Seyeon An May 15, 2021

<aside> 🔗 We have reposted this blog on our Medium publication. Read this on Medium.

</aside>

The reverse image search function in Google Images shows that neural networks are capable of recognizing and classifying images. Yet, were they always accurate? Not really. You must have experienced something similar to this: entering a picture of a dog in Google Image, and in return, receiving hundreds of panda pictures. Why does this happen?

Deep neural networks (DNNs) have developed to the point in which it can perform outstandingly on many tasks as computer vision and natural language processing. Development is ongoing, and now we are mostly trying to train these DNNs to improve their accuracy. The main problem regarding accuracy is that neural networks are highly vulnerable to adversarial perturbations.

For instance, take a look at the image below. The two images, before and after adding the noise seem identical to us. But for the neural network, the image on the right seems like a completely different object— as a panda. Here, the noise added to the image would be an adversarial perturbation, and the training method which attempts to solve this problem, via making these neural networks less vulnerable to perturbation, would be referred to as adversarial training.

The image recognition process of the neural network is extremely vulnerable to perturbation.

The deep-seated task of adversarial training— lack of training data— has been partially resolved thanks to the recently proposed data augmentation method using unlabeled-in-distribution (UID) data. Yet there exist some drawbacks: the lack of availability and the dependence on the accuracy of the pseudo-label generator.

<aside> 💡 To compensate with these drawbacks and to improve generalization in both adversarial and standard learning, we propose a data augmentation method using out-of-distribution (OOD) data: out-of-distribution data augmented training (OAT).

</aside>

What is Adversarial Training?

To understand why out-of-distribution data augmented training is needed for better accuracy and efficiency of DNNs, we have to understand what adversarial training is and why it is important.

Adversarial training refers to the training process that includes adversarially attacked images as its training data set. The goal of adversarial training is to make the DNNs more robust— to make machine learning models less vulnerable to perturbations.

• The Semi-Supervised Learning Method In adversarial training, we need much more data sets than standard training. Since it is insufficient to use only labeled data, we use a mixture of labeled and unlabeled data: which refers to the semi-supervised learning method.
  • Supervised Learning : Uses only labeled data as its data set
  • Semi-Supervised Learning : Uses some labeled data and lots of unlabeled data as its data set
  • Unsupervised Learning : Uses only unlabeled data as its data set

We use semi-supervised learning method as our adversarial training methodology.

• Robust and Non-Robust Features As the main task of artificial intelligence is to simulate human intelligence, the image recognition process should also simulate that of humans. Here, it is integral to distinguish in between robust features and non-robust features, which are the two types of useful features in an image.

  • Robust Features : Features humans can perceive; Strongly correlates with the image label.
  • Non-Robust Features : Features humans cannot perceive; Has weak correlation with the image label.

  It has been demonstrated that there is a trade-off relationship between adversarial robustness and standard accuracy. Adversarial training attempts to solve this problem by making non-robust features not used in classification of images.

Out-Of-Distribution Data

The algorithm of the classifier should have the ability to recognize perturbations (a.k.a unusual examples). It is because (1) there is a high possibility of wrongly classifying these perturbed examples and (2) misclassifications are made with high confidence level.

Out-of-distribution (OOD) data are very close to normal data— most of them looking exactly identical in the human eye. These OOD data may be close to normal data (as blurry, adversarially attacked inputs) or even belong to a new class that the DNNs have not yet been trained to classify.

Why is this essential? For example, trained DNNs are often used in bacteria identification based on genomic sequences— which is further used for diagnosis and treatment of fatal diseases. New classes of bacteria have been discovered throughout the past decades, and we want to use our DNNs to classify these bacteria. However, even a classifier with high performance might wrongly classify a certain disease to another, because it is OOD data— from a completely new class that the classifier has not been trained to classify.

Unlike images of dogs or pandas, which obviously doesn't cause great problems even though they're wrongly classified, genomes and bacteria being wrongly classified would cause great problems. Such real-life applications show the importance of OOD detection: as recent studies show, OOD detection is the first step to build classifiers that "fail gracefully."

Out-Of-Distribution Data Augmented Training

We propose Out-of-distribution Augmented Training (OAT), which is the training on the union of the target dataset $D_t$ and the OOD dataset $D_o$ .

Setup of OOD Dataset

• Given a target dataset $\left\{\left(\tilde{\boldsymbol{x}}^{i}, y^{i}\right)\right\}_{i=1}^{n} \subset \mathcal{X} \times\{\pm 1\}$ sampled from a data distribution $\tilde{D}$ , where $\mathcal{X}$ is the input space