Intriguing Properties of Robust Classification
Published in CVPR-workshops, 2025
Despite plenty of research in the last 10 years, we have made limited progress towards generating robust machine learning models. Therefore, in this paper we explore the question, βAre current computer vision datasets are large enough to allow training robust image classifiers?β
π Whatβs the Issue?
Most computer vision models can be fooled by tiny perturbations of the input images. Robust models solve this issue, however, their performance is far below what we might expect. Recent work shows that the robust accuracy of models can be increased by using additional data.
π What We Found
- Theoretical Insights: We first show that, in certain settings, enforcing robustness can require a huge amount of additional training data.
- Empirical Results: On CIFAR-10, doubling the amount of training data consistently increases the performance by about 5%.
- Non-robust Features: We find tiny-magnitude directions that are sufficient for training very accurate models, whilst being useless for robust classification.
π€ Why It Matters
Plenty of research has been done on improving the performance of robust classifiers, but we have made limited progress. We believe that knowing whether the task can be solved with the available data is crucial for directing future research efforts.