Original Paper Reference: Improving Robustness Without Sacrificing Accuracy with Patch Gaussian Augmentation
这篇文章提供了另一种数据增强的可能方式，将 gaussian 和 patch 结合，达到在不损失准确性的效果下提升模型的鲁棒性。
Research in neural network robustness has tried to quantify the problem by establishing benchmarks that directly measure it and comparing the performance of humans and neural networks.
Others have tried to understand robustness by highlighting systemic failure modes of current learning methods. For instance, networks exhibit excessive invariance to visual features, texture bias, sensitivity to worst-case (adversarial) perturbations, and a propensity to rely solely on non-robust, but highly predictive features for classification. Of particular relevance to our work, Ford et al show that in order to get adversarial robustness, one needs robustness to noise-corrupted data.
Another line of work has attempted to increase model robustness performance, either by directly projecting out superficial statistics, via architectural improvements, pre-training schemes, or through the use of data augmentations. Data augmentation increases the size and diversity of the training set, and provides a simple method for learning invariances that are challenging to encode architecturally. Recent work in this area includes learning better transformations, inferring combinations of transformations, unsupervised methods, theory of data augmentation, and applications for one-shot learning.
这部分内容主要是对论文借鉴对两种方法进行说明，Cutout and Gaussian。
The former sets a random patch of the input images to a constant (the mean pixel in the dataset) and is successful at improving clean accuracy. The latter works by adding independent Gaussian noise to each pixel of the input image, which can increase robustness to Gaussian noise directly
Cutout and Gaussian augmentations 在鲁棒性和准确性之间的平衡妥协状况。说实话，这个图我没怎么看明白，也不能理解文章单独这一章节的意义和必要性在哪里。
这里第一部分是介绍 Patch Gaussian 方法的实现方式，个人感觉本质上是上述两种方法的缝合。
Here, robustness is defined as average accuracy of the model, when tested on data corrupted by various σ (0.1, 0.2, 0.3, 0.5, 0.8, 1.0) of Gaussian noise, relative to the clean accuracy. This metric is correlated with mCE, so it ensures model robustness is generally useful beyond Gaussian corruptions. By picking models based on their Gaussian noise robustness, we ensure that our selection process does not overfit to the Common Corruptions benchmark.
Patch Gaussian overcomes this trade-off and improves both accuracy and robustness
Training with Patch Gaussian leads to improved Common Corruption robustness
The Common Corruptions benchmark: This benchmark, also referred to as CIFAR-C and ImageNet-C, is composed of images transformed with 15 corruptions, at 5 severities each. The corruptions are designed to model those commonly found in real-world settings, such as brightness, different weather conditions, and different kinds of noise.
Patch Gaussian can be combined with other regularization strategies
larger weight decay, label smoothing, and dropblock，其结论是：
find that while label smoothing improves clean accuracy, it weakens the robustness in all corruption metrics we have considered. This agrees with the theoretical prediction from, which argued that increasing the confidence of models would improve robustness, whereas label smoothing reduces the confidence of predictions. We find that increasing the weight decay from the default value used in all models does not improve clean accuracy or robustness.
Patch Gaussian can be combined with AutoAugment policies for improved results
Patch Gaussian improves performance in object detection
First, we perturb each image in the dataset with noise sampled at each orientation and frequency in Fourier space. Then, we measure changes in the network activations and test error when evaluated with these Fourier-noise-corrupted images: we measure the change in ?2norm of the tensor directly after the first convolution, as well as the absolute test error. This procedure yields a heatmap, which indicates model sensitivity to different frequency and orientation perturbations in the Fourier domain.