Towards Accurate and Robust Architectures via Neural Architecture Search

Yuwei Ou, Yuqi Feng, Yanan Sun

TL;DR

This work tackles the challenge that neural architecture choices constrain robustness under adversarial training. It introduces ARNAS, which combines an Accurate and Robust search space with a differentiable multi-objective optimization (MGDA-based) to jointly minimize natural and adversarial losses during search. Empirical results across CIFAR-10/100, SVHN, and Tiny-ImageNet show ARNAS achieves strong adversarial robustness with competitive natural accuracy and good transferability, outperforming prior robust NAS methods. The findings reveal that deploying different cell types at distinct architectural positions—e.g., Accurate Cells near the input and Robust Cells near the output—can jointly enhance accuracy and robustness, offering practical guidance for robust NAS design.

Abstract

To defend deep neural networks against adversarial attacks, adversarial training has drawn increasing attention for its effectiveness. However, the accuracy and robustness resulting from adversarial training are limited by the architecture, because adversarial training improves accuracy and robustness by adjusting the weight connections affiliated with the architecture. In this work, we propose ARNAS to search for accurate and robust architectures for adversarial training. First, we design an accurate and robust search space, in which the placement of the cells and the proportional relationship of the filter numbers are carefully determined. With this design, architectures can obtain both accuracy and robustness by deploying accurate and robust structures at their respective sensitive positions. Then, we propose a differentiable multi-objective search strategy that performs gradient descent in directions beneficial to both the natural loss and the adversarial loss, so that accuracy and robustness can be guaranteed at the same time. We conduct comprehensive experiments covering white-box attacks, black-box attacks, and transferability. Experimental results show that the searched architecture has the strongest robustness with competitive accuracy, and breaks with the traditional idea that NAS-based architectures cannot transfer well to complex tasks in robustness scenarios. By analyzing the outstanding architectures found by the search, we also conclude that accurate and robust neural architectures tend to deploy different structures near the input and the output, which has great practical significance for both hand-crafting and automatically designing accurate and robust architectures.
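The multi-objective step the abstract describes, a descent direction that helps both the natural and the adversarial loss, can be illustrated with the standard closed-form two-objective MGDA weight. This is an added example, not code from the paper or the ARNAS authors; the quadratic losses, `C_NAT`, `C_ADV` and all function names are constructed assumptions standing in for the two search losses.

```python
# Added illustration of a two-objective MGDA step; not the ARNAS code.
def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def min_norm_weight(g_nat, g_adv):
    """gamma in [0, 1] minimising ||gamma*g_nat + (1 - gamma)*g_adv||^2."""
    diff = [a - b for a, b in zip(g_nat, g_adv)]
    denom = dot(diff, diff)
    if denom == 0.0:                       # identical gradients
        return 0.5
    gamma = -dot(diff, g_adv) / denom      # unconstrained minimiser
    return min(1.0, max(0.0, gamma))       # project onto [0, 1]

def common_direction(g_nat, g_adv):
    """Min-norm convex combination of the two gradients."""
    gamma = min_norm_weight(g_nat, g_adv)
    d = [gamma * a + (1.0 - gamma) * b for a, b in zip(g_nat, g_adv)]
    return gamma, d

# Constructed stand-ins for the two search objectives (assumption):
# quadratic bowls with different minimisers, so the gradients conflict.
C_NAT, C_ADV = [0.0, 0.0], [2.0, 1.0]

def loss(alpha, centre):
    return 0.5 * sum((a - c) ** 2 for a, c in zip(alpha, centre))

def grad(alpha, centre):
    return [a - c for a, c in zip(alpha, centre)]

def search(alpha, lr=0.1, steps=200):
    """Descend along the common direction; return alpha and loss history."""
    history = [(loss(alpha, C_NAT), loss(alpha, C_ADV))]
    for _ in range(steps):
        _, d = common_direction(grad(alpha, C_NAT), grad(alpha, C_ADV))
        alpha = [a - lr * di for a, di in zip(alpha, d)]
        history.append((loss(alpha, C_NAT), loss(alpha, C_ADV)))
    return alpha, history

if __name__ == "__main__":
    g_nat, g_adv = [4.0, 0.0], [-1.0, 0.5]     # constructed conflicting pair
    naive = [a + b for a, b in zip(g_nat, g_adv)]
    gamma, d = common_direction(g_nat, g_adv)
    print("naive sum . g_adv =", dot(naive, g_adv))   # negative: hurts adv loss
    print("gamma =", round(gamma, 4), " d.g_nat =", dot(d, g_nat),
          " d.g_adv =", dot(d, g_adv))
    alpha, hist = search([3.0, -2.0])
    print("start losses", hist[0], "end losses", hist[-1])
```

Stepping along the plain sum of the two constructed gradients has a negative inner product with the adversarial gradient, while the min-norm combination has a positive inner product with both, which is why neither loss rises along the search trajectory.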

Paper Structure

This paper contains 22 sections, 1 theorem, 5 equations, 4 figures, 5 tables, 1 algorithm.

Key Result

Proposition 1

The cells in different positions of the overall architecture may have different effects on the accuracy and the robustness, and the accuracy and the robustness of the neural architectures can be improved simultaneously by placing different cells in different positions.

Figures (4)

  • Figure 1: Natural and adversarial accuracy on CIFAR-10. All the architectures are adversarially trained using 7-step PGD, and the adversarial accuracy is evaluated under AutoAttack.
  • Figure 2: An example of the proposed search space for CIFAR-10. LEFT: the full outer structure. RIGHT: cell example.
  • Figure 3: Visualization analysis of the architectures in Table \ref{tab4}. Character R refers to the Robust Cell, character A refers to the Accurate Cell, and the subscripts of A and R refer to the filter settings. For example, R$_{4}$ refers to a Robust Cell with four times the initial number of filters.
  • Figure 4: Statistical analysis on 40 neural architectures searched by the proposed method. The numbers of times of the operations selected by Accurate Cell and Robust Cell are recorded.

Theorems & Definitions (1)

  • Proposition 1