Out-of-distribution (OOD) generalization has attracted increasing research attention in recent years, due to its promising experimental results in real-world applications. In this paper, we study the confidence set prediction problem in the OOD generalization setting. Split conformal prediction (SCP) is an efficient framework for this problem. However, the validity of SCP requires the examples to be exchangeable, which is violated in the OOD setting. Empirically, we show that naively applying SCP fails to maintain marginal coverage when the unseen target domain differs from the source domain. To address this issue, we develop a method for forming confidence prediction sets in the OOD setting and theoretically prove its validity. Finally, we conduct experiments on simulated data to empirically verify the correctness of our theory and the validity of our proposed method.
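The coverage failure described above, as an added illustration that is not the paper's code or method: split conformal prediction is calibrated on a source domain and then evaluated both on fresh source data (exchangeable with the calibration set) and on a covariate-shifted target domain. The data-generating process, the linear model and the shift are all constructed here for the demonstration.

```python
# Added example (not from the paper): split conformal prediction (SCP) for
# regression, calibrated on a source domain and evaluated on (a) fresh source
# data, where exchangeability holds, and (b) a shifted target domain, where it
# does not. All data are constructed here with a fixed seed.
import math
import numpy as np

ALPHA = 0.1          # target miscoverage: we want >= 90% marginal coverage


def make_domain(rng, n, lo, hi):
    """Constructed data: x ~ U(lo, hi), y = 2x + 0.3x^2 + N(0, 0.1^2).
    The quadratic term makes a linear model slightly misspecified, which is
    harmless inside the source range but not far outside it."""
    x = rng.uniform(lo, hi, size=n)
    y = 2.0 * x + 0.3 * x ** 2 + rng.normal(0.0, 0.1, size=n)
    return x, y


def fit_linear(x, y):
    """Ordinary least squares y ~ a + b x (the point predictor SCP wraps)."""
    X = np.column_stack([np.ones_like(x), x])
    coef, *_ = np.linalg.lstsq(X, y, rcond=None)
    return coef


def predict(coef, x):
    return coef[0] + coef[1] * x


def conformal_quantile(scores, alpha):
    """Finite-sample corrected quantile used by SCP: the
    ceil((n+1)(1-alpha))-th smallest calibration score."""
    n = len(scores)
    k = math.ceil((n + 1) * (1 - alpha))
    s = np.sort(scores)
    return s[min(k, n) - 1]   # k > n would mean an infinite set; clip to max score


def coverage(coef, qhat, x, y):
    """Fraction of test points whose label lies in [yhat - qhat, yhat + qhat]."""
    return float(np.mean(np.abs(y - predict(coef, x)) <= qhat))


def run_experiment(seed=0, n_train=1000, n_cal=1000, n_test=5000):
    rng = np.random.default_rng(seed)
    x_tr, y_tr = make_domain(rng, n_train, -1.0, 1.0)   # source: training
    x_cal, y_cal = make_domain(rng, n_cal, -1.0, 1.0)   # source: calibration
    x_src, y_src = make_domain(rng, n_test, -1.0, 1.0)  # source: test
    x_tgt, y_tgt = make_domain(rng, n_test, 2.0, 4.0)   # target: covariate shift

    coef = fit_linear(x_tr, y_tr)
    scores = np.abs(y_cal - predict(coef, x_cal))       # nonconformity scores
    qhat = conformal_quantile(scores, ALPHA)
    return {
        "qhat": float(qhat),
        "source_coverage": coverage(coef, qhat, x_src, y_src),
        "target_coverage": coverage(coef, qhat, x_tgt, y_tgt),
    }


if __name__ == "__main__":
    print(run_experiment())
```

On the source test set the marginal coverage lands near the nominal 90%, because calibration and test points are exchangeable. On the target domain the same interval width covers almost nothing: the nonconformity scores there come from a different distribution, so the calibrated quantile says nothing about them. This is the failure the abstract reports, and it is why a method with a validity proof that does not rest on exchangeability is needed in the OOD setting.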
Out-of-distribution (OOD) generalization has attracted increasing research attention in recent years, due to its promising experimental results in real-world applications. Interestingly, we find that existing OOD generalization methods are vulnerable to adversarial attacks. This motivates us to study OOD adversarial robustness. We first present theoretical analyses of OOD adversarial robustness in two different complementary settings. Motivated by the theoretical results, we design two algorithms to improve the OOD adversarial robustness. Finally, we conduct experiments to validate the effectiveness of our proposed algorithms. Our code is available at https://github.com/ZouXinn/OOD-Adv.
Deep networks are well known to be fragile to adversarial attacks, and adversarial training is one of the most popular methods used to train a robust model. To take advantage of unlabeled data, recent works have applied adversarial training to contrastive learning (Adversarial Contrastive Learning; ACL for short) and obtained promising robust performance. However, the theory of ACL is not well understood. To fill this gap, we leverage the Rademacher complexity to analyze the generalization performance of ACL, with a particular focus on linear models and multi-layer neural networks under \ell_p attack (p≥1). Our theory shows that the average adversarial risk of the downstream tasks can be upper bounded by the adversarial unsupervised risk of the upstream task. The experimental results validate our theory.
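The \ell_p attack model on a linear model, worked as an added example (this is not the paper's ACL theory or code): for a linear model the worst-case perturbation inside an \ell_p ball of radius eps has a closed form given by the dual norm, and the adversarial risk is the fraction of points whose margin is smaller than eps times that dual norm. The weights, data and checks below are constructed for the demonstration.

```python
# Added example (not from the paper): the l_p threat model (p >= 1) on a
# linear model, worked in closed form and checked numerically.
import numpy as np


def dual_exponent(p):
    """q with 1/p + 1/q = 1 (q = inf for p = 1, q = 1 for p = inf)."""
    if p == 1:
        return np.inf
    if p == np.inf:
        return 1.0
    return p / (p - 1.0)


def worst_case_perturbation(w, eps, p):
    """delta maximising w.delta over ||delta||_p <= eps (p >= 1).
    Hoelder gives w.delta <= eps * ||w||_q; the vector below makes it tight."""
    w = np.asarray(w, dtype=float)
    if p == np.inf:                      # q = 1: move every coordinate by eps
        return eps * np.sign(w)
    if p == 1:                           # q = inf: whole budget on the largest |w_i|
        d = np.zeros_like(w)
        i = int(np.argmax(np.abs(w)))
        d[i] = eps * np.sign(w[i])
        return d
    q = dual_exponent(p)
    a = np.abs(w) ** (q - 1.0)           # (q-1)p = q, so ||a||_p = ||w||_q^(q/p)
    return eps * np.sign(w) * a / np.linalg.norm(a, ord=p)


def check_closed_form(w, eps, p, trials=2000, seed=0):
    """True if the closed-form delta has l_p norm <= eps, attains eps*||w||_q,
    and is never beaten by random points of the l_p ball (constructed check)."""
    w = np.asarray(w, dtype=float)
    d = worst_case_perturbation(w, eps, p)
    best = eps * np.linalg.norm(w, ord=dual_exponent(p))
    if np.linalg.norm(d, ord=p) > eps + 1e-9 or not np.isclose(w @ d, best):
        return False
    rng = np.random.default_rng(seed)
    for _ in range(trials):
        delta = rng.uniform(-eps, eps, size=w.shape)
        norm = np.linalg.norm(delta, ord=p)
        if norm > eps:
            delta *= eps / norm          # pull the sample back into the ball
        if w @ delta > best + 1e-9:
            return False
    return True


def adversarial_margin(w, b, x, y, eps, p):
    """min of y*(w.x' + b) over ||x' - x||_p <= eps: the attacker moves along
    -y*w, so the clean margin drops by exactly eps*||w||_q."""
    return y * (w @ x + b) - eps * np.linalg.norm(w, ord=dual_exponent(p))


def risks(w, b, X, Y, eps, p):
    """(clean 0-1 risk, adversarial 0-1 risk) of sign(w.x + b) on (X, Y)."""
    clean = np.mean(Y * (X @ w + b) <= 0)
    adv = np.mean([adversarial_margin(w, b, x, y, eps, p) <= 0
                   for x, y in zip(X, Y)])
    return float(clean), float(adv)


def demo(seed=0, n=500, eps=0.1, p=np.inf):
    """Constructed data: Gaussian x, labels taken from the classifier itself,
    so the clean risk is 0 and the adversarial risk is the mass of points
    within margin eps*||w||_q of the decision boundary."""
    rng = np.random.default_rng(seed)
    w, b = np.array([1.0, -2.0, 0.5]), 0.0
    X = rng.normal(size=(n, 3))
    Y = np.sign(X @ w + b)
    return risks(w, b, X, Y, eps, p)


if __name__ == "__main__":
    for p in (1, 2, 3, np.inf):
        print(p, check_closed_form([1.0, -2.0, 0.5], 0.1, p))
    print(demo())
```

The point of the check is that for linear models the adversarial risk needs no inner optimization loop: the attack is exact and cheap, which is what makes linear models the natural first case for a generalization analysis under \ell_p attack. For multi-layer networks no such closed form exists and the attacker is approximated by gradient-based search.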
Although deep neural networks (DNN) have achieved great success, their applications in safety-critical areas are hindered by their vulnerability to adversarial attacks. Some recent works have accordingly proposed to enhance the robustness of DNN from a dynamical system perspective. Following this line of inquiry, and inspired by the asymptotic stability of general nonautonomous dynamical systems, we propose making each clean instance an asymptotically stable equilibrium point of a slowly time-varying system in order to defend against adversarial attacks. We present a theoretical guarantee that if a clean instance is an asymptotically stable equilibrium point and the adversarial instance lies in the neighborhood of this point, the asymptotic stability will reduce the adversarial noise and bring the adversarial instance close to the clean instance. Motivated by our theoretical results, we go on to propose a nonautonomous neural ordinary differential equation (ASODE) and place constraints on its corresponding linear time-variant system so that all clean instances act as its asymptotically stable equilibrium points. Our analysis suggests that the constraints can be converted to regularizers in implementation. The experimental results show that ASODE improves robustness against adversarial attacks and outperforms state-of-the-art methods.