Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

The Easy Path to Robustness: Coreset Selection using Sample Hardness

Pranav Ramesh, Arjun Roy, Deepak Ravikumar, Kaushik Roy, Gopalakrishnan Srinivasan

TL;DR

This paper tackles adversarial robustness from a data-centric viewpoint by introducing EasyCore, a static coreset built from low-AIGN samples to promote smoother decision boundaries. The core idea is that samples with smaller Average Input Gradient Norm, $AIGN$, are prototypical and learned quickly, leading to greater robustness under both standard and TRADES adversarial training. Across CIFAR-10/100 and ImageNet-1K, EasyCore yields up to 7% and 5% improvements in adversarial accuracy, respectively, compared with existing coreset methods. The method is model-agnostic and efficient because AIGN is a dataset property that can be computed once, and EasyCore guides data selection rather than altering training dynamics.

Abstract

Designing adversarially robust models from a data-centric perspective requires understanding which input samples are most crucial for learning resilient features. While coreset selection provides a mechanism for efficient training on data subsets, current algorithms are designed for clean accuracy and fall short in preserving robustness. To address this, we propose a framework linking a sample's adversarial vulnerability to its \textit{hardness}, which we quantify using the average input gradient norm (AIGN) over training. We demonstrate that \textit{easy} samples (with low AIGN) are less vulnerable and occupy regions further from the decision boundary. Leveraging this insight, we present EasyCore, a coreset selection algorithm that retains only the samples with low AIGN for training. We empirically show that models trained on EasyCore-selected data achieve significantly higher adversarial accuracy than those trained with competing coreset methods under both standard and adversarial training. As AIGN is a model-agnostic dataset property, EasyCore is an efficient and widely applicable data-centric method for improving adversarial robustness. We show that EasyCore achieves up to 7\% and 5\% improvement in adversarial accuracy under standard training and TRADES adversarial training, respectively, compared to existing coreset methods.

The Easy Path to Robustness: Coreset Selection using Sample Hardness

TL;DR

This paper tackles adversarial robustness from a data-centric viewpoint by introducing EasyCore, a static coreset built from low-AIGN samples to promote smoother decision boundaries. The core idea is that samples with smaller Average Input Gradient Norm, , are prototypical and learned quickly, leading to greater robustness under both standard and TRADES adversarial training. Across CIFAR-10/100 and ImageNet-1K, EasyCore yields up to 7% and 5% improvements in adversarial accuracy, respectively, compared with existing coreset methods. The method is model-agnostic and efficient because AIGN is a dataset property that can be computed once, and EasyCore guides data selection rather than altering training dynamics.

Abstract

Designing adversarially robust models from a data-centric perspective requires understanding which input samples are most crucial for learning resilient features. While coreset selection provides a mechanism for efficient training on data subsets, current algorithms are designed for clean accuracy and fall short in preserving robustness. To address this, we propose a framework linking a sample's adversarial vulnerability to its \textit{hardness}, which we quantify using the average input gradient norm (AIGN) over training. We demonstrate that \textit{easy} samples (with low AIGN) are less vulnerable and occupy regions further from the decision boundary. Leveraging this insight, we present EasyCore, a coreset selection algorithm that retains only the samples with low AIGN for training. We empirically show that models trained on EasyCore-selected data achieve significantly higher adversarial accuracy than those trained with competing coreset methods under both standard and adversarial training. As AIGN is a model-agnostic dataset property, EasyCore is an efficient and widely applicable data-centric method for improving adversarial robustness. We show that EasyCore achieves up to 7\% and 5\% improvement in adversarial accuracy under standard training and TRADES adversarial training, respectively, compared to existing coreset methods.

Paper Structure

This paper contains 21 sections, 1 theorem, 1 equation, 8 figures, 6 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Methodology
  4. Motivating Example
  5. Coreset Selection using EasyCore
  6. Discussion
  7. Claim 1: Lower AIGN indicates prototypical-ness
  8. Claim 2: Training on high-AIGN examples increases decision boundary curvature
  9. Claim 3: Training on harder samples reduces robustness on easy samples
  10. Claim 4: Adversarial training uses more dimensions to learn features
  11. Results
  12. Comparative Benchmarking of EasyCore under Standard Training
  13. Comparative Benchmarking of EasyCore under Adversarial Training
  14. Comparison with Adversarial Coreset Selection (ACS) hadi
  15. Conclusion
  16. ...and 6 more sections

Key Result

Lemma 1

For any neural network, given a mini-batch of inputs $Z_b = (X_b, Y_b)$, the Frobenius norm of the gradient of the loss $\ell$ with respect to the input is bounded by the norm of the gradient with respect to the network's weights $\vec{w}_t$. Specifically: where $k_g = \frac{\lVert W_t^{(1)} \rVert_F~ \lVert(X_b^\top)^+\rVert_F}{s_P}$ and $s_P$ denotes the smallest singular value of $P = X_b^\to

Figures (8)

  • Figure 1: (a) the 10 easiest examples (least AIGN) and (b) the 10 hardest examples (highest AIGN) of the same class, for five CIFAR-100 classes
  • Figure 2: Visualization of easy and hard samples from the ImageNet peacock class, identified by their average input gradient norm (AIGN). Left: The long-tailed distribution of AIGN scores. Middle: The input gradient norm training trajectory for easy prototypical samples with low AIGN (blue) and hard atypical samples with high AIGN (green). Right: The easy image (bottom) is typical of the class, whereas the hard image (top) is more atypical of the class, and thus is harder to learn.
  • Figure 3: Comparison of normalized average input gradient norm on CIFAR-10 between a VGG-16 and ResNet-18 model
  • Figure 4: A two-class dataset comprising of 1200 points in 2D space. (a) Decision boundary and training points of the entire dataset (b) Decision boundary of a model trained on the easiest 720 points (ordered by AIGN), and the corresponding data points. It can be seen that the decision boundary is more curved and complex in (a) compared to (b).
  • Figure 5: Scatter plot of 10000 images with (a) least AIGN (easy) and (b) highest AIGN (hard) under standard training, and (c) least AIGN (easy) and (d) highest AIGN (hard) under adversarial training, for the CIFAR-10 dataset. Points marked in black denote the centroids of each class label. Points are coloured as per their class labels. It can be seen that the easy images form the core cluster around the centroid for each class, and thus can easily be differentiated compared to hard images.
  • ...and 3 more figures

Theorems & Definitions (3)

  • Definition 1
  • Definition 2
  • Lemma 1: Input gradient norm is bound by weight gradient norm