A Connection Between Adversarial Transferability and Non-Robust Features
A figure in Ilyas, et al. (2019) that struck me as particularly interesting was the following graph showing a correlation between adversarial transferability between architectures and their tendency to learn similar non-robust features.
Understanding the Graph
One way to interpret this graph is that it shows how well a particular architecture is able to capture non-robust features in an image. The non-robust features are defined by the non-robust features ResNet-50 captures, NRF_resnet. This graph really shows how well an architecture captures NRF_resnet.
Applying the Insight to Style Transfer
Notice how far back VGG is compared to the other models. This phenomenon is discussed at length in this Reddit thread. The above interpretation of the graph provides an alternative explanation for this phenomenon. Since VGG is unable to capture non-robust features as well as other architectures, the outputs for style transfer actually look more correct to humans!
A Quick Experiment
Testing our hypothesis is fairly straightforward: Use an adversarially robust classifier for neural style transfer (Gatys et al., 2015) and see what happens.
Evaluating the Results
I evaluated a regularly trained (non-robust) ResNet-50 with a robustly trained ResNet-50 from Engstrom, et al. (2019) on their performance on neural style transfer (Gatys et al., 2015). For comparison, I performed the same algorithm with a regular VGG-19 (Simonyan et al., 2014).
A Surprising Result
Here, it becomes clear that, the first few layers of VGG and AlexNet are actually almost as robust as the first few layers of the robust ResNet! This is perhaps a more convincing indication that robustness might have something to do with VGG’s success in style transfer after all.
Style Transfer and Robustness
Suppose we restrict style transfer to only use a single layer of the network when computing the style loss. Again, the more robust layers seem to indeed work better for style transfer! Since all of the layers in the robust ResNet are robust, style transfer yields non-trivial results even using the last layer alone. Conversely, VGG and AlexNet seem to excel in the earlier layers (where they are non-trivially robust) but fail when using exclusively later (non-robust) layers:
Conclusion
Of course, there is much more work to be done here, but we are excited to see further work into understanding the role of both robustness and VGG in network-based image manipulation.
FAQs
Q: What is the relationship between adversarial transferability and non-robust features?
A: The graph shows a correlation between adversarial transferability and the tendency to learn similar non-robust features.
Q: Why does VGG perform well in style transfer?
A: VGG’s ability to capture non-robust features may be a contributing factor to its success in style transfer.
Q: How do robust layers perform in style transfer?
A: Robust layers, such as those in the robust ResNet, tend to work well for style transfer, even when used individually.
Q: What is the implication of these findings?
A: These findings suggest that robustness may play a role in the success of certain architectures, such as VGG, in style transfer.
