# SuooL's Blog

Original Paper Reference: Improving Robustness Without Sacrificing Accuracy with Patch Gaussian Augmentation

## Introduction

Research in neural network robustness has tried to quantify the problem by establishing benchmarks that directly measure it and comparing the performance of humans and neural networks.
Others have tried to understand robustness by highlighting systemic failure modes of current learning methods. For instance, networks exhibit excessive invariance to visual features, texture bias, sensitivity to worst-case (adversarial) perturbations, and a propensity to rely solely on non-robust, but highly predictive features for classification. Of particular relevance to our work, Ford et al show that in order to get adversarial robustness, one needs robustness to noise-corrupted data.
Another line of work has attempted to increase model robustness performance, either by directly projecting out superficial statistics, via architectural improvements, pre-training schemes, or through the use of data augmentations. Data augmentation increases the size and diversity of the training set, and provides a simple method for learning invariances that are challenging to encode architecturally. Recent work in this area includes learning better transformations, inferring combinations of transformations, unsupervised methods, theory of data augmentation, and applications for one-shot learning.

## Preliminaries

The former sets a random patch of the input images to a constant (the mean pixel in the dataset) and is successful at improving clean accuracy. The latter works by adding independent Gaussian noise to each pixel of the input image, which can increase robustness to Gaussian noise directly

Cutout and Gaussian augmentations 在鲁棒性和准确性之间的平衡妥协状况。说实话，这个图我没怎么看明白，也不能理解文章单独这一章节的意义和必要性在哪里。

## Method

Here, robustness is defined as average accuracy of the model, when tested on data corrupted by various σ (0.1, 0.2, 0.3, 0.5, 0.8, 1.0) of Gaussian noise, relative to the clean accuracy. This metric is correlated with mCE, so it ensures model robustness is generally useful beyond Gaussian corruptions. By picking models based on their Gaussian noise robustness, we ensure that our selection process does not overfit to the Common Corruptions benchmark.

## Results

Patch Gaussian overcomes this trade-off and improves both accuracy and robustness

Training with Patch Gaussian leads to improved Common Corruption robustness

The Common Corruptions benchmark: This benchmark, also referred to as CIFAR-C and ImageNet-C, is composed of images transformed with 15 corruptions, at 5 severities each. The corruptions are designed to model those commonly found in real-world settings, such as brightness, different weather conditions, and different kinds of noise.

Patch Gaussian can be combined with other regularization strategies

find that while label smoothing improves clean accuracy, it weakens the robustness in all corruption metrics we have considered. This agrees with the theoretical prediction from, which argued that increasing the confidence of models would improve robustness, whereas label smoothing reduces the confidence of predictions. We find that increasing the weight decay from the default value used in all models does not improve clean accuracy or robustness.

Patch Gaussian can be combined with AutoAugment policies for improved results

Patch Gaussian improves performance in object detection

## Discussion

First, we perturb each image in the dataset with noise sampled at each orientation and frequency in Fourier space. Then, we measure changes in the network activations and test error when evaluated with these Fourier-noise-corrupted images: we measure the change in ?2norm of the tensor directly after the first convolution, as well as the absolute test error. This procedure yields a heatmap, which indicates model sensitivity to different frequency and orientation perturbations in the Fourier domain.