The wide-ranging applications of foundation models, espeically in safety-critical areas, necessitates the robust self-supervised learning which can yield strong adversarial robustness in downsteam tasks via fine-tuning. In this repo, we provide a benchmark for robustness transferability of robust pre-training.
The leaderboard is demonstrates in robustssl.github.io.
We consider the following RobustSSL methods:
- AIR (Xu et al., NeurIPS'23a)
- RCS (Xu et al., NeurIPS'23b)
- DynACL (Luo et al., ICLR'23)
- A-InfoNCE (Yu et al., ECCV'22)
- DeAC (Zhang et al., ECCV'22)
- AdvCL (Fan et al., NeruIPS'21)
- ACL (Jiang et al., NeurIPS'20)
- RoCL (Kim et al., NeurIPS'20)
Modle Zoo: We released all the pre-trained checkpoints in Dropbox.
Pre-trained weights of ResNet-18 encoder | ACL (Jiang et al., NeurIPS'20) | AdvCL (Fan et al., NeurIPS'21) | A-InfoNCE (Yu et al., ECCV'22) | DeACL (Zhang et al., ECCV'22) | DynACL (Luo et al., ICLR'23) | DynACL++ (Luo et al., ICLR'23) | DynACL-AIR (Xu et al., NeurIPS'23a) | DynACL-AIR++ (Xu et al., NeurIPS'23a) | DynACL-RCS (Xu et al., NeurIPS'23b) |
---|---|---|---|---|---|---|---|---|---|
CIFAR-10 | link* | link | link | link* | link* | link* | link | link | link |
CIFAR-100 | link* | link | link | - | link* | link* | link | link | link |
STL10 | link | - | - | - | link* | link* | link | link | link |
Acknowledgements: The superscript *
denotes that the pre-trained encoders haved been provided in their GitHub and we copied them into our Dropbox directory; otherwise, the encoders were pre-trained by us.
To provide a comprehensive benchmark, we welcome incoraporating new self-supervised robust pre-training methods into our repo!
Here, we provide two kinds of fine-tuning methods:
- Vanilla Fine-tuning: You need to specify the hyper-parameters such as the learning rate and the batch size for each pre-trained models. We provide all the scripts for finetuning and evalution in the file
run_vanilla_tune.sh
.
- AutoLoRa (Xu et al., ArXiv'23): It is a parameter-free and automated robust fine-tuning framework. You DO NOT need to search for the appropriate hyper-parameters. We provide all the scripts for finetuning and evalution in the file
run_autolora.sh
.
To provide a comprehensive benchmark, we welcome incoraporating new robust fine-tuning methods into our repo!
We consider the following three fine-tuning modes:
- Standard linear fine-tuning (SLF): only standardly fine-tuning the classifier while freezing the encoder.
- Adversarial linear fine-tuning (ALF): only adversarially fine-tuning the classifier while freezing the encoder.
- Adversarial full fine-tuning (AFF): adversarially fine-tuning both the encoder and the classifier.
- Python 3.8
- Pytorch 1.13
- CUDA 11.6
- AutoAttack (Install AutoAttack via
pip install git+https://github.com/fra31/auto-attack
) - robustbench (Install robustbench via
pip install git+https://github.com/RobustBench/robustbench.git
)
If you fine the code is useful to you, please cite the following papers by copying the following BibTeX.
@article{xu2023autolora,
title={AutoLoRa: A Parameter-Free Automated Robust Fine-Tuning Framework},
author={Xu, Xilie and Zhang, Jingfeng and Kankanhalli, Mohan},
journal={arXiv preprint arXiv:2310.01818},
year={2023}
}
@inproceedings{xu2023RCS,
title={Efficient Adversarial Contrastive Learning via Robustness-Aware Coreset Selection},
author={Xu, Xilie and Zhang, Jingfeng and Liu, Feng and Sugiyama, Masashi and Kankanhalli, Mohan},
booktitle={NeurIPS},
year={2023}
}
@inproceedings{xu2023AIR,
title={Enhancing Adversarial Contrastive Learning via Adversarial Invariant Regularization},
author={Xu, Xilie and Zhang, Jingfeng and Liu, Feng and Sugiyama, Masashi and Kankanhalli, Mohan},
booktitle={NeurIPS},
year={2023}
}
@inproceedings{luo2023DynACL,
title={Rethinking the Effect of Data Augmentation in Adversarial Contrastive Learning},
author={Rundong Luo and Yifei Wang and Yisen Wang},
booktitle={The Eleventh International Conference on Learning Representations},
year={2023},
url={https://openreview.net/forum?id=0qmwFNJyxCL}
}
@inproceedings{zhang2022DeACL,
title={Decoupled Adversarial Contrastive Learning for Self-supervised Adversarial Robustness},
author={Zhang, Chaoning and Zhang, Kang and Zhang, Chenshuang and Niu, Axi and Feng, Jiu and Yoo, Chang D and Kweon, In So},
booktitle={ECCV 2022},
pages={725--742},
year={2022},
organization={Springer}
}
@inproceedings{yu2022AInfoNCE,
title={Adversarial Contrastive Learning via Asymmetric InfoNCE},
author={Yu, Qiying and Lou, Jieming and Zhan, Xianyuan and Li, Qizhang and Zuo, Wangmeng and Liu, Yang and Liu, Jingjing},
booktitle={European Conference on Computer Vision},
pages={53--69},
year={2022},
organization={Springer}
}
@article{fan2021AdvCL,
title={When Does Contrastive Learning Preserve Adversarial Robustness from Pretraining to Finetuning?},
author={Fan, Lijie and Liu, Sijia and Chen, Pin-Yu and Zhang, Gaoyuan and Gan, Chuang},
journal={Advances in Neural Information Processing Systems},
volume={34},
pages={21480--21492},
year={2021}
}
@article{jiang2020ACL,
title={Robust pre-training by adversarial contrastive learning},
author={Jiang, Ziyu and Chen, Tianlong and Chen, Ting and Wang, Zhangyang},
journal={Advances in Neural Information Processing Systems},
volume={33},
pages={16199--16210},
year={2020}
}
@article{kim2020RoCL,
title={Adversarial self-supervised contrastive learning},
author={Kim, Minseon and Tack, Jihoon and Hwang, Sung Ju},
journal={Advances in Neural Information Processing Systems},
volume={33},
pages={2983--2994},
year={2020}
}
Please contact [email protected] and [email protected] if you have any question on the codes.