td><td class=\"has-text-align-center\" data-align=\"center\">53.87<\/td><td class=\"has-text-align-center\" data-align=\"center\">&#8212;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&#8212;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">COCO Object Detection<\/td><td class=\"has-text-align-center\" data-align=\"center\">39.61<\/td><td class=\"has-text-align-center\" data-align=\"center\">40.13<\/td><td class=\"has-text-align-center\" data-align=\"center\">&#8212;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&#8212;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">COCO Instance Segmentation<\/td><td class=\"has-text-align-center\" data-align=\"center\">40.74<\/td><td class=\"has-text-align-center\" data-align=\"center\">41.04<\/td><td class=\"has-text-align-center\" data-align=\"center\">36.98<\/td><td class=\"has-text-align-center\" data-align=\"center\">37.23<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 id=\"empirical-mysteries-and-future-work\">Empirical mysteries and future work<\/h3>\n\n\n\n<p>Overall, we have seen that adversarially robust models, although less accurate on the source task than standard-trained models, can improve transfer learning on a wide range of downstream tasks. In <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" rel=\"noopener noreferrer\" target=\"_blank\" href=\"https:\/\/arxiv.org\/abs\/2007.08489\">our paper<span class=\"sr-only\"> (opens in new tab)<\/span><\/a>, we study this phenomenon in more detail. There, we analyze the effects of model width and robustness levels on the transfer performance, and we compare adversarial robustness to other notions of robustness. We also uncover a few somewhat mysterious properties: for example, resizing images seems to have a non-trivial effect on the relationship between robustness and downstream accuracy.<\/p>\n\n\n\n<p>Finally, our work provides evidence that adversarially robust perception models transfer better, yet understanding precisely what causes this remains an open question. More broadly, the results we observe indicate that we do not yet fully understand (even empirically) the ingredients that make transfer learning successful. 
We hope that our work paves the way for more research initiatives to explore and understand what makes transfer learning work well.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Editor\u2019s note: This post and its research are the collaborative efforts of our team, which includes Andrew Ilyas (opens in new tab) (PhD Student, MIT), Logan Engstrom (opens in new tab) (PhD Student, MIT), Aleksander M\u0105dry (opens in new tab) (Professor at MIT), Ashish Kapoor (Partner Research Manager). In practical machine learning, it is desirable [&hellip;]<\/p>\n","protected":false},"author":38838,"featured_media":684519,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"msr-url-field":"","msr-podcast-episode":"","msrModifiedDate":"","msrModifiedDateEnabled":false,"ep_exclude_from_search":false,"_classifai_error":"","msr-author-ordering":[{"type":"user_nicename","value":"Hadi Salman","user_id":"38230"}],"msr_hide_image_in_river":0,"footnotes":""},"categories":[1],"tags":[],"research-area":[13556],"msr-region":[],"msr-event-type":[],"msr-locale":[268875],"msr-post-option":[],"msr-impact-theme":[],"msr-promo-type":[],"msr-podcast-series":[],"class_list":["post-683157","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research-blog","msr-research-area-artificial-intelligence","msr-locale-en_us"],"msr_event_details":{"start":"","end":"","location":""},"podcast_url":"","podcast_episode":"","msr_research_lab":[],"msr_impact_theme":[],"related-publications":[],"related-downloads":[],"related-videos":[],"related-academic-programs":[],"related-groups":[237595],"related-projects":[607743],"related-events":[708199],"related-researchers":[],"msr_type":"Post","featured_image_thumbnail":"<img width=\"393\" height=\"221\" src=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/RobustModelsAirsimHero.png\" class=\"img-object-cover\" alt=\"\" decoding=\"async\" 
loading=\"lazy\" srcset=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/RobustModelsAirsimHero.png 393w, https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/RobustModelsAirsimHero-300x169.png 300w, https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2020\/08\/RobustModelsAirsimHero-343x193.png 343w\" sizes=\"auto, (max-width: 393px) 100vw, 393px\" \/>","byline":"Hadi Salman","formattedDate":"August 11, 2020","formattedExcerpt":"Editor\u2019s note: This post and its research are the collaborative efforts of our team, which includes Andrew Ilyas (opens in new tab) (PhD Student, MIT), Logan Engstrom (opens in new tab) (PhD Student, MIT), Aleksander M\u0105dry (opens in new tab) (Professor at MIT), Ashish Kapoor&hellip;","locale":{"slug":"en_us","name":"English","native":"","english":"English"},"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/683157","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/users\/38838"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/comments?post=683157"}],"version-history":[{"count":79,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/683157\/revisions"}],"predecessor-version":[{"id":696456,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/683157\/revisions\/696456"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media\/684519"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media?parent=683157"}],"wp:term":[{"taxonomy":"category","embeddabl
e":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/categories?post=683157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/tags?post=683157"},{"taxonomy":"msr-research-area","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/research-area?post=683157"},{"taxonomy":"msr-region","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-region?post=683157"},{"taxonomy":"msr-event-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-event-type?post=683157"},{"taxonomy":"msr-locale","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-locale?post=683157"},{"taxonomy":"msr-post-option","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-post-option?post=683157"},{"taxonomy":"msr-impact-theme","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-impact-theme?post=683157"},{"taxonomy":"msr-promo-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-promo-type?post=683157"},{"taxonomy":"msr-podcast-series","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-podcast-series?post=683157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}