Zero-cost Proxy for Adversarial Robustness Evaluation

The performance of the black-box and white-box attacks is demonstrated using a single dataset (CIFAR-10) in Tables 1 and 2. The authors should consider providing performance comparisons across multiple datasets for the chosen baselines in both tables. Additionally, Table 2 should clearly present a comparison of search efficiency.

We totally agree with your suggestion, and have provided performance comparisons on CIFAR-100 and ImageNet under white-box and black-box attacks, along with the comparison of search efficiency in Table 2.

• In terms of the comparison under white-box attacks, we choose the models in Table 1 as the peer competitors, and the results of the performance comparison are shown in the following two tables. As can be seen, our derived architectures achieve the state-of-the-art adversarial robustness among all the models chosen for comparison. Meanwhile, our derived architectures achieve the second-best and the best natural accuracy on CIFAR-100 and ImageNet, respectively. These results demonstrate that the proposed zero-cost proxy is effective across multiple datasets under white-box attacks. In this revision, these results and the corresponding summarizations are added to Section B.1 of Appendix.

Performance comparisons on CIFAR-100 under white-box attacks:

Performance comparisons on ImageNet under white-box attacks:

• In terms of the comparison under black-box attacks, we choose the models in Table 2 and two more recent models (i.e., WsrNet and CroZe) for the performance comparison on CIFAR-100 and ImageNet. The experimental results are shown in the following two tables. As can be seen, our model achieves the highest attack success rate (100% - the test accuracy, highlighted in bold) for all the target models except RACL on CIFAR-100. Meanwhile, our model also achieves the highest attack success rate for all the models on ImageNet. Furthermore, when our model is set as the target model, it demonstrates the best adversarial robustness among all the baselines chosen. These results demonstrate that the proposed zero-cost proxy is effective across multiple datasets under black-box attacks. In this revision, these results and the corresponding summarizations are added to Section B.3 of Appendix.

Performance comparisons on CIFAR-100 under black-box attacks:

Performance comparisons on ImageNet under black-box attacks:

• In this revision, the search efficiency has been compared and added to Table 2. As shown in the table below, the search cost of the proposed zero-cost proxy is significantly lower than that of the peer competitors in Table 2.

I am curious about the rationale for selecting only specific models (ResNet-18 and PDARTS) for comparison in Table 3. Would it be possible to include models from Table 1 to evaluate their transferability in Table 3?

Thank you for pointing this out. The reason for choosing specific models (i.e., ResNet-18 and PDARTS) mainly comes from two aspects. First, it is a convention in the robust NAS community to only select specific models for the evaluation of transferability instead of all the peer competitors [2], [3]. Second, ResNet-18 and PDARTS are commonly selected models for the comparison in terms of the transferability [2], [3].

In response to your comment, we have taken models from Table 1 to evaluate their transferability on SVHN and Tiny-ImageNet-200. Specifically, these models are directly transferred and adversarially trained on both datasets for evaluation. As can be seen from the following two tables, comparing with these models, our model still achieves decent natural accuracy and adversarial robustness, demonstrating superior transferability. In this revision, these results and the corresponding summarizations are added to Section B.4 of Appendix.

Experimental results of transferability on SVHN:

Experimental results of transferability on Tiny-ImageNet-200:

There is inadequate justification for why their approach exhibits better transferability in Table 3. It would be beneficial to provide justification grounded in their theoretical contributions, particularly highlighting the unique advantages that their proposed techniques offer to enhance transferability.

Thanks for the valuable suggestion. The transferability of the proposed zero-cost proxy can be attribute to the design of the zero-cost proxy. In particular, when evaluating the adversarial robustness $R$ of the architecture, the input samples $x$ are not specified. Meanwhile, the initial weights $\theta_0$ of the network is randomly determined, without any specific constraints. Consequently, the proposed zero-cost proxy can find the inherently robust neural architectures, without the dependence on specific data or weights. As a result, the architecture derived on a certain dataset based on the proposed zero-cost proxy can be well transferred to other datasets. In this revision, the above justification is added to Section B.4 of Appendix.

The authors should discuss the assumptions made in their analysis and their validity within the context of the study. For instance, when transforming from Equation 1 to Equation 3, it would be helpful to clarify the assumptions involved and how they apply in their setting. Specifically, I am uncertain whether the assumption of infinite-width DNN parameters is valid; if it is not, what implications does that have for this paper? I encourage the authors to include these details, even if they are standard, as doing so would enhance the paper's readability and facilitate the assessment process.

Thank you for the nice suggestion. We have discussed the assumption in terms of the infinite-width DNN parameters. In particular, when transferring Eq.(1) to Eq.(3), the assumption of infinite-width DNN parameters is valid. As evidenced by the previous literature [4], in the infinite-width limit, the NTK becomes deterministic at initialization and stays constant during training. Consequently, when replacing $\Theta_{\theta_t}$ in Eq.(1) with $\Theta_{\theta_0}$ in Eq.(3), because of the invariance of NTK in the infinite-width limit, these two NTKs can be directly replaced by each other. Therefore, the transformation from Eq.(1) to Eq.(3) keeps valid for the infinite-width DNN parameters. In this revision, the above discussions are added to Section A.1 of Appendix.

References

[1] Demystifying the neural tangent kernel from a practical perspective: Can it be trusted for neural architecture search without training?, CVPR 2022.

[2] When NAS meets robustness: In search of robust architectures against adversarial attacks, CVPR 2020.

[3] AdvRush: Searching for Adversarially robust neural architectures, ICCV 2021.

[4] Neural tangent kernel: Convergence and generalization in neural networks, NeurIPS 2018.

We are immensely grateful for your effort in reviewing our work, as well as for your constructive suggestions and insightful questions. In the following, we will address each of your suggestions and concerns point-by-point.

In the theoretical analysis section, $\lambda_{min}(\hat{\Theta_{\theta_{0}}})$ is approximated based on empirical observations to $-\lambda_{min}(\Theta_{\theta_{0}})$, which weakens the theoretical foundation of the work. I wonder if the authors could establish the relationship between the two NTKs in strict mathematical terms, such as showing that the approximation holds true within a specific margin of error with a certain probability. Currently, the analysis relies on an empirically driven approximation, which undermines its theoretical robustness.

Thanks for the insightful comment. We establish the relationship between the two NTKs in strict mathematical terms as follows, in order to theoretically justify the validity of the approximation:

Suppose $x$ and $y$ denote image samples and the corresponding label vector, and $\hat{x}$ denotes the adversarial examples generated based on the input samples $x$. We can obtain the lower bound of $\lambda_{min}(\Theta_{\theta_{0}})$ based on $\Vert y-f_{\theta_{t}}(x)\Vert_{2}^{2} \leq \exp(-\lambda_{min}(\Theta_{\theta_{0}})t)\Vert y-f_{\theta_{0}}(x)\Vert_{2}^{2}$:

$\lambda_{min}(\Theta_{\theta_{0}}) \geq \frac{1}{t} \ln \frac{\Vert y - f_{\theta_0}(x) \Vert^2_2}{\Vert y - f_{\theta_t}(x) \Vert^2_2}.$ (1)

Similarly, the lower bound of $\lambda_{min}(\hat{\Theta_{\theta_{0}}})$ can be obtained based on $\Vert y-f_{\theta_{t}}(\hat{x})\Vert_{2}^{2}\le \exp(-\lambda_{min}(\hat{\Theta_{\theta_{0}}})t)\Vert y-f_{\theta_{0}}(\hat{x})\Vert_{2}^{2}$:

$\lambda_{min}(\hat{\Theta_{\theta_{0}}}) \geq \frac{1}{t} \ln \frac{\Vert y - f_{\theta_0}(\hat{x}) \Vert^2_2}{\Vert y - f_{\theta_t}(\hat{x}) \Vert^2_2}.$ (2)

Based on Eq.(1) and Eq.(2), we can obtain the inequality of $\lambda_{min}(\Theta_{\theta_{0}})$ and $\lambda_{min}(\hat{\Theta_{\theta_{0}}})$ by adding the two inequalities together:

$\lambda_{min}(\Theta_{\theta_{0}}) + \lambda_{min}(\hat{\Theta_{\theta_{0}}}) \geq \frac{1}{t} \ln \frac{\Vert y - f_{\theta_0}(x) \Vert^2_2 \Vert y - f_{\theta_0}(\hat{x}) \Vert^2_2}{\Vert y - f_{\theta_t}(x) \Vert^2_2 \Vert y - f_{\theta_t}(\hat{x}) \Vert^2_2}.$ (3)

To form the equivalence of $\lambda_{min}(\Theta_{\theta_{0}})$ and $\lambda_{min}(\hat{\Theta_{\theta_{0}}})$, we introduce a margin $\xi \geq 0$, and then the equivalence of $\lambda_{min}(\Theta_{\theta_{0}})$ and $\lambda_{min}(\hat{\Theta_{\theta_{0}}})$ can be formed as Eq.(4) based on Eq.(3):

$\lambda_{min}(\hat{\Theta_{\theta_{0}}}) = -\lambda_{min}(\Theta_{\theta_{0}}) + \frac{1}{t} \ln \frac{\Vert y - f_{\theta_0}(x) \Vert^2_2 \Vert y - f_{\theta_0}(\hat{x}) \Vert^2_2}{\Vert y - f_{\theta_t}(x) \Vert^2_2 \Vert y - f_{\theta_t}(\hat{x}) \Vert^2_2} + \xi.$ (4)

According to the theoretical findings in [1], $\lambda_{min}(\Theta_{\theta_{0}})$ and $\lambda_{min}(\hat{\Theta_{\theta_{0}}})$ satisfy the upper bound shown in Eq.(5) and Eq.(6):

$\lambda_{min}(\Theta_{\theta_{0}}) \leq \sqrt{\sum_k |\lambda_k(\Theta_{\theta_{0}})|^2},$ (5)

$\lambda_{min}(\hat{\Theta_{\theta_{0}}}) \leq \sqrt{\sum_k |\lambda_k(\hat{\Theta_{\theta_{0}}})|^2},$ (6)

where $k$ denotes the number of eigenvalues. Meanwhile, because the loss of the network with trained weights $\theta_t$ is often smaller than that of the network with randomly initialized weights $\theta_0$ because of the training, the losses $\Vert y - f_{\theta_0}(x) \Vert^2_2$ and $\Vert y - f_{\theta_0}(\hat{x}) \Vert^2_2$ are often larger than $\Vert y - f_{\theta_t}(x) \Vert^2_2$ and $\Vert y - f_{\theta_t}(\hat{x}) \Vert^2_2$. Consequently, $\frac{1}{t} \ln \frac{\Vert y - f_{\theta_0}(x) \Vert^2_2 \Vert y - f_{\theta_0}(\hat{x}) \Vert^2_2}{\Vert y - f_{\theta_t}(x) \Vert^2_2 \Vert y - f_{\theta_t}(\hat{x}) \Vert^2_2}$ is often larger than 0. Therefore, the upper bound of $\xi$ can be formulated as Eq.(7):

$\xi \leq \sqrt{\sum_k |\lambda_k(\Theta_{\theta_{0}})|^2} + \sqrt{\sum_k |\lambda_k(\hat{\Theta_{\theta_{0}}})|^2}.$ (7)

Based on Eq.(4) and Eq.(7), we can conclude that there exists a margin $\xi$ satisfying $0 \leq \xi \leq \sqrt{\sum_k |\lambda_k(\Theta_{\theta_{0}})|^2} + \sqrt{\sum_k |\lambda_k(\hat{\Theta_{\theta_{0}}})|^2}$ such that $\lambda_{min}(\hat{\Theta_{\theta_{0}}})$ and $\lambda_{min}(\Theta_{\theta_{0}})$ negatively correlated. Therefore, the validity of approximating $-\lambda_{min}(\hat{\Theta_{\theta_{0}}})$ with $\lambda_{min}(\Theta_{\theta_{0}})$ is justified.

In this revision, the above theoretical justification is added to Section A.2 of Appendix.

Thank you sincerely for the encouragement and the recognition in our work. We appreciate your great effort and address your comments in detail below.

While the contribution in terms of speed reduction is significant for the proposed method, my concern is the increase in adversarial robustness as compared to the baselines is very minimal in the majority of the cases (less than 1% in most cases for Tables 1 and 4).

Thank you for your insightful comment. We address your concern from two aspects:

• First, please kindly note that the main contribution of this paper is to accelerate the adversarial robustness evaluation while maintaining the adversarial robustness. As can be seen from Table 1, the proposed zero-cost proxy achieves more than 20$\times$ speedup comparing with the state-of-the-art robust NAS methods, and the adversarial robustness also demonstrates slight improvement. Based on these results, the main contribution of this work has already been well supported even though the increase in adversarial robustness is not significant.

• Second, we have provided additional experimental results on CIFAR-100 beyond CIFAR-10 (Table 1) and ImageNet (Table 4). As shown in the table below, the proposed zero-cost proxy achieves the improvements of 3%-4% under the PGD$^{20}$, PGD$^{100}$, and AA attacks, demonstrating the proposed zero-cost proxy is still potential for a relatively large increase in adversarial robustness. The results in the table below and the corresponding summarizations have been added to Section B.1 of Appendix in this revision.

Minor typos: "8/2550" instead of "8/255" on line 301, "We" instead of "we" on line 63.

Thank you for your meticulous review. In this revision, we have fixed the mentioned typo in line 63. As for the word "8/255" in line 301, please kindly note that this is the correct setting of our experiments instead of a typo. Specifically, the total perturbation scale of the PGD$^7$ attack is set to 8/255 by following the convention [1]. Meanwhile, the step size of each step in the PGD attack is set to 8/2550, which also follows the convention [1] to ensure the fair comparison.

Reference

[1] Generalizable lightweight proxy for robust NAS against diverse perturbations, NeurIPS 2023.

We sincerely thank you for the time and effort you have invested in reviewing our paper. Your comments and questions are very insightful and highly valuable for us to enhance the paper. Your concerns are addressed point-by-point in the following.

Weaknesses

RQ1 and RQ2 looks a bit similar before looking at the experimental results.

Actually, the two points (i.e., the superiority in terms of cost-efficiency and robust accuracy) mentioned by the reviewer are both included in experiments for RQ1. Specifically, RQ1 mainly focus on the effectiveness of the proposed zero-cost proxy in terms of searching for architectures. To demonstrate the superiority of the proposed zero-cost proxy in this setting, both cost-efficiency and robust accuracy of the derived architecture need to be contained following the convention [1]. Moreover, RQ2 mainly focus on the superiority of the proposed zero-cost proxy in terms of evaluating the adversarial robustness of architectures, which is a different emphasis than that of RQ1.

To avoid the confusion, we have revised RQ1 and RQ2 in lines 260 and 261 for further clarification:

RQ1: Is the proposed zero-cost proxy superior in robust accuracy and cost-efficiency?

RQ2: Is the proposed zero-cost proxy superior in evaluating adversarial robustness of architectures?

The cost-efficiency related explanation is slightly short.

In response to this comment made by the reviewer, we have explained the reason for choosing to iterate samples over generating adversarial examples. Specifically, the NTK is calculated only based on different samples $x$ and $x'$ as shown in Equation (2). This means that we only need to ensure the samples are different, and it does not matter whether they are natural data or adversarial examples. Consequently, we can obtain the different samples by simply iterating samples in a batch, without the need to generate adversarial examples. Because simply iterating samples does not introduce much computational cost, and the repetitive calculation for the gradient or the time-consuming optimization for the adversarial example generation are no longer needed, the proposed zero-cost proxy demonstrates superior efficiency. These detailed explanations have been added to Section 3.2 (lines 182-190) in this revision.

Questions

The formulation is a bit awkward in Section 3.1.

We are sorry for confusing the reviewer on this point. Actually, the output of the function $f_{\theta_t}$ is a prediction label vector instead of a single scalar. This is because the input $x$ of $f_{\theta_t}$ is a batch of image samples. Suppose the number of samples is $N$, $x$ can be denoted as $\{x_1, x_2, \ldots, x_N\}$, and the output of $f_{\theta_t}$ can be denoted as $\{f_{\theta_t}(x_1), f_{\theta_t}(x_2), \ldots, f_{\theta_t}(x_N)\}$, which is a prediction label vector. Then, the $L_2$ distance between the output of $f_{\theta_t}$ and the corresponding label vector $\{y_1, y_2, \ldots, y_N\}$ of $x$ is calculated.

In this revision, we have added the clarification "$x$ and $y$ denote image samples and the corresponding label vector" in line 145 to avoid the confusion.

The Kendall's tau seems to be not high in Figures 2 and 4.

The phenomenon mentioned by the reviewer can be explained by the different size of the architectural benchmarks. As can be seen from Figure 2, the highest value of Kendall's tau reaches 0.47 under the FGSM attack on the NAS-Bench-201-R benchmark (containing 6,466 architectures naturally trained). Furthermore, because the Tiny-RobustBench benchmark (containing 223 architectures adversarially trained) is smaller than NAS-Bench-201-R, it cannot represent the distribution of all architectures in the search space very exactly. As a result, the value of the Kendall's tau becomes lower. However, the Kendall's tau of the proposed zero-cost proxy is still the highest among all the competitors.

In addition, the above claim can also be supported by the recent study [2]. The experimental results in this study show that when using the whole NAS-Bench-201 (containing 15,625 architectures naturally trained) to test the zero-cost proxies in terms of evaluating the natural accuracy, the value of Kendall's tau becomes larger than 0.5. Consequently, it is further demonstrated that larger benchmarks lead to higher values of the Kendall's tau in absolute terms.

How is the GPU day metric calculated? Under which GPU?

We are sorry for not containing these details in the initial version. The GPU days metric is calculated by "number of GPUs used $\times$ total running time (days)". The type of GPU used for the cost analysis is NVIDIA RTX 2080Ti. These details are added to lines 283-284 in this revision.

References

[1] Generalizable lightweight proxy for robust NAS against diverse perturbations, NeurIPS 2023.

[2] DisWOT: Student architecture search for distillation without training, CVPR 2023.