NeurIPS 2019
Sun Dec 8th through Sat Dec 14th, 2019, Vancouver Convention Center
Paper ID: 5993
Title: Unlabeled Data Improves Adversarial Robustness

Reviewer 1

Originality - this is the first time that semi-supervised techniques are shown to be effective in the robust learning regime, both theoretically and empirically.
Significance - robust models require more samples in order to generalize. Showing that unlabeled data alleviates this problem is crucial, because unlabeled data is much easier (and cheaper) to collect.
Quality and Clarity - the paper is well written. The claims and methods are clearly explained.
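To make the semi-supervised idea the reviewers discuss concrete, here is a minimal sketch of self-training on the paper's Gaussian model. All names (`make_gaussian_data`, `fit_linear`, `self_train`) and the mean-difference classifier are illustrative choices, not the paper's implementation; in particular, the final refit below uses a standard loss, whereas the paper's robust self-training would swap in an adversarial or stability loss at that step.

```python
import numpy as np

rng = np.random.default_rng(0)

def make_gaussian_data(n, d=20, mu_scale=2.0, sigma=1.0):
    # Toy version of the paper's Gaussian model:
    # y is uniform on {-1, +1} and x ~ N(y * mu, sigma^2 * I).
    mu = np.full(d, mu_scale / np.sqrt(d))
    y = rng.choice([-1, 1], size=n)
    x = y[:, None] * mu + sigma * rng.standard_normal((n, d))
    return x, y

def fit_linear(x, y):
    # Mean-difference classifier: w estimates the class-mean direction mu.
    return (y[:, None] * x).mean(axis=0)

def self_train(x_lab, y_lab, x_unlab):
    # Step 1: fit an intermediate model on the labeled data alone.
    w = fit_linear(x_lab, y_lab)
    # Step 2: pseudo-label the unlabeled points with that model.
    y_pseudo = np.sign(x_unlab @ w)
    # Step 3: refit on labeled + pseudo-labeled data. (The paper's RST
    # would use a robust loss here; standard loss keeps the sketch short.)
    x_all = np.vstack([x_lab, x_unlab])
    y_all = np.concatenate([y_lab, y_pseudo])
    return fit_linear(x_all, y_all)
```

With only a handful of labeled points, the intermediate model is noisy, but pseudo-labeling a large unlabeled pool and refitting sharpens the estimate of the mean direction, which is the mechanism behind the sample-complexity claims the reviews discuss.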

Reviewer 2

Originality: Previous theoretical work on the subject quantifies the amount of additional labeled data required to attain non-trivial robust error, whereas Theorem 2 quantifies the additional unlabeled data required. The contribution of the meta-algorithm is minor, since classification with L^stab and L^adv has been studied before.
Quality: The theoretical results are sound, and the claims are well supported by the experiments.
Clarity: The paper is well written for the most part. The term "certified l2 accuracy" is not defined. Line 94 mentions a classifier that is difficult to learn; for the Gaussian model, the classifier should be easy to learn, shouldn't it? Lines 126-128: it is difficult to follow the logic in the sentence "As n grows … goes to 0"; it seems to rest on some unexplained geometry. The same goes for the sentence about "parameter scaling".
Significance: The theoretical results are for a simple Gaussian model rather than a more realistic one, and the results on real datasets might be quite different. Using more datasets in the experiments would be more convincing. Furthermore, the ratio of positives to negatives is 1, which is again a special case. What happens when there is class imbalance?
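The class-imbalance question at the end of this review can be made precise with the Gaussian model itself. Below is a small sketch (names and the unit-norm mean are assumptions, not from the paper) with an imbalance parameter `p_pos`; when `p_pos != 0.5`, the unconditional mean of x becomes (2*p_pos - 1)*mu rather than 0, so any analysis that relies on the balanced case's symmetry picks up a bias term.

```python
import numpy as np

rng = np.random.default_rng(1)

def sample_gaussian_model(n, d=10, p_pos=0.5, sigma=1.0):
    # Gaussian model: y = +1 with probability p_pos (else -1),
    # x ~ N(y * mu, sigma^2 * I). p_pos = 0.5 is the balanced case
    # analyzed in the paper; p_pos != 0.5 is the imbalanced variant
    # this review asks about.
    mu = np.full(d, 1.0 / np.sqrt(d))  # unit-norm mean (an assumption)
    y = np.where(rng.random(n) < p_pos, 1, -1)
    x = y[:, None] * mu + sigma * rng.standard_normal((n, d))
    return x, y

# Under imbalance, E[x] = (2 * p_pos - 1) * mu, so estimators that
# assume E[x] = 0 (as in the balanced analysis) are no longer centered.
```

For example, with `p_pos = 0.9` the sample mean of x concentrates around 0.8*mu instead of the origin, which is exactly the kind of shift a theory for the imbalanced case would need to handle.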

Reviewer 3

This paper shows, theoretically and empirically, that attaining non-trivial adversarial robustness requires only additional unlabeled data.
Strengths:
1. The paper theoretically proves that, under the Gaussian model, more unlabeled data suffices for their robust self-training algorithm to certify a small robust error (1e-3 in the paper).
2. The paper also empirically shows that on CIFAR-10, the robust self-training algorithm with unlabeled data can outperform state-of-the-art models and standard self-training.
3. The paper empirically illustrates on SVHN that robust self-training with unlabeled data achieves almost the same robust accuracy as robust training with labeled data.
4. The paper is clearly written. It is a pleasure to read.
Weaknesses:
1. The main concern is that the connection between the theory and the experiments is loose. The theory makes very strong assumptions on the true model (the Gaussian model), which is quite different from real-world datasets such as CIFAR-10 and SVHN. The authors never address this connection anywhere in the paper; a theoretical guarantee for real-world data remains an open question.
2. The comparison with the state-of-the-art models seems unfair, because robust self-training has access to extra unlabeled data. Some empirical analysis of a state-of-the-art model utilizing unlabeled data would be interesting.
Minor comments:
1. Why is the state-of-the-art model for the l_inf attack different for epsilon = 2/255 and 8/255? Does that mean a state-of-the-art model can only guarantee one specific epsilon?
2. The RST standard accuracy of 80.7 (Figure 1b) when epsilon = 2/255 is much lower than the standard accuracy of 89.7 (Table 1). Why is that? Training with a smaller epsilon should intuitively give higher standard accuracy.
--------------------------------------------------
Updates after rebuttal
--------------------------------------------------
Thanks to the authors for providing a very clear rebuttal. My questions are addressed.
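For readers puzzled by the epsilon values in the minor comments above: in l_inf adversarial training, epsilon is a fixed perturbation budget chosen at training and evaluation time, which is why different models can lead at 2/255 and 8/255. A minimal one-step (FGSM-style) perturbation sketch, illustrative rather than the paper's exact attack:

```python
import numpy as np

def fgsm_perturb(x, grad, eps):
    # One-step l_inf attack: move every pixel by eps in the sign
    # direction of the loss gradient, then clip to the valid pixel
    # range [0, 1]. eps (e.g. 2/255 or 8/255) is the budget that a
    # robustness claim is made against.
    x_adv = x + eps * np.sign(grad)
    return np.clip(x_adv, 0.0, 1.0)
```

A model hardened against 8/255 perturbations faces a strictly larger attack set than one hardened against 2/255, so the two settings trade off standard accuracy differently and are reported as separate benchmarks.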