Task-Distributionally Robust Data-Free Meta-Learning

---

Q: The performance is not verified in a realistic setting with heterogeneous architectures. A: We acknowledge the reviewer's point on the limited scope of our experiments. To address this, we expanded our experimental setup to include diverse architectures. The table below demonstrates the architecture-agnostic nature of our TeaPot. Here, we conduct experiments on CIFAR-FS with various model architectures.

---

Q: Splitting Inverted Dataset for Validation to Avoid TDS. A: Your comments are insightful. However, there are some issues with monitoring the training performance using a split inverted validation set. (i) Compromised performance:

As shown in the table below, using 20% inverted dataset as a validation dataset to monitor the meta-training leads to a reduction in the diversity of meta-training tasks and a consequent performance drop. This is because meta-learning is evaluated on unseen tasks, which means the tasks (classes) in the validation dataset must be unseen during the meta-training. For example, if the class dog is used for validation, it can not be used for meta-training, which is different from traditional supervised learning.

(ii) Additional time costs:

Frequent validation during meta-training adds significant time costs, as shown in the table below. In this experiment, we validate the meta-learner for every 200 meta-iterations. Our method, however, does not involve any validation during meta-training.

(iii) Bias to the validation dataset:

When using an additional validation dataset, there's a risk of bias towards the validation dataset, which may not accurately predict performance on meta-testing tasks, especially due to the distribution gap between inverted validation data and real meta-testing data. Our method, however, does not involve model selection using specific criteria, focusing on maintaining high accuracy over time.

---

Q: Can model-poisoning attacks be detected as OOD by visualizing or embedding data recovered from a pre-trained model into an existing model? A: In the context of our work on Data-Free Meta-Learning (DFML), where a large pool of pre-trained models is used, manually validating each model for out-of-distribution (OOD) content is impractical due to the significant time and resource requirements.

Therefore, manually validating each model might be impractical. The method you mentioned (i) is impractically time-consuming, which involves evaluating a large volume of models, and (ii) assumes the accessibility to additional "reliable" pre-trained networks.

Our proposed Robust Model Selection Policy (ROSY) automatically identifies and selects reliable pre-trained models, thus streamlining the process and enhancing the efficiency of handling large model pools in DFML scenarios.

---

Q: Computational Complexity of ROSY Relative to Baselin?

A: The addition of ROSY to our TeaPot framework increases the computational time minimally, as shown in the table below. The efficiency of ROSY is due to the rapid computation of rewards and the straightforward policy optimization on reliability scores (100 scale weights), which does not involve complex gradient calculation and backpropagation.

Moreover, our method is faster than the SOTA DFML methods, Purer. The table below shows the total time needed to achieve the best performance, which is evaluated on CIFAR-FS 5-way 1-shot learning. Compared to Purer, ours can achieve higher PEAK time while taking less time, which is also shown in Fig.3 in our first submission.

We promise to provide a comprehensive analysis of the complexity in our revised manuscript.

Q: The risk of TDC is avoidable through sanity checks with simple data collection, by simply inputting data obtained from an image search engine or a text image model such as Stable Diffusion without privacy concerns.

A: The concern about the feasibility of sanity checks for avoiding TDC is worthy of consideration. However, our assumption in the context of Data-Free Meta-Learning (DFML) is based on scenarios where an extensive pool of pre-trained models is available. For instance, MAML, a classical meta-learning algorithm, requires over 100K tasks for effective training. Manually conducting sanity checks across such a vast array of models is impractical, both in terms of time and resources. Specifically, (i) gathering specific test data or generating specific images is time-consuming, and (ii) even if we already have the data, evaluating a large volume of models individually can be costly.

In contrast, our solution allows for automatic pre-trained model identification and selection within the meta-training process, which mitigates the need for manual data collection or generation and model evaluation. This is particularly beneficial in scenarios involving constructing large model pools by automatic commands.

---

Q: The replay-based method in TEAPOT has already been well studied in the context of continual learning.

A: The reviewer's observation about the replay-based method's familiarity with continual learning is acknowledged. However, as demonstrated in our paper (Table 3 in our first submission), applying conventional replay methods to Data-Free Meta-Learning (DFML) faces unique challenges. The limited diversity in stored memory tasks does not adequately represent the underlying task distribution required for DFML, e.g. MAML requires 100K tasks for efficient training. Our proposed interpolated task-memory replay technique, as explained in Section 4.1, addresses this by generating diversified tasks from existing memory without exceeding memory constraints, thereby enhancing the meta-learner's generalization capability across a broader range of tasks. Overall, we highlight the challenges faced by existing replay-based methods in the context of data-free meta-learning and propose a simple but effective baseline.

---

Q: Section 4 is misleading because of the mixture of existing and proposed methods. In particular, the second paragraph is almost the same as in the previous study.

A: We understand the reviewer's concern regarding the clarity of Section 4. The loss function we described, which includes a classification loss and a regularization term, is indeed a standard approach in the field of data-free learning, including data-free knowledge distillation [1,2] and model inversion [3]. Our contribution, however, is distinct from existing methods like Purer in addressing the task-distribution shift issue.

We would like to highlight the difference between the existing work Purer and ours.

(i) Our work is designed to alleviate the task-distribution shift issue observed in Purer via introducing memory bank with interpolated task memory replay.

(ii) Purer keeps the dataset trainable, which is adversirially optimized with the meta-learner as illustrated in the equation below.

$\min _{\boldsymbol{\theta}} \max _{\mathcal{D}} \underset{\mathcal{T} \in \mathcal{D}}{\mathbb{E}}\left[-\mathcal{L} _{\text {cls }}(\mathcal{D})+ \mathcal{L} _{\text {meta }}(\mathcal{T} ; \boldsymbol{\theta})\right]$

Unlike Purer, our work instead freezes the generated data and puts it into the memory bank, while only optimizing a generator to generate new data. The usage of a generator is also absent in Purer.

We recognize the importance of distinguishing our work from existing literature. Thus, we will ensure to more explicitly highlight these differences in the revised manuscript.

[1] Yin H, et al. Dreaming to distill: Data-free knowledge transfer via deepinversion, CVPR2020.

[2] Fang G, et al. Contrastive model inversion for data-free knowledge distillation, IJCAI2021.

[3] Hatamizadeh A, et al. Gradvit: Gradient inversion of vision transformers, CVPR2022.

Q: Jargon and Acronyms Usage (TDS, TDC, DFML, RML, RDFML, MPA, PR...).

A: Thank you for pointing out the problems of readability and clarity in our manuscript. We recognize that excessive use of jargon and acronyms can hinder understanding. We will carefully revise the manuscript to minimize the use of acronyms and explain concepts in plain language wherever possible. Our focus will be on clearly defining and using essential acronyms like Data-Free Meta-Learning (DFML), Task-Distribution Shift (TDS), and Task-Distribution Corruption (TDC), ensuring that these are introduced and explained at their first occurrence and used consistently throughout the paper.

---

Q: Model Poisoning Attack Scenario (TDC, MPA) Relevance. Realism of the scenario, detectability of poisoned models, and existence of common black-box model pools.

A: Your concern regarding the detectability of poisoned models is insightful. Our assumption in the context of Data-Free Meta-Learning (DFML) is based on scenarios where an extensive pool of pre-trained models is available. Manually validating each model might be impractical. This is because (i) gathering specific test data for hundreds or thousands of models is not only time-consuming but also potentially hindered by privacy concerns, and (ii) evaluating a large volume of models individually, even with available data or public discussions, can be prohibitively expensive.

The key advantage of our proposed framework is its ability to automate model selection within the meta-training process, mitigating the need for manual, model-specific data collection and evaluation. This approach is particularly beneficial in scenarios involving collecting a large number of models by automatic commands. Besides, we hope our work can inspire future works for more complicated scenarios like meta-learning from black-box API pools [1] such as Cloud Vision API of Google, Amazon AI and TensorFlow Lite APIs.

[1] Zixuan Hu, et al. "Learning to Learn from APIs: Black-Box Data-Free Meta-Learning." ICML 2023.

---

Q: Is the paper meant to be about solving two different problems? It currently feels like two papers combined into one.

A: We promise that we do not combine two papers into one. We organize our paper from the general perspective of task-distributionally robustness, focus on task-distribution shift and corruption issues observed in existing methods. The shift issue is a common problem, while the corruption issue is a more specific problem arising from specific attacks. Our solutions for these two issues are not separated, which can be used together with promising results, as evidenced by the results presented in Table 4 of our initial submission.

---

Q: (minor) Fig 4 is really hard to parse because it tries to combine two axes of variation (shot, MPA) into one. Can't you just have two 2x2 grids side-by-side, where for example the two grids are 1-shot and 5-shot?

A: We appreciate your suggestion regarding Figure 4. Based on your feedback, we will redesign this figure to enhance clarity and comprehension. The revised figure will feature two separate 2x2 grids, one for 1-shot and the other for 5-shot scenarios, to distinctly present the variations in both dimensions.

Q: Details about the interpolated task-memory replay. Could authors clarify how to interpolate the old tasks?

A: We agree that additonal clarifications about this should be provided because it is central to our framework. Interpolated task-memory replay is a simple but effective technique, enabling us to construct interpolated tasks from existing memories. Specifically, given two pre-trained models with label spaces of (lily, sky) and (rose, pine tree), a potential interpolted tasks could be (lily, rose). This tenique enables meta-training on a wider range of tasks without exceeding model and memory budegts. Our experiments in Tab.3 in our first submission demonstrate the efficacy of this simple technique, yielding a 10.09% increase in LAST accuracy and a 2.72% boost in PEAK accuracy with a budget of 100 pre-trained models.

Thanks for your advice, and we promise to include a more detailed explanation and refer to Table 3 in our revised version to further clarify this technique.

---

Q: The paper argues it is a data-free meta-learning, but to aviod the MPA, it still need an additional validataion tasks.

A: Indeed, our approach necessitates a minimal set of validation tasks. However, the number of these tasks (only two in our case) is substantially fewer than the extensive task sets typically required for meta-training in traditional methods (e.g., over 100K tasks for MAML). Our method demonstrates that using a small number of validation tasks is not only practical but also incurs minimal time costs for calculating the reward in policy optimization.

---

Q: To address the TDC and TDS, it essentially needs three stage training. It needs pseudo task recovery, meta-training with task-memory replay, and the policy optimization, and thus the total training time must be long. What's the total time need to take to achieve the performence?

A: Indeed, our methods needs three stage training. However, as illustrated in the table below, integrating policy optimization adds only an additional 0.05 hours for CIFAR-FS 5-way 1-shot learning. This efficiency is due to the rapid computation of rewards (accuracy on a small number validation tasks) and the straightforward policy optimization on reliability scores (100 scale weights), which does not involve complex gradient calculation and backpropagation.

Moreover, our method is faster than the SOTA DFML methods. The table below shows the total time needed to achieve the best performance, which is evaluated on CIFAR-FS 5-way 1-shot learning. Compared to Purer, ours can achieve higher PEAK time while taking less time, which is also shown in Fig.3 in our first submission.

We promise to provide a comprehensive analysis of the complexity in our final manuscript.

---

Q: The key process is pseudo tasks recovery, but the generation performence with classification loss and the regularization term is not figured out. Why does the task generator trained with such two loss function work well? Could the author give a reasonable and foundamental explaination?

A: We acknowledge the need for a more detailed explanation of the pseudo task recovery process.

The classification loss in our approach ensures that the recovered images capture class-specific discriminative features, facilitating accurate classification. Concurrently, the regularization term enhances the realism of these pseudo images by aligning the statistics of their layer-wise feature maps with those of real images. We will provide visualizations of recovered images (w/ and w/o the regularization term) and elaborate on this process in our revised manuscript.

---

Q: Why does the fine-tune performs so bad compared with other methods?

A: Fine-tuning with extremely few-shot examples (1-shot and 5-shot in our cases) can result in severe overfitting, leading to poor performance on query examples. Our methods, utilizing various meta-learning algorithms, effectively facilitates efficient learning of new tasks, by meta-learning a sensitive model initialization (our TeaPot-ANIL) or a task-shared feature extractor (our TeaPot-ProtoNet).

---

---

Q: The distribution of the pesudo tasks is lack of explaination, and the Figure 1 shows the degradation of the meta-testing accuracy, but it may not caused by the task-distribution shift. Could authors figure out the distribution shift happened in the meta-training phase?

A: We plan to expand our discussion on task-distribution shifts in the final version of our manuscript. Previous SOTA work, Purer, uses a learnable pseudo dataset that evolves alongside the meta-learner. This evolution can lead to significant shifts in task distribution, particularly under adversarial training conditions.

The overall objective of Purer is shown in the equation below.

$\min _{\boldsymbol{\theta}} \max _{\mathcal{D}} \underset{\mathcal{T} \in \mathcal{D}}{\mathbb{E}}\left[-\mathcal{L} _{\text {cls }}(\mathcal{D})+ \mathcal{L} _{\text {meta }}(\mathcal{T} ; \boldsymbol{\theta})\right]$

The learnable dataset is optimized with two terms: (i) maximizing the classification loss $-\mathcal{L} _{\text {cls }}$ensures the images inside the pseudo dataset can be correctly classified, and (ii) minimizing $\mathcal{L} _{\text {meta }}$ ensures the tasks constructed from the pseudo dataset will become harder. Therefore, as the learnable dataset gets updated, the distribution of pseudo tasks will change. Such distribution shift could be large when the learnable dataset and the meta-learner get trained adversarially.

We will elucidate this with detailed analysis and illustrations in our revised manuscript to clarify how such shifts impact the meta-training phase and overall performance.