research-article

Free Access

Doubly Robust AUC Optimization against Noisy and Adversarial Samples

Authors:
Chenkang Zhang

Nanjing University of Information Science and Technology, Nanjing, China

Nanjing University of Information Science and Technology, Nanjing, China

0000-0003-0918-518X
View Profile

,
Wanli Shi

Nanjing University of Information Science and Technology, Nanjing, China

Nanjing University of Information Science and Technology, Nanjing, China

0000-0002-4895-4060
View Profile

,
Lei Luo

Nanjing University of Science and Technology, Nanjing, China

Nanjing University of Science and Technology, Nanjing, China

0000-0002-9976-0442
View Profile

,
Bin Gu

Nanjing University of Information Science and Technology & Mohamed bin Zayed University of Artificial Intelligence, Nanjing, China

Nanjing University of Information Science and Technology & Mohamed bin Zayed University of Artificial Intelligence, Nanjing, China

0000-0001-8653-1117
View Profile

KDD '23: Proceedings of the 29th ACM SIGKDD Conference on Knowledge Discovery and Data MiningAugust 2023Pages 3195–3205https://doi.org/10.1145/3580305.3599316

Published:04 August 2023Publication History

KDD '23: Proceedings of the 29th ACM SIGKDD Conference on Knowledge Discovery and Data Mining

Pages 3195–3205

ABSTRACT

Area under the ROC curve (AUC) is an important and widely used metric in machine learning especially for imbalanced datasets. In current practical learning problems, not only adversarial samples but also noisy samples seriously threaten the performance of learning models. Nowadays, there have been a lot of research works proposed to defend the adversarial samples and noisy samples separately. Unfortunately, to the best of our knowledge, none of them with AUC optimization can secure against the two kinds of harmful samples simultaneously. To fill this gap and also address the challenge, in this paper, we propose a novel doubly robust dAUC optimization (DRAUC) algorithm. Specifically, we first exploit the deep integration of self-paced learning and adversarial training under the framework of AUC optimization, and provide a statistical upper bound to the AUC adversarial risk. Inspired by the statistical upper bound, we propose our optimization objective followed by an efficient alternatively stochastic descent algorithm, which can effectively improve the performance of learning models by guarding against adversarial samples and noisy samples. Experimental results on several standard datasets demonstrate that our DRAUC algorithm has better noise robustness and adversarial robustness than the state-of-the-art algorithms.

Supplemental Material

rtfp1185-2min-promo.mp4

mp4

36.4 MB

Download

References

Talha Burak Alakus and Ibrahim Turkoglu. 2020. Comparison of deep learning approaches to predict COVID-19 infection. Chaos, Solitons & Fractals , Vol. 140 (2020), 110120.Google ScholarCross Ref
Saeid Asgari Taghanaki, Kumar Abhishek, Joseph Paul Cohen, Julien Cohen-Adad, and Ghassan Hamarneh. 2021. Deep semantic segmentation of natural and medical images: a review. Artificial Intelligence Review , Vol. 54, 1 (2021), 137--178.Google ScholarDigital Library
Wieland Brendel, Jonas Rauber, Alexey Kurakin, Nicolas Papernot, Behar Veliqi, Sharada P Mohanty, Florian Laurent, Marcel Salathé, Matthias Bethge, Yaodong Yu, et al. 2020. Adversarial vision challenge. In The NeurIPS'18 Competition. Springer, 129--153.Google Scholar
Lei Cai, Jingyang Gao, and Di Zhao. 2020. A review of the application of deep learning in medical image classification and segmentation. Annals of translational medicine , Vol. 8, 11 (2020).Google ScholarCross Ref
Qi-Zhi Cai, Chang Liu, and Dawn Song. 2018. Curriculum adversarial training. In Proceedings of the 27th International Joint Conference on Artificial Intelligence. 3740--3747.Google ScholarCross Ref
Yair Carmon, Aditi Raghunathan, Ludwig Schmidt, John C Duchi, and Percy S Liang. 2019. Unlabeled data improves adversarial robustness. Advances in Neural Information Processing Systems , Vol. 32 (2019).Google Scholar
Gilad Cohen, Guillermo Sapiro, and Raja Giryes. 2020. Detecting adversarial samples using influence functions and nearest neighbors. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 14453--14462.Google ScholarCross Ref
Francesco Croce and Matthias Hein. 2020. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In International conference on machine learning. PMLR, 2206--2216.Google Scholar
Zhiyuan Dang, Xiang Li, Bin Gu, Cheng Deng, and Heng Huang. 2020. Large-scale nonlinear auc maximization via triply stochastic gradients. IEEE Transactions on Pattern Analysis and Machine Intelligence (2020).Google ScholarCross Ref
Beno^it Frénay and Michel Verleysen. 2013. Classification in the presence of label noise: a survey. IEEE transactions on neural networks and learning systems, Vol. 25, 5 (2013), 845--869.Google Scholar
Ellen H Fukuda and LM Grana Drummond. 2011. On the convergence of the projected gradient method for vector optimization. Optimization, Vol. 60, 8--9 (2011), 1009--1021.Google ScholarCross Ref
Aritra Ghosh, Himanshu Kumar, and PS Sastry. 2017. Robust loss functions under label noise for deep neural networks. In Proceedings of the AAAI Conference on Artificial Intelligence, Vol. 31.Google ScholarCross Ref
Tieliang Gong, Qian Zhao, Deyu Meng, and Zongben Xu. 2016. Why curriculum learning & self-paced learning work in big/noisy data: A theoretical perspective. Big Data & Information Analytics , Vol. 1, 1 (2016), 111.Google ScholarCross Ref
Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014).Google Scholar
Bin Gu, Zhouyuan Huo, and Heng Huang. 2019. Scalable and Efficient Pairwise Learning to Achieve Statistical Accuracy. In Proceedings of the AAAI Conference on Artificial Intelligence, Vol. 33. 3697--3704.Google ScholarDigital Library
Bin Gu, Zhou Zhai, Xiang Li, and Heng Huang. 2021. Finding age path of self-paced learning. In 2021 IEEE International Conference on Data Mining (ICDM). IEEE, 151--160.Google ScholarCross Ref
Bin Gu, Chenkang Zhang, Huan Xiong, and Heng Huang. 2022. Balanced Self-Paced Learning for AUC Maximization. (2022).Google Scholar
Chuan Guo, Mayank Rana, Moustapha Cisse, and Laurens Van Der Maaten. 2017. Countering adversarial images using input transformations. arXiv preprint arXiv:1711.00117 (2017).Google Scholar
Karimollah Hajian-Tilaki. 2013. Receiver operating characteristic (ROC) curve analysis for medical diagnostic test evaluation. Caspian journal of internal medicine , Vol. 4, 2 (2013), 627.Google Scholar
John Hancock and Taghi M Khoshgoftaar. 2020. Medicare fraud detection using catboost. In 2020 IEEE 21st international conference on information reuse and integration for data science (IRI). IEEE, 97--103.Google ScholarCross Ref
Rongyao Hu, Xiaofeng Zhu, Yonghua Zhu, and Jiangzhang Gan. 2020. Robust SVM with adaptive graph learning. World Wide Web , Vol. 23 (2020), 1945--1968.Google ScholarDigital Library
Mengda Huang, Yang Liu, Xiang Ao, Kuan Li, Jianfeng Chi, Jinghua Feng, Hao Yang, and Qing He. 2022. AUC-oriented Graph Neural Network for Fraud Detection. In Proceedings of the ACM Web Conference 2022. 1311--1321.Google ScholarDigital Library
Alfredo N Iusem. 2003. On the convergence properties of the projected gradient method for convex optimization. Computational & Applied Mathematics , Vol. 22, 1 (2003), 37--52.Google ScholarCross Ref
Tomoharu Iwata, Akinori Fujino, and Naonori Ueda. 2020. Semi-supervised learning for maximizing the partial AUC. In Proceedings of the AAAI Conference on Artificial Intelligence, Vol. 34. 4239--4246.Google ScholarCross Ref
Lu Jiang, Zhengyuan Zhou, Thomas Leung, Li-Jia Li, and Li Fei-Fei. 2018. Mentornet: Learning data-driven curriculum for very deep neural networks on corrupted labels. In International Conference on Machine Learning. PMLR, 2304--2313.Google Scholar
Jukka-Pekka Kauppi, Melih Kandemir, Veli-Matti Saarinen, Lotta Hirvenkari, Lauri Parkkonen, Arto Klami, Riitta Hari, and Samuel Kaski. 2015. Towards brain-activity-controlled information retrieval: Decoding image relevance from MEG signals. NeuroImage , Vol. 112 (2015), 288--298.Google ScholarCross Ref
Pascal Klink, Hany Abdulsamad, Boris Belousov, and Jan Peters. 2020. Self-paced contextual reinforcement learning. In Conference on Robot Learning. PMLR, 513--529.Google Scholar
Alex Krizhevsky, Geoffrey Hinton, et al. 2009. Learning multiple layers of features from tiny images. (2009).Google Scholar
M Kumar, Benjamin Packer, and Daphne Koller. 2010. Self-paced learning for latent variable models. Advances in neural information processing systems , Vol. 23 (2010).Google Scholar
Yann LeCun, Léon Bottou, Yoshua Bengio, and Patrick Haffner. 1998. Gradient-based learning applied to document recognition. Proc. IEEE, Vol. 86, 11 (1998), 2278--2324.Google ScholarCross Ref
Chao Li, Shangqian Gao, Cheng Deng, De Xie, and Wei Liu. 2019. Cross-modal learning with adversarial samples. Advances in Neural Information Processing Systems , Vol. 32 (2019).Google Scholar
Fangzhou Liao, Ming Liang, Yinpeng Dong, Tianyu Pang, Xiaolin Hu, and Jun Zhu. 2018. Defense against adversarial attacks using high-level representation guided denoiser. In Proceedings of the IEEE conference on computer vision and pattern recognition. 1778--1787.Google ScholarCross Ref
Guanxiong Liu, Issa Khalil, and Abdallah Khreishah. 2021. Using single-step adversarial training to defend iterative adversarial examples. In Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy. 17--27.Google ScholarDigital Library
Shiqi Liu, Zilu Ma, and Deyu Meng. 2018. Understanding self-paced learning under co ve conjugacy theory. arXiv preprint arXiv:1805.08096 (2018).Google Scholar
Fan Ma, Deyu Meng, Qi Xie, Zina Li, and Xuanyi Dong. 2017. Self-paced co-training. In International Conference on Machine Learning. PMLR, 2275--2284.Google Scholar
Xingjun Ma, Bo Li, Yisen Wang, Sarah M Erfani, Sudanthi Wijewickrema, Grant Schoenebeck, Dawn Song, Michael E Houle, and James Bailey. 2018. Characterizing adversarial subspaces using local intrinsic dimensionality. In 6th International Conference on Learning Representations, ICLR 2019.Google Scholar
Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards Deep Learning Models Resistant to Adversarial Attacks. In International Conference on Learning Representations.Google Scholar
Patrick E McKnight and Julius Najab. 2010. Mann-Whitney U Test. The Corsini encyclopedia of psychology (2010), 1--1.Google Scholar
Sarang Narkhede. 2018. Understanding auc-roc curve. Towards Data Science, Vol. 26, 1 (2018), 220--227.Google Scholar
Yuval Netzer, Tao Wang, Adam Coates, Alessandro Bissacco, Bo Wu, and Andrew Y Ng. 2011. Reading digits in natural images with unsupervised feature learning. (2011).Google Scholar
Tianyu Pang, Kun Xu, Chao Du, Ning Chen, and Jun Zhu. 2019. Improving adversarial robustness via promoting ensemble diversity. In International Conference on Machine Learning. PMLR, 4970--4979.Google Scholar
Tianyu Pang, Xiao Yang, Yinpeng Dong, Hang Su, and Jun Zhu. 2020. Bag of Tricks for Adversarial Training. In International Conference on Learning Representations.Google Scholar
Nicolas Papernot, Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami. 2016. Distillation as a defense to adversarial perturbations against deep neural networks. In 2016 IEEE symposium on security and privacy (SP). IEEE, 582--597.Google ScholarCross Ref
Leslie Rice, Eric Wong, and Zico Kolter. 2020. Overfitting in adversarially robust deep learning. In International Conference on Machine Learning. PMLR, 8093--8104.Google Scholar
Ali Shafahi, Mahyar Najibi, Mohammad Amin Ghiasi, Zheng Xu, John Dickerson, Christoph Studer, Larry S Davis, Gavin Taylor, and Tom Goldstein. 2019. Adversarial training for free! Advances in Neural Information Processing Systems , Vol. 32 (2019).Google Scholar
Florian Tramèr, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, and Patrick McDaniel. 2017. Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204 (2017).Google Scholar
Arash Vahdat. 2017. Toward robustness against label noise in training deep discriminative neural networks. Advances in Neural Information Processing Systems , Vol. 30 (2017).Google Scholar
Ben Van Calster, Vanya Van Belle, George Condous, Tom Bourne, Dirk Timmerman, and Sabine Van Huffel. 2008. Multi-class AUC metrics and weighted alternatives. In 2008 IEEE International Joint Conference on Neural Networks (IEEE World Congress on Computational Intelligence). IEEE, 1390--1396.Google ScholarCross Ref
Yu Wan, Baosong Yang, Derek F Wong, Yikai Zhou, Lidia S Chao, Haibo Zhang, and Boxing Chen. 2020. Self-Paced Learning for Neural Machine Translation. arXiv preprint arXiv:2010.04505 (2020).Google Scholar
Huaxia Wang and Chun-Nam Yu. 2018. A Direct Approach to Robust Deep Learning Using Adversarial Networks. In International Conference on Learning Representations.Google Scholar
Shijun Wang, Diana Li, Nicholas Petrick, Berkman Sahiner, Marius George Linguraru, and Ronald M Summers. 2015. Optimizing area under the ROC curve using semi-supervised learning. Pattern recognition, Vol. 48, 1 (2015), 276--287.Google Scholar
Xinshao Wang, Yang Hua, Elyor Kodirov, and Neil M Robertson. 2019a. IMAE for Noise-Robust Learning: Mean Absolute Error Does Not Treat Examples Equally and Gradient Magnitude's Variance Matters. arXiv preprint arXiv:1903.12141 (2019).Google Scholar
Yisen Wang, Xingjun Ma, James Bailey, Jinfeng Yi, Bowen Zhou, and Quanquan Gu. 2019b. On the convergence and robustness of adversarial training. In ICML 2019: Proceedings of the 36th International Conference on Machine Learning. PMLR, 11426--11438.Google Scholar
Yisen Wang, Xingjun Ma, James Bailey, Jinfeng Yi, Bowen Zhou, and Quanquan Gu. 2021. On the convergence and robustness of adversarial training. arXiv preprint arXiv:2112.08304 (2021).Google Scholar
Yisen Wang, Xingjun Ma, Zaiyi Chen, Yuan Luo, Jinfeng Yi, and James Bailey. 2019c. Symmetric cross entropy for robust learning with noisy labels. In Proceedings of the IEEE/CVF International Conference on Computer Vision. 322--330.Google ScholarCross Ref
Zhengyang Wang, Meng Liu, Youzhi Luo, Zhao Xu, Yaochen Xie, Limei Wang, Lei Cai, Qi Qi, Zhuoning Yuan, Tianbao Yang, et al. 2022. Advanced graph and sequence neural networks for molecular property prediction and drug discovery. Bioinformatics, Vol. 38, 9 (2022), 2579--2586.Google ScholarCross Ref
Eric Wong, Leslie Rice, and J Zico Kolter. 2020. Fast is better than free: Revisiting adversarial training. arXiv preprint arXiv:2001.03994 (2020).Google Scholar
Huimin Wu, Zhengmian Hu, and Bin Gu. 2021. Fast and scalable adversarial training of kernel SVM via doubly stochastic gradients. In Proceedings of the AAAI conference on artificial intelligence, Vol. 35. 10329--10337.Google ScholarCross Ref
Huimin Wu, William Vazelhes, and Bin Gu. 2022. Efficient Semi-Supervised Adversarial Training without Guessing Labels. In 2022 IEEE International Conference on Data Mining (ICDM). IEEE, 538--547.Google ScholarCross Ref
Tong Xiao, Tian Xia, Yi Yang, Chang Huang, and Xiaogang Wang. 2015. Learning from massive noisy labeled data for image classification. In Proceedings of the IEEE conference on computer vision and pattern recognition. 2691--2699.Google Scholar
Cihang Xie, Mingxing Tan, Boqing Gong, Alan Yuille, and Quoc V Le. 2020. Smooth adversarial training. arXiv preprint arXiv:2006.14536 (2020).Google Scholar
Ziran Xiong, Wanli Shi, and Bin Gu. 2022. End-to-End Semi-Supervised Ordinal Regression AUC Maximization with Convolutional Kernel Networks. In Proceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining. 2140--2150.Google ScholarDigital Library
Weilin Xu, David Evans, and Yanjun Qi. 2017. Feature squeezing: Detecting adversarial examples in deep neural networks. arXiv preprint arXiv:1704.01155 (2017).Google Scholar
Yilun Xu, Peng Cao, Yuqing Kong, and Yizhou Wang. 2019. L_dmi: A novel information-theoretic loss function for training deep nets robust to label noise. Advances in neural information processing systems , Vol. 32 (2019).Google Scholar
Yiming Ying, Longyin Wen, and Siwei Lyu. 2016. Stochastic online auc maximization. Advances in neural information processing systems , Vol. 29 (2016).Google Scholar
Zhuoning Yuan, Yan Yan, Milan Sonka, and Tianbao Yang. 2021. Large-scale robust deep auc maximization: A new surrogate loss and empirical studies on medical image classification. In Proceedings of the IEEE/CVF International Conference on Computer Vision. 3040--3049.Google ScholarCross Ref
Runtian Zhai, Tianle Cai, Di He, Chen Dan, Kun He, John Hopcroft, and Liwei Wang. 2019. Adversarially robust generalization just requires more unlabeled data. arXiv preprint arXiv:1906.00555 (2019).Google Scholar
Chiyuan Zhang, Samy Bengio, Moritz Hardt, Benjamin Recht, and Oriol Vinyals. 2021. Understanding deep learning (still) requires rethinking generalization. Commun. ACM, Vol. 64, 3 (2021), 107--115.Google ScholarDigital Library
Dinghuai Zhang, Tianyuan Zhang, Yiping Lu, Zhanxing Zhu, and Bin Dong. 2019b. You only propagate once: Accelerating adversarial training via maximal principle. Advances in Neural Information Processing Systems , Vol. 32 (2019).Google Scholar
Hongyang Zhang, Yaodong Yu, Jiantao Jiao, Eric Xing, Laurent El Ghaoui, and Michael Jordan. 2019a. Theoretically principled trade-off between robustness and accuracy. In International Conference on Machine Learning. PMLR, 7472--7482.Google Scholar
Jingfeng Zhang, Xilie Xu, Bo Han, Gang Niu, Lizhen Cui, Masashi Sugiyama, and Mohan Kankanhalli. 2020a. Attacks which do not kill training make adversarial learning stronger. In International Conference on Machine Learning. PMLR, 11278--11287.Google Scholar
Jingfeng Zhang, Xilie Xu, Bo Han, Gang Niu, Lizhen Cui, Masashi Sugiyama, and Mohan Kankanhalli. 2020b. Attacks which do not kill training make adversarial learning stronger. In International conference on machine learning. PMLR, 11278--11287.Google Scholar
Zhilu Zhang and Mert Sabuncu. 2018. Generalized cross entropy loss for training deep neural networks with noisy labels. Advances in neural information processing systems , Vol. 31 (2018).Google Scholar
Zhengxia Zou, Zhenwei Shi, Yuhong Guo, and Jieping Ye. 2019. Object detection in 20 years: A survey. arXiv preprint arXiv:1905.05055 (2019).Google Scholar
Keneilwe Zuva and Tranos Zuva. 2012. Evaluation of information retrieval systems. AIRCC's International Journal of Computer Science and Information Technology, Vol. 4, 3 (2012), 35--43. ioGoogle ScholarCross Ref

Index Terms

Doubly Robust AUC Optimization against Noisy and Adversarial Samples
1. Computing methodologies
  1. Machine learning
    1. Learning paradigms
      1. Supervised learning
    2. Machine learning approaches
      1. Neural networks
2. Security and privacy
  1. Software and application security

Recommendations

Boosting adversarial robustness via self-paced adversarial training
Abstract
Adversarial training is considered one of the most effective methods to improve the adversarial robustness of deep neural networks. Despite the success, it still suffers from unsatisfactory performance and overfitting. Considering the intrinsic ...
Read More
Enhancing Model Robustness Against Adversarial Attacks with an Anti-adversarial Module
Pattern Recognition and Computer Vision
Abstract
Due to the rapid development of artificial intelligence technologies, such as deep neural networks in recent years, the subsequent emergence of adversarial samples poses a great threat to the security of deep neural network models. In order to ...
Read More
Attack-less adversarial training for a robust adversarial defense
Abstract
Adversarial examples have proved efficacious in fooling deep neural networks recently. Many researchers have studied this issue of adversarial examples by evaluating neural networks against their attack techniques and increasing the robustness of ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
KDD '23: Proceedings of the 29th ACM SIGKDD Conference on Knowledge Discovery and Data Mining
August 2023
5996 pages
ISBN:9798400701030
DOI:10.1145/3580305
General Chairs:
Ambuj Singh
UC Santa Barbara, USA
,
Yizhou Sun
UC Los Angeles, USA
,
Program Chairs:
Leman Akoglu
Carnegie Mellon University, USA
,
Dimitrios Gunopulos
University of Athens, Greece
,
Xifeng Yan
UC Santa Barbara, USA
,
Ravi Kumar
Google, USA
,
Fatma Ozcan
Google, USA
,
Jieping Ye
Alibaba DAMO Academy
Copyright © 2023 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 4 August 2023
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
adversarial training
auc optimization
self-paced learning
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate1,133of8,635submissions,13%
Upcoming Conference
KDD '24

Sponsor:

sigkdd

sigkdd

KDD '24: The 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining

August 25 - 29, 2024

Barcelona , Spain
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 0
  Total Citations
  View Citations
- 196
  Total Downloads
- Downloads (Last 12 months)196
- Downloads (Last 6 weeks)19
Other Metrics
View Author Metrics
Cited By
This publication has not been cited yet

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Doubly Robust AUC Optimization against Noisy and Adversarial Samples

KDD '23: Proceedings of the 29th ACM SIGKDD Conference on Knowledge Discovery and Data Mining

ABSTRACT

Supplemental Material

References

Cited By

Index Terms

Recommendations

Boosting adversarial robustness via self-paced adversarial training

Enhancing Model Robustness Against Adversarial Attacks with an Anti-adversarial Module

Attack-less adversarial training for a robust adversarial defense