{"title": "Image Synthesis with a Single (Robust) Classifier", "book": "Advances in Neural Information Processing Systems", "page_first": 1262, "page_last": 1273, "abstract": "We show that the basic classification framework alone can be used to tackle some of the most challenging tasks in image synthesis. In contrast to other state-of-the-art approaches, the toolkit we develop is rather minimal: it uses a single, off-the-shelf classifier for all these tasks. The crux of our approach is that we train this classifier to be adversarially robust. It turns out that adversarial robustness is precisely what we need to directly manipulate salient features of the input. Overall, our findings demonstrate the utility of robustness in the broader machine learning context.", "full_text": "Image Synthesis with a Single (Robust) Classi\ufb01er\n\nShibani Santurkar\u2217\nMIT\nshibani@mit.edu\n\nDimitris Tsipras\u2217\nMIT\ntsipras@mit.edu\n\nAndrew Ilyas\u2217\nMIT\nailyas@mit.edu\n\nLogan Engstrom\u2217\nMIT\nengstrom@mit.edu\n\nBrandon Tran\u2217\nMIT\nbtran115@mit.edu\n\nAleksander M\u0105dry\nMIT\nmadry@mit.edu\n\nAbstract\n\nWe show that the basic classi\ufb01cation framework alone can be used to tackle some\nof the most challenging tasks in image synthesis. In contrast to other state-of-the-\nart approaches, the toolkit we develop is rather minimal: it uses a single, off-the-\nshelf classi\ufb01er for all these tasks. The crux of our approach is that we train this\nclassi\ufb01er to be adversarially robust. It turns out that adversarial robustness is pre-\ncisely what we need to directly manipulate salient features of the input. Overall,\nour \ufb01ndings demonstrate the utility of robustness in the broader machine learning\ncontext.2\n\n1 Introduction\n\nDeep learning has revolutionized the way we tackle computer vision problems. 
This revolution\nstarted with progress on image classi\ufb01cation [KSH12; He+15; He+16], which then triggered the\nexpansion of the deep learning paradigm to encompass more sophisticated tasks such as image gen-\neration [Kar+18; BDS19] and image-to-image translation [Iso+17; Zhu+17]. Much of this expan-\nsion was predicated on developing complex, task-speci\ufb01c techniques, often rooted in the generative\nadversarial network (GAN) framework [Goo+14]. However, is there a simpler toolkit for solving\nthese tasks?\nIn this work, we demonstrate that basic classi\ufb01cation tools alone suf\ufb01ce to tackle various image syn-\nthesis tasks. These tasks include (cf. Figure 1): generation (Section 3.1), inpainting (Section 3.2),\nimage-to-image translation (Section 3.3), super-resolution (Section 3.4), and interactive image ma-\nnipulation (Section 3.5).\nOur entire toolkit is based on a single classi\ufb01er (per dataset) and involves performing a simple in-\nput manipulation: maximizing predicted class scores with gradient descent. Our approach is thus\ngeneral purpose and simple to implement and train, while also requiring minimal tuning. To high-\nlight the potential of the core methodology itself, we intentionally employ a generic classi\ufb01cation\nsetup (ResNet-50 [He+16] with default hyperparameters) without any additional optimizations (e.g.,\ndomain-speci\ufb01c priors or regularizers). Moreover, to emphasize the consistency of our approach,\nthroughout this work we demonstrate performance on randomly selected examples from the test set.\nThe key ingredient of our method is adversarially robust classi\ufb01ers. Previously, Tsipras et\nal. [Tsi+19] observed that maximizing the loss of robust models over the input leads to realistic\ninstances of other classes. Here we are able to fully leverage this connection to build a versatile\ntoolkit for image synthesis. 
Our \ufb01ndings thus establish robust classi\ufb01ers as a powerful primitive for\nsemantic image manipulation, despite them being trained solely to perform image classi\ufb01cation.\n\n\u2217Equal contribution\n2 Code and models for our experiments can be found at https://git.io/robust-apps.\n\n33rd Conference on Neural Information Processing Systems (NeurIPS 2019), Vancouver, Canada.\n\nFigure 1: Image synthesis and manipulation tasks performed using a single (robustly trained) clas-\nsi\ufb01er.\n\n2 Robust Models as a Tool for Input Manipulation\n\nRecently, Tsipras et al. [Tsi+19] observed that optimizing an image to cause a misclassi\ufb01cation\nin an (adversarially) robust classi\ufb01er introduces salient characteristics of the incorrect class. This\nproperty is unique to robust classi\ufb01ers: standard models (trained with empirical risk minimization\n(ERM)) are inherently brittle, and their predictions are sensitive even to imperceptible changes in\nthe input [Sze+14].\nAdversarially robust classi\ufb01ers are trained using the robust optimization objective [Wal45; Mad+18],\nwhere instead of minimizing the expected loss $\\mathcal{L}$ over the data\n\n$$\\mathbb{E}_{(x,y)\\sim\\mathcal{D}}\\left[\\mathcal{L}(x, y)\\right], \\qquad (1)$$\n\nwe minimize the worst case loss over a speci\ufb01c perturbation set \u2206\n\n$$\\mathbb{E}_{(x,y)\\sim\\mathcal{D}}\\left[\\max_{\\delta\\in\\Delta} \\mathcal{L}(x + \\delta, y)\\right]. \\qquad (2)$$\n\nTypically, the set \u2206 captures imperceptible changes (e.g., small $\\ell_2$ perturbations), and given such a\n\u2206, the problem in (2) can be solved using adversarial training [GSS15; Mad+18].\nFrom one perspective, we can view robust optimization as encoding priors into the model, preventing\nit from relying on imperceptible features of the input [Eng+19]. Indeed, the \ufb01ndings of Tsipras et\nal. 
[Tsi+19] are aligned with this viewpoint\u2014by encouraging the model to be invariant to small\nperturbations, robust training ensures that changes in the model\u2019s predictions correspond to salient\ninput changes.\nIn fact, it turns out that this phenomenon also emerges when we maximize the probability of a spe-\nci\ufb01c class (targeted attacks) for a robust model\u2014see Figure 2 for an illustration. This indicates that\nrobust models exhibit more human-aligned gradients, and, more importantly, that we can precisely\ncontrol features in the input just by performing gradient descent on the model output. Previously,\nperforming such manipulations has only been possible with more complex and task-speci\ufb01c tech-\nniques [MOT15; RMC16; Iso+17; Zhu+17]. In the rest of this work, we demonstrate that this prop-\nerty of robust models is suf\ufb01cient to attain good performance on a diverse set of image synthesis\ntasks.\n\nFigure 2: Maximizing class scores of a robustly trained classi\ufb01er. For each original image, we\nvisualize the result of performing targeted projected gradient descent (PGD) toward different classes.\nThe resulting images actually resemble samples of the target class.\n\n3 Leveraging Robust Models for Computer Vision Tasks\n\nDeep learning-based methods have recently made signi\ufb01cant progress on image synthesis and ma-\nnipulation tasks, typically by training speci\ufb01cally-crafted models in the GAN framework [Goo+14;\nISI17; Zhu+17; Yu+18; BDS19], using priors obtained from deep generative models [Ngu+16;\nNgu+17; UVL17; Yeh+17], or leveraging standard classi\ufb01ers via sophisticated, task-speci\ufb01c meth-\nods [MOT15; Oyg15; Tyk16; GEB16]. 
We discuss additional related work in the following subsec-\ntions as necessary.\nIn this section, we outline our methods and results for obtaining competitive performance on these\ntasks using only robust (feed-forward) classi\ufb01ers. Our approach is remarkably simple: all the appli-\ncations are performed using gradient ascent on class scores derived from the same robustly trained\nclassi\ufb01er. In particular, it does not involve \ufb01ne-grained tuning (see Appendix A.4), highlighting the\npotential of robust classi\ufb01ers as a versatile primitive for sophisticated vision tasks.\n\n3.1 Realistic Image Generation\n\nSynthesizing realistic samples for natural data domains (such as images) has been a long standing\nchallenge in computer vision. Given a set of example inputs, we would like to learn a model that\ncan produce novel perceptually-plausible inputs. The development of deep learning-based methods\nsuch as autoregressive models [HS97; Gra13; VKK16], auto-encoders [Vin+10; KW15] and \ufb02ow-\nbased models [DKB14; RM15; DSB17; KD18] has led to signi\ufb01cant progress in this domain. More\nrecently, advancements in generative adversarial networks (GANs) [Goo+14] have made it possible\nto generate high-quality images for challenging datasets [Zha+18; Kar+18; BDS19]. Many of these\nmethods, however, can be tricky to train and properly tune. They are also fairly computationally\nintensive, and often require \ufb01ne-grained performance optimizations.\nIn contrast, we demonstrate that robust classi\ufb01ers, without any special training or auxiliary networks,\ncan be a powerful tool for synthesizing realistic natural images. At a high level, our generation\nprocedure is based on maximizing the class score of the desired class using a robust model. The\npurpose of this maximization is to add relevant and semantically meaningful features of that class to\na given input image. 
This approach has been previously used on standard models to perform class\nvisualization\u2014synthesizing prototypical inputs of each class\u2014in combination with domain-speci\ufb01c\ninput priors (either hand-crafted [NYC15] and learned [Ngu+16; Ngu+17]) or regularizers [SVZ13;\nMOT15; Oyg15; Tyk16].\nAs the process of class score maximization is deterministic, generating a diverse set of samples\nrequires a random seed as the starting point of the maximization process. Formally, to generate a\nsample of class y, we sample a seed and minimize the loss $\\mathcal{L}$ of label y\n\n$$x = \\arg\\min_{\\|x' - x_0\\|_2 \\le \\varepsilon} \\mathcal{L}(x', y), \\qquad x_0 \\sim \\mathcal{G}_y,$$\n\nfor some class-conditional seed distribution $\\mathcal{G}_y$, using projected gradient descent (PGD) (experimen-\ntal details can be found in Appendix A). Ideally, samples from $\\mathcal{G}_y$ should be diverse and statistically\nsimilar to the data distribution. Here, we use a simple (but already suf\ufb01cient) choice for $\\mathcal{G}_y$\u2014a\nmultivariate normal distribution \ufb01t to the empirical class-conditional distribution\n\n$$\\mathcal{G}_y := \\mathcal{N}(\\mu_y, \\Sigma_y), \\quad \\text{where } \\mu_y = \\mathbb{E}_{x\\sim\\mathcal{D}_y}[x], \\quad \\Sigma = \\mathbb{E}_{x\\sim\\mathcal{D}_y}\\left[(x - \\mu_y)^\\top (x - \\mu_y)\\right],$$\n\nand $\\mathcal{D}_y$ is the distribution of natural inputs conditioned on the label y. We visualize example seeds\nfrom these multivariate Gaussians in Figure 17.\n\nFigure 3: Random samples (of resolution 224\u00d7224) produced using a robustly trained classi\ufb01er. We\nshow: (a) samples from several (random) classes of the ImageNet dataset and (b) multiple samples\nfrom a few random classes of the restricted ImageNet dataset (to illustrate diversity). See Figures 13,\n14, 15, and 16 of Appendix B for additional samples.\n\nThis approach enables us to perform conditional image synthesis given any target class. 
Samples\n(at resolution 224\u00d7224) produced by our method are shown in Figure 3 (also see Appendix B). The\nresulting images are diverse and realistic, despite the fact that they are generated using targeted PGD\non off-the-shelf robust models without any additional optimizations. 3\n\nDifferent seed distributions.\nIt is worth noting that there is signi\ufb01cant room for improvement\nin designing the distribution $\\mathcal{G}_y$. One way to synthesize better samples would be to use a richer\ndistribution\u2014for instance, mixtures of Gaussians per class to better capture multiple data modes.\nAlso, in contrast to many existing approaches, we are not limited to a single seed distribution, and\nwe could even utilize other methods (such as procedural generation) to customize seeds with speci\ufb01c\nstructure or color, and then maximize class scores to produce realistic samples (e.g., see Section 3.5).\n\n3 Interestingly, the robust model used to generate these high-quality ImageNet samples is only 45% accurate,\nyet has a suf\ufb01ciently rich representation to synthesize semantic features for 1000 classes.\n\nEvaluating Sample Quality.\nInception Score (IS) [Sal+16] is a popular metric for evaluating\nthe quality of generated image data. Table 1 presents the IS of samples generated using a robust\nclassi\ufb01er.\n\nDataset | Train Data | BigGAN [BDS19] | WGAN-GP [Gul+17] | Our approach\nCIFAR-10 | 11.2 \u00b1 0.2 | 9.22 | 8.4 \u00b1 0.1 | 7.5 \u00b1 0.1\nImageNet\u2074 | 331.9 \u00b1 4.9 | 233.1 \u00b1 1 | 11.6 | 259.0 \u00b1 4\n\nTable 1: Inception Scores (IS) for samples generated using robustly trained classi\ufb01ers compared to\nstate-of-the-art generation approaches [Gul+17; SSA18; BDS19] (cf. 
Appendix A.7.1 for details).\n\nWe \ufb01nd that our approach improves over state-of-the-art (BigGAN [BDS19]) in terms of Inception\nScore on the ImageNet dataset, yet, at the same time, the Fr\u00e9chet Inception Distance (FID) [Heu+17]\nis worse (36.0 versus 7.4). These results can be explained by the fact that, on one hand, our samples\nare essentially adversarial examples (which are known to transfer across models [Sze+14]) and thus\nare likely to induce highly con\ufb01dent predictions that IS is designed to pick up. On the other hand,\nGANs are explicitly trained to produce samples that are indistinguishable from true data with respect\nto a discriminator, and hence are likely to have a better (lower) FID.\n\n3.2 Inpainting\n\nImage inpainting is the task of recovering images with large corrupted regions [EL99; Ber+00;\nHE07]. Given an image x, corrupted in a region corresponding to a binary mask m \u2208 {0, 1}^d, the\ngoal of inpainting is to recover the missing pixels in a manner that is perceptually plausible with\nrespect to the rest of the image. We \ufb01nd that simple feed-forward classi\ufb01ers, when robustly trained,\ncan be a powerful tool for such image reconstruction tasks.\nFrom our perspective, the goal is to use robust models to restore missing features of the image. To\nthis end, we will optimize the image to maximize the score of the underlying true class, while also\nforcing it to be consistent with the original in the uncorrupted regions. Concretely, given a robust\nclassi\ufb01er trained on uncorrupted data, and a corrupted image x with label y, we solve\n\n$$x_I = \\arg\\min_{x'} \\mathcal{L}(x', y) + \\lambda \\|(x - x') \\odot (1 - m)\\|_2 \\qquad (3)$$\n\nwhere $\\mathcal{L}$ is the cross-entropy loss, $\\odot$ denotes element-wise multiplication, and \u03bb is an appropriately\nchosen constant. 
Note that while we require knowing the underlying label y for the input, it can\ntypically be accurately predicted by the classi\ufb01er itself given the corrupted image.\nIn Figure 4, we show sample reconstructions obtained by optimizing (3) using PGD (cf. Appendix\nA for details). We can observe that these reconstructions look remarkably similar to the uncorrupted\nimages in terms of semantic content. Interestingly, even when this approach fails (reconstructions\ndiffer from the original), the resulting images do tend to be perceptually plausible to a human, as\nshown in Appendix Figure 12.\n\n3.3 Image-to-Image Translation\n\nAs discussed in Section 2, robust models provide a mechanism for transforming inputs between\nclasses. In computer vision literature, this would be an instance of image-to-image translation,\nwhere the goal is to translate an image from a source to a target domain in a semantic man-\nner [Her+01].\nIn this section, we demonstrate that robust classi\ufb01ers give rise to a new methodology for performing\nsuch image-to-image translations. The key is to (robustly) train a classi\ufb01er to distinguish between\nthe source and target domain. Conceptually, such a classi\ufb01er will extract salient characteristics of\neach domain in order to make accurate predictions. We can then translate an input from the source\ndomain by directly maximizing the predicted score of the target domain.\n\n1 For ImageNet, there is a difference in resolution between BigGAN samples (256 \u00d7 256), SAGAN (128 \u00d7\n128) and our approach (224 \u00d7 224). BigGAN attains IS of 166.5 at 128 \u00d7 128 resolution.\n\n(a) random samples\n\n(b) select samples\n\nFigure 4: Image inpainting using robust models \u2013 left: original, middle: corrupted and right: in-\npainted samples. 
To recover missing regions, we use PGD to maximize the class score predicted for\nthe image while penalizing changes to the uncorrupted regions.\n\nIn Figure 5, we provide sample translations produced by our approach using robust models\u2014each\ntrained only on the source and target domains for the Horse \u2194 Zebra, Apple \u2194 Orange, and Summer\n\u2194 Winter datasets [Zhu+17] respectively. (For completeness, we present in Appendix B Figure 10\nresults corresponding to using a classi\ufb01er trained on the complete ImageNet dataset.) In general, we\n\ufb01nd that this procedure yields meaningful translations by directly modifying characteristics of the\nimage that are strongly tied to the corresponding domain (e.g., color, texture, stripes).\nNote that, in order to manipulate such features, the model must have learned them in the \ufb01rst place\u2014\nfor example, we want models to distinguish between horses and zebras based on salient features\nsuch as stripes. For overly simple tasks, models might extract little salient information (e.g., by\nrelying on backgrounds instead of objects5) in which case our approach would not lead to meaningful\ntranslations. Nevertheless, this is not a fundamental barrier and can be addressed by training on richer,\nmore challenging datasets. From this perspective, scaling to larger datasets (which can be dif\ufb01cult\nfor state-of-the-art methods such as GANs) is actually easy and advantageous for our approach.\n\nUnpaired datasets. Datasets for translation tasks often comprise source-target domain\npairs [Iso+17]. For such datasets, the task can be straightforwardly cast into a supervised learn-\ning framework. In contrast, our method operates in the unpaired setting, where samples from the\nsource and target domain are provided without an explicit pairing [Zhu+17]. 
This is due to the fact\nthat our method only requires a classi\ufb01er capable of distinguishing between the source and target\ndomains.\n\n5 In fact, we encountered such an issue with $\\ell_\\infty$-robust classi\ufb01ers for horses and zebras (Figure 11). Note\nthat generative approaches also face similar issues, where the background is transformed instead of the ob-\njects [Zhu+17].\n\n(a) random samples\n\n(b) select samples\n\nFigure 5: Image-to-image translation on the Horse \u2194 Zebra, Apple \u2194 Orange, and Summer \u2194\nWinter datasets [Zhu+17] using PGD on the input of an $\\ell_2$-robust model trained on that dataset. See\nAppendix A for experimental details and Figure 9 for additional input-output pairs.\n\n3.4 Super-Resolution\n\nSuper-resolution refers to the task of recovering high-resolution images given their low resolution\nversion [DFE07; BSH12]. While this goal is underspeci\ufb01ed, our aim is to produce a high-resolution\nimage that is consistent with the input and plausible to a human.\nIn order to adapt our framework to this problem, we cast super-resolution as the task of accentu-\nating the salient features of low-resolution images. This can be achieved by maximizing the score\npredicted by a robust classi\ufb01er (trained on the original high-resolution dataset) for the underlying\nclass. At the same time, to ensure that the structure and high-level content is preserved, we penalize\nlarge deviations from the original low-resolution image. 
Formally, given a robust classi\ufb01er and a\nlow-resolution image $x_L$ belonging to class y, we use PGD to solve\n\n$$\\hat{x}_H = \\arg\\min_{\\|x' - \\uparrow(x_L)\\| < \\varepsilon} \\mathcal{L}(x', y) \\qquad (4)$$\n\nwhere $\\uparrow(\\cdot)$ denotes the up-sampling operation based on nearest neighbors, and \u03b5 is a small constant.\n\n(a) 7x super-resolution on CIFAR-10\n\n(b) 8x super-resolution on restricted ImageNet\n\nFigure 6: Comparing approaches for super-resolution. Top: random samples from the test set;\nmiddle: upsampling using bicubic interpolation; and bottom: super-resolution using robust models.\nWe obtain semantically meaningful reconstructions that are especially sharp in regions that contain\nclass-relevant information.\n\nWe use this approach to upsample random 32 \u00d7 32 CIFAR-10 images to full ImageNet size\n(224 \u00d7 224)\u2014cf. Figure 6a. For comparison, we also show upsampled images obtained from\nbicubic interpolation. In Figure 6b, we visualize the results for super-resolution on random 8-fold\ndown-sampled images from the restricted ImageNet dataset. Since in the latter case we have access\nto ground truth high-resolution images (actual dataset samples), we can compute the Peak Signal-\nto-Noise Ratio (PSNR) of the reconstructions. Over the Restricted ImageNet test set, our approach\nyields a PSNR of 21.53 (95% CI [21.49, 21.58]) compared to 21.30 (95% CI [21.25, 21.35]) from\nbicubic interpolation. In general, our approach produces high-resolution samples that are substan-\ntially sharper, particularly in regions of the image that contain salient class information.\nNote that the pixelation of the resulting images can be attributed to using a very crude upsampling of\nthe original, low-resolution image as a starting point for our optimization. 
Combining this method\nwith a more sophisticated initialization scheme (e.g., bicubic interpolation) is likely to yield better\noverall results.\n\n3.5 Interactive Image Manipulation\n\nRecent work has explored building deep learning\u2013based interactive tools for image synthesis and\nmanipulation. For example, GANs have been used to transform simple sketches [CH18; Par+19]\ninto realistic images. In fact, recent work has pushed this one step further by building a tool that\nallows object-level composition of scenes using GANs [Bau+19]. In this section, we show how our\nframework can be used to enable similar artistic applications.\n\nSketch-to-image. By performing PGD to maximize the probability of a chosen target class, we\ncan use robust models to convert hand-drawn sketches to natural images. The resulting images\n(Figure 7) appear realistic and contain \ufb01ne-grained characteristics of the corresponding class.\n\nFigure 7: Sketch-to-image using robust model gradients. Top: manually drawn sketches of animals;\nand bottom: result of performing PGD towards a chosen class. The resulting images appear realistic\nlooking while preserving key characteristics of the original sketches6.\n\nFeature Painting. Generative model\u2013based paint applications often allow the user to control more\n\ufb01ne-grained features, as opposed to just the overall class. We now show that we can perform similar\nfeature manipulation through a minor modi\ufb01cation to our basic primitive of class score maximiza-\ntion. Our methodology is based on an observation of Engstrom et al. [Eng+19], wherein manipulat-\ning individual activations within representations7 of a robust model actually results in consistent and\nmeaningful changes to high-level image features (e.g., adding stripes to objects). 
We can thus build\na tool to paint speci\ufb01c features onto images by maximizing individual activations directly, instead\nof just the class scores.\nConcretely, given an image x, if we want to add a single feature corresponding to component f of\nthe representation vector R(x) in the region corresponding to a binary mask m, we simply apply\nPGD to solve\n\n$$x_I = \\arg\\max_{x'} R(x')_f - \\lambda_P \\|(x - x') \\odot (1 - m)\\|. \\qquad (5)$$\n\n6 Sketches were produced by a graduate student without any training in arts.\n7 We refer to the pre-\ufb01nal layer of a network as the representation layer. Then, the network prediction can\nsimply be viewed as the output of a linear classi\ufb01er on the representation.\n\nIn Figure 8, we demonstrate progressive addition of features at various levels of granularity (e.g.,\ngrass or sky) to selected regions of the input image. We can observe that such direct maximization\nof individual activations gives rise to a versatile paint tool.\n\nFigure 8: Paint-with-features using a robust model\u2014we present a sequence of images obtained by\nsuccessively adding speci\ufb01c features to select regions of the image by solving (5).\n\n4 Discussion and Conclusions\n\nIn this work, we leverage the basic classi\ufb01cation framework to perform a wide range of image\nsynthesis tasks. In particular, we \ufb01nd that the features learned by a basic classi\ufb01er are suf\ufb01cient\nfor all these tasks, provided this classi\ufb01er is adversarially robust. We then show how this insight\ngives rise to a versatile toolkit that is simple, reliable, and straightforward to extend to other large-\nscale datasets. 
This is in stark contrast to state-of-the-art approaches [Goo+14; Kar+18; BDS19]\nwhich typically rely on architectural, algorithmic, and task-speci\ufb01c optimizations to succeed at\nscale [Sal+16; Das+18; Miy+18]. In fact, unlike these approaches, our methods actually bene\ufb01t\nfrom scaling to more complex datasets\u2014whenever the underlying classi\ufb01cation task is rich and\nchallenging, the classi\ufb01er is likely to learn more \ufb01ne-grained features.\nWe also note that throughout this work, we choose to employ the most minimal version of our toolkit.\nIn particular, we refrain from using extensive tuning or task-speci\ufb01c optimizations. This is intended\nto demonstrate the potential of our core framework itself, rather than to exactly match/outperform\nthe state of the art. We fully expect that better training methods, improved notions of robustness,\nand domain knowledge will yield even better results.\nMore broadly, our \ufb01ndings suggest that adversarial robustness might be a property that is desirable\nbeyond security and reliability contexts. Robustness may, in fact, offer a path towards building a\nmore human-aligned machine learning toolkit.\n\nAcknowledgements\n\nWe thank Chris Olah for helpful pointers to related work in class visualization.\nWork supported in part by the NSF grants CCF-1553428, CCF-1563880, CNS-1413920, CNS-\n1815221, IIS-1447786, IIS-1607189, the Microsoft Corporation, the Intel Corporation, the MIT-\nIBM Watson AI Lab research grant, and an Analog Devices Fellowship.\n\nReferences\n\n[Bau+19] David Bau et al. \u201cGAN Dissection: Visualizing and Understanding Generative Adversarial Networks\u201d. In: International Conference on Learning Representations (ICLR). 2019.\n[BDS19] Andrew Brock, Jeff Donahue, and Karen Simonyan. \u201cLarge Scale GAN Training for High Fidelity Natural Image Synthesis\u201d. In: International Conference on Learning Representations (ICLR). 2019.\n[Ber+00] Marcelo Bertalmio et al. \u201cImage inpainting\u201d. In: Computer graphics and interactive techniques. 2000.\n[BSH12] Harold C Burger, Christian J Schuler, and Stefan Harmeling. \u201cImage denoising: Can plain neural networks compete with BM3D?\u201d In: computer vision and pattern recognition (CVPR). 2012.\n[CH18] Wengling Chen and James Hays. \u201cSketchygan: Towards diverse and realistic sketch to image synthesis\u201d. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2018.\n[Das+18] Constantinos Daskalakis et al. \u201cTraining GANs with Optimism\u201d. In: International Conference on Learning Representations (ICLR). 2018.\n[DFE07] Kostadin Dabov, Alessandro Foi, and Karen Egiazarian. \u201cVideo denoising by sparse 3D transform-domain collaborative \ufb01ltering\u201d. In: European Signal Processing Conference. 2007.\n[DKB14] Laurent Dinh, David Krueger, and Yoshua Bengio. \u201cNice: Non-linear independent components estimation\u201d. In: arXiv preprint arXiv:1410.8516. 2014.\n[DSB17] Laurent Dinh, Jascha Sohl-Dickstein, and Samy Bengio. \u201cDensity estimation using real NVP\u201d. In: International Conference on Learning Representations (ICLR). 2017.\n[EL99] Alexei A Efros and Thomas K Leung. \u201cTexture synthesis by non-parametric sampling\u201d. In: conference on computer vision (CVPR). 1999.\n[Eng+19] Logan Engstrom et al. \u201cLearning Perceptually-Aligned Representations via Adversarial Robustness\u201d. In: ArXiv preprint arXiv:1906.00945. 2019.\n[GEB16] Leon A Gatys, Alexander S Ecker, and Matthias Bethge. \u201cImage style transfer using convolutional neural networks\u201d. In: computer vision and pattern recognition (CVPR). 2016.\n[Goo+14] Ian Goodfellow et al. \u201cGenerative adversarial nets\u201d. In: neural information processing systems (NeurIPS). 2014.\n[Gra13] Alex Graves. \u201cGenerating sequences with recurrent neural networks\u201d. In: arXiv preprint arXiv:1308.0850. 2013.\n[GSS15] Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. \u201cExplaining and Harnessing Adversarial Examples\u201d. In: International Conference on Learning Representations (ICLR). 2015.\n[Gul+17] Ishaan Gulrajani et al. \u201cImproved training of wasserstein gans\u201d. In: Neural Information Processing Systems (NeurIPS). 2017.\n[He+15] Kaiming He et al. \u201cDelving deep into recti\ufb01ers: Surpassing human-level performance on imagenet classi\ufb01cation\u201d. In: international conference on computer vision (ICCV). 2015.\n[He+16] Kaiming He et al. \u201cDeep Residual Learning for Image Recognition\u201d. In: Conference on Computer Vision and Pattern Recognition (CVPR). 2016.\n[HE07] James Hays and Alexei A Efros. \u201cScene completion using millions of photographs\u201d. In: ACM Transactions on Graphics (TOG). 2007.\n[Her+01] Aaron Hertzmann et al. \u201cImage analogies\u201d. In: Computer graphics and interactive techniques. 2001.\n[Heu+17] Martin Heusel et al. \u201cGans trained by a two time-scale update rule converge to a local nash equilibrium\u201d. In: Neural Information Processing Systems (NeurIPS). 2017.\n[HS97] Sepp Hochreiter and J\u00fcrgen Schmidhuber. \u201cLong short-term memory\u201d. In: Neural computation. 1997.\n[ISI17] Satoshi Iizuka, Edgar Simo-Serra, and Hiroshi Ishikawa. \u201cGlobally and Locally Consistent Image Completion\u201d. In: ACM Trans. Graph. 2017.\n[Iso+17] Phillip Isola et al. \u201cImage-to-image translation with conditional adversarial networks\u201d. In: conference on computer vision and pattern recognition (CVPR). 2017.\n[Kar+18] Tero Karras et al. \u201cProgressive Growing of GANs for Improved Quality, Stability, and Variation\u201d. In: International Conference on Learning Representations. 2018.\n[KD18] Durk P Kingma and Prafulla Dhariwal. \u201cGlow: Generative \ufb02ow with invertible 1x1 convolutions\u201d. In: Neural Information Processing Systems (NeurIPS). 2018.\n[Kri09] Alex Krizhevsky. \u201cLearning Multiple Layers of Features from Tiny Images\u201d. In: Technical report. 2009.\n[KSH12] Alex Krizhevsky, Ilya Sutskever, and Geoffrey E Hinton. \u201cImagenet Classi\ufb01cation with Deep Convolutional Neural Networks\u201d. In: Advances in Neural Information Processing Systems (NeurIPS). 2012.\n[KW15] Diederik P. Kingma and Max Welling. \u201cAuto-Encoding Variational Bayes\u201d. In: International Conference on Learning Representations (ICLR). 2015.\n[Mad+18] Aleksander Madry et al. \u201cTowards deep learning models resistant to adversarial attacks\u201d. In: International Conference on Learning Representations (ICLR). 2018.\n[Miy+18] Takeru Miyato et al. \u201cSpectral Normalization for Generative Adversarial Networks\u201d. In: International Conference on Learning Representations (ICLR). 2018.\n[MOT15] Alexander Mordvintsev, Christopher Olah, and Mike Tyka. Inceptionism: Going deeper into neural networks. 2015. URL: https://ai.googleblog.com/2015/06/inceptionism-going-deeper-into-neural.html.\n[Ngu+16] Anh Nguyen et al. \u201cSynthesizing the preferred inputs for neurons in neural networks via deep generator networks\u201d. In: Neural Information Processing Systems (NeurIPS). 2016.\n[Ngu+17] Anh Nguyen et al. \u201cPlug & play generative networks: Conditional iterative generation of images in latent space\u201d. In: Conference on Computer Vision and Pattern Recognition (CVPR). 2017.\n[NYC15] Anh Nguyen, Jason Yosinski, and Jeff Clune. \u201cDeep neural networks are easily fooled: High con\ufb01dence predictions for unrecognizable images\u201d. In: Conference on computer vision and pattern recognition (CVPR). 2015.\n[Oyg15] Audun Oygard. Visualizing GoogLeNet Classes. 2015. URL: https://www.auduno.com/2015/07/29/visualizing-googlenet-classes/.\n[Par+19] Taesung Park et al. \u201cSemantic Image Synthesis with Spatially-Adaptive Normalization\u201d. In: Computer Vision and Pattern Recognition (CVPR). 2019.\n[RM15] Danilo Jimenez Rezende and Shakir Mohamed. \u201cVariational inference with normalizing \ufb02ows\u201d. In: International Conference on Machine Learning (ICML). 2015.\n[RMC16] Alec Radford, Luke Metz, and Soumith Chintala. \u201cUnsupervised representation learning with deep convolutional generative adversarial networks\u201d. In: International Conference on Learning Representations (ICLR). 2016.\n[Rus+15] Olga Russakovsky et al. \u201cImageNet Large Scale Visual Recognition Challenge\u201d. In: International Journal of Computer Vision (IJCV). 2015.\n[Sal+16] Tim Salimans et al. \u201cImproved techniques for training gans\u201d. In: neural information processing systems (NeurIPS). 2016.\n[SSA18] Konstantin Shmelkov, Cordelia Schmid, and Karteek Alahari. \u201cHow good is my GAN?\u201d In: European Conference on Computer Vision (ECCV). 2018.\n[SVZ13] Karen Simonyan, Andrea Vedaldi, and Andrew Zisserman. \u201cDeep inside convolutional networks: Visualising image classi\ufb01cation models and saliency maps\u201d. In: arXiv preprint arXiv:1312.6034 (2013).\n[Sze+14] Christian Szegedy et al. \u201cIntriguing properties of neural networks\u201d. In: International Conference on Learning Representations (ICLR). 2014.\n[Tsi+19] Dimitris Tsipras et al. \u201cRobustness May Be at Odds with Accuracy\u201d. In: International Conference on Learning Representations (ICLR). 2019.\n[Tyk16] Mike Tyka. Class visualization with bilateral \ufb01lters. 2016. URL: https://mtyka.github.io/deepdream/2016/02/05/bilateral-class-vis.html.\n[UVL17] Dmitry Ulyanov, Andrea Vedaldi, and Victor Lempitsky. \u201cDeep Image Prior\u201d. In: ArXiv preprint arXiv:1711.10925. 2017.\n[Vin+10] Pascal Vincent et al. \u201cStacked denoising autoencoders: Learning useful representations in a deep network with a local denoising criterion\u201d. In: Journal of machine learning research (JMLR). 2010.\n[VKK16] A\u00e4ron Van Den Oord, Nal Kalchbrenner, and Koray Kavukcuoglu. \u201cPixel recurrent neural networks\u201d. In: International Conference on Machine Learning (ICML). 2016.\n[Wal45] Abraham Wald. \u201cStatistical Decision Functions Which Minimize the Maximum Risk\u201d. In: Annals of Mathematics. 1945.\n[Yeh+17] Raymond A Yeh et al. \u201cSemantic image inpainting with deep generative models\u201d. In: Computer Vision and Pattern Recognition (CVPR). 2017.\n[Yu+18] Jiahui Yu et al. \u201cGenerative image inpainting with contextual attention\u201d. In: Computer Vision and Pattern Recognition (CVPR). 2018.\n[Zha+18] Han Zhang et al. \u201cSelf-attention generative adversarial networks\u201d. In: arXiv preprint arXiv:1805.08318. 2018.\n[Zhu+17] Jun-Yan Zhu et al. \u201cUnpaired image-to-image translation using cycle-consistent adversarial networks\u201d. In: international conference on computer vision (ICCV). 2017.\n", "award": [], "sourceid": 753, "authors": [{"given_name": "Shibani", "family_name": "Santurkar", "institution": "MIT"}, {"given_name": "Andrew", "family_name": "Ilyas", "institution": "MIT"}, {"given_name": "Dimitris", "family_name": "Tsipras", "institution": "MIT"}, {"given_name": "Logan", "family_name": "Engstrom", "institution": "MIT"}, {"given_name": "Brandon", "family_name": "Tran", "institution": "Massachusetts Institute of Technology"}, {"given_name": "Aleksander", "family_name": "Madry", "institution": "MIT"}]}