Prognostics and health management (PHM) systems increasingly rely on machine learning for reliable bearing fault diagnosis. However, data deletion in PHM remains an open problem. Since retraining a model from scratch is often infeasible, this raises a new challenge. Moreover, in most cases, only the pretrained model and the user-requested data are available. Existing approaches under this constraint often fail to achieve proper unlearning and substantially degrade model performance, thereby disrupting the original embedding space and collapsing the structural integrity of the pretrained model. To address this, we propose adversarial retain-free unlearning (ARU). Our framework integrates adversarial samples generated from the pretrained model with a semantic-driven loss to preserve representational stability. Experiments on public and private bearing datasets demonstrate that ARU achieves unlearning efficacy and structural consistency comparable to Retrain while maintaining diagnostic accuracy. We believe that our proposed framework provides a practical and reliable solution for retain-free unlearning in real-world industrial PHM systems.
@article{yoon2026adversarial,title={Adversarial Retain-Free Unlearning for Bearing Prognostics and Health Management},author={Yoon, Chaewon and Lee, Jiyoung and Kim, Hoki},journal={IEEE Transactions on Industrial Informatics},year={2026},publisher={IEEE},cv_order={5},}
Accurate forecasting of precious metal prices is increasingly critical in modern financial markets, as these metals function as industrial commodities and as strategic financial instruments for portfolio diversification and risk management. Although recent advances in financial technology have produced a range of forecasting approaches from traditional econometric methods to sophisticated deep learning models—the complex dynamics of metal prices continue to challenge existing methodologies. This paper introduces a significant innovation in financial forecasting by revealing and leveraging previously unrecognized pattern relationships in decomposed time series data. Our comprehensive analysis of metal price dynamics reveals distinct grouped patterns in decomposed time series components, challenging the conventional assumption of independence in current forecasting methods. Based on these insights, we propose the pattern-guided forecasting framework (PGFF), which enhances forecasting accuracy by leveraging cross-dimensional pattern relationships in decomposed time series. Our framework employs a novel two-stage approach: first, categorizing decomposed time series based on their temporal characteristics and autocorrelation patterns; then, implementing cross-dimensional forecasting to capture complex market dynamics. Empirical analysis of four major precious metals demonstrates that PGFF consistently outperforms existing forecasting frameworks, offering significant implications for investment decision-making and portfolio management in modern financial markets.
@article{kim2026pattern,title={Pattern-guided forecasting framework for metal price prediction with grouping decomposed series},author={Kim, Dongbin and Lee, Jaewook and Kim, Hoki},year={2026},journal={Financial Innovation},publisher={Springer},volume={12},number={1},pages={45},cv_order={4},}
Unlearning has emerged as a key technique to mitigate harmful content generation in diffusion models. However, existing methods often remove not only the target concept, but also benign co-occurring concepts. Unlearning nudity can unintentionally suppress the concept of person, preventing a model from generating images with person. We define these undesirably suppressed co-occurring concepts that must be preserved co-occurring associated retained concepts). Then, we introduce the CARE score, a general metric that directly quantifies their preservation across unlearning tasks. With this foundation, we propose RECARE(robust erasure for care), a framework that explicitly safeguards CARE while erasing only the target concept. ReCARE automatically constructs the CARE-set, a curated vocabulary of benign co-occurring tokens extracted from target images, and leverages this vocabulary during training for stable unlearning. Extensive experiments across various target concepts demonstrate that ReCARE achieves overall state-of-the-art performance in balancing robust concept erasure, overall utility, and CARE preservation.
@inproceedings{kim2026cooccurring,title={Co-occurring Associated REtained concepts in Diffusion Unlearning},author={Kim, Miso and Lee, Georu and Kim, Yunji and Kim, Hoki and Park, Jinseong and Lee, Woojin},year={2026},booktitle={The Fourteenth International Conference on Learning Representations},}
Machine unlearning aims to remove the influence of specific training samples (i.e., forget data) from a trained model while preserving its performance on the remaining samples (i.e., retain data). Existing approximate unlearning approaches, such as fine-tuning or negative gradient, often suffer from either insufficient forgetting or significant degradation on retain data. In this paper, we introduce Unlearning-Aware Minimization (UAM), a novel min–max optimization framework for machine unlearning. UAM perturbs model parameters to maximize the forget loss and then leverages the corresponding gradients to minimize the retain loss. We derive an efficient optimization method for this min-max problem, which enables effective removal of forget data and uncovers better optima that conventional methods fail to reach. Extensive experiments demonstrate that UAM outperforms existing methods across diverse benchmarks, including image classification datasets (CIFAR-10, CIFAR-100, TinyImageNet) and multiple-choice question-answering benchmarks for large language models (WMDP-Bio, WMDP-Cyber).
@inproceedings{kim2025unlearning,title={Unlearning-Aware Minimization},author={Kim, Hoki and Kim, Keonwoo and Chae, Sungwon and Yoon, Sangwon},year={2025},booktitle={Thirty-ninth Conference on Neural Information Processing Systems},cv_order={3},cv_text_en={Top-tier AI Conf.},cv_text_ko={AI 최우수 학회},}
Recent advancements in deep learning have led to a rise in studies aimed at helping golfers improve their shot precision. However, current research has not quantitatively determined a relationship between swing posture and ball trajectory, limiting their effectiveness in offering golfers precise recommendations for correcting swing issues. In this paper, we propose a new dataset called CaddieSet, which contains joint information and various ball information from a single shot. CaddieSet extracts joint information from a single swing video divided into eight swing phases and includes information on various balls for a single shot. Based on expert golf domain knowledge, we define swing-related features using a computer vision-based approach. 15 metrics are defined that affect a golf swing and make it possible to interpret the results of the swing from the joint information. The dataset includes these features extracted from eight golfers, along with ball information as the result of each swing. In the experiments, we demonstrated the feasibility of CaddieSet for predicting ball trajectories using various benchmarks. In particular, we focus on interpretable models among several benchmarks and verify that swing feedback using our joint features is quantitatively consistent with existing domain knowledge. It is expected that this will provide a new perspective on golf swing analysis to both the academic and sports worlds.
@inproceedings{jung2025caddieset,title={CaddieSet: A Golf Swing Dataset with Human Joint Features and Ball Information},author={Jung, Seunghyeon and Hong, Seoyoung and Jeong, Jiwoo and Jeong, Seungwon and Choi, Jaerim and Kim, Hoki and Lee, Woojin},year={2025},booktitle={Proceedings of the CVPR 2025 Workshop on Computer Vision in Sports (CVSports)},address={Seattle, WA, USA},organization={IEEE},}
In IoT-enabled industrial environments, ensuring the privacy and security of operational data is paramount for fault diagnosis systems. This study presents a novel framework that seamlessly integrates homomorphic encryption (HE) with deep learning to achieve secure and efficient fault diagnosis for industrial bearings. By performing computations directly on encrypted sensor data, the framework guarantees full data confidentiality throughout the diagnostic process without requiring decryption. Key technical contributions of this work include the development of a minimax polynomial approximation for ReLU activations, which enhances diagnostic accuracy while preserving efficiency, and the design of an efficient 1D convolution method that combines two existing HE convolution techniques for optimal performance. Additionally, the framework incorporates frequency-domain optimizations using the Discrete Fourier Transform (DFT), which significantly enhance processing efficiency. The proposed model was trained on the CWRU bearing dataset and validated on a private dataset, achieving a diagnostic accuracy of 95.92%, comparable to state-of-the-art models operating on plaintext data. Furthermore, the DFT-based optimizations reduced inference time by nearly threefold while maintaining superior accuracy, underscoring the framework’s potential to provide secure and efficient fault diagnosis for industrial applications.
@article{kim2025homomorphic,title={Homomorphic encryption-based fault diagnosis in IoT-enabled industrial systems},author={Kim, Hoki and Son, Youngdoo and Byun, Junyoung},year={2025},journal={International Journal of Information Security},publisher={Springer},volume={24},number={3},pages={102},}
Meme stocks, driven by viral social media trends, have added new complexities to financial markets. Prior studies have explored meme stock price dynamics and investor sentiment, but the interplay between social media activity and market movements, along with the structural and linguistic features of online discussions, remains understudied. To address this, we integrate econometric and NLP-based techniques, combining correlation analysis, Granger causality testing, BSADF-based bubble detection, and textual analysis. Our results reveal a strong correlation between trading volume and social media engagement, with Granger causality confirming a feedback loop between market fluctuations and online discussions. BSADF analysis demonstrates that social media-based detection complements price-based methods by identifying explosive periods they may miss. Additionally, network analysis indicates that meme stock discussions exhibit distinct structural patterns, while linguistic analysis highlights unique word choices and emoji usage. Sentiment analysis shows that bullish sentiment dominates during speculative surges, reinforcing the emotionally driven nature of meme stock trading. These findings provide investors with a complementary tool for risk assessment by integrating sentiment with traditional market indicators, while helping regulators monitor online sentiment to identify early signs of speculative excess and market instability.
@article{lee2025statistical,title={A Statistical Analysis of the Relationship between Meme Stocks and Social Media},author={Lee, Seungju and Lee, Yunyoung and Lee, Jaewook and Kim, Hoki},year={2025},journal={IEEE Access},publisher={IEEE},}
Although deep learning models have shown superior performance for time series classification, prior studies have recently discovered that small perturbations can fool various time series models. This vulnerability poses a serious threat that can cause malfunctions in real-world systems, such as Internet-of-Things (IoT) devices and industrial control systems. To defend these systems against adversarial time series, recent studies have proposed a detection method using time series characteristics. In this paper, however, we reveal that this detection-based defense can be easily circumvented. Through an extensive investigation into existing adversarial attacks and generated adversarial time series examples, we discover that they tend to ignore the trends in local areas and add excessive noise to the original examples. Based on the analyses, we propose a new adaptive attack, called trend-adaptive interval attack (TIA), that generates a hardly detectable adversarial time series by adopting trend-adaptive loss and gradient-based interval selection. Our experiments demonstrate that the proposed method successfully maintains the important features of the original time series and deceives diverse time series models without being detected.
@article{kim2025towards,title={Towards undetectable adversarial attack on time series classification},author={Kim, Hoki and Lee, Yunyoung and Lee, Woojin and Lee, Jaewook},year={2025},journal={Information Sciences},publisher={Elsevier},pages={122216},}
Deep learning has significantly impacted prognostic and health management, but its susceptibility to adversarial attacks raises security risks for fault diagnosis systems. Previous research on the adversarial robustness of these systems is limited by unrealistic assumptions about prior model knowledge, which is often unobtainable in the real world, and by a lack of integration of domain-specific knowledge, particularly frequency information crucial for identifying unique characteristics for machinery states. To address these limitations and enhance robustness assessments, we propose a novel adversarial attack method that exploits frequency distortion. Our approach corrupts both frequency components and waveforms of vibration signals from rotating machinery, enabling a more thorough evaluation of system vulnerability without requiring access to model information. Through extensive experiments on two bearing datasets, including a self-collected dataset, we demonstrate the effectiveness of the proposed method in generating malicious yet imperceptible examples that remarkably degrade model performance, even without access to model information. In realistic attack scenarios for fault diagnosis systems, our approach produces adversarial examples that mimic unique frequency components associated with the deceived machinery states, leading to average performance drops of approximately 13 and 19 percentage points higher than existing methods on the two datasets, respectively. These results reveal potential risks for deep learning models embedded in fault diagnosis systems, highlighting the need for enhanced robustness against adversarial attacks.
@article{lee2025black,title={Black-box adversarial examples via frequency distortion against fault diagnosis systems},author={Lee, Sangho and Kim, Hoki and Lee, Woojin and Son, Youngdoo},year={2025},journal={Applied Soft Computing},publisher={Elsevier},pages={112828},}
This study aims to explain the determinants of bank failures by evaluating existing prediction models. We reveal that existing machine learning models often result in inconsistent explanations within the financial domain, leading to flawed conclusions and suboptimal decision-making. Therefore, we propose the use of a neural additive model that combines the transparency of a general additive model with the high performance of a neural network. Our findings show that this approach enhances the interpretation of explanatory variables in bank failure predictions, offering valuable insights for improving financial risk assessment.
@article{son2025explaining,title={Explaining determinants of bank failure prediction via neural additive model},author={Son, Bumho and Lee, Jaewook and Kim, Hoki},year={2025},journal={Applied Economics Letters},publisher={Taylor \& Francis},pages={1--6},}
Time series forecasting is crucial for applications across multiple domains and various scenarios. Although Transformer models have dramatically shifted the landscape of forecasting, their effectiveness remains debated. Recent findings have indicated that simpler linear models might outperform complex Transformer-based approaches, highlighting the potential for more streamlined architectures. In this paper, we shift focus from the overall architecture of the Transformer to the effectiveness of self-attentions for time series forecasting. To this end, we introduce a new architecture, Cross-Attention-only Time Series transformer (CATS), that rethinks the traditional Transformer framework by eliminating self-attention and leveraging cross-attention mechanisms instead. By establishing future horizon-dependent parameters as queries and enhanced parameter sharing, our model not only improves long-term forecasting accuracy but also reduces the number of parameters and memory usage. Extensive experiment across various datasets demonstrates that our model achieves superior performance with the lowest mean squared error and uses fewer parameters compared to existing models.
@inproceedings{kim2024self,title={Are Self-Attentions Effective for Time Series Forecasting?},author={Kim, Dongbin and Park, Jinseong and Lee, Jaewook and Kim, Hoki},year={2024},booktitle={Thirty-eighth Conference on Neural Information Processing Systems},}
Diffusion models have shown their effectiveness in generation tasks by well-approximating the underlying probability distribution. However, diffusion models are known to suffer from an amplified inherent bias from the training data in terms of fairness. While the sampling process of diffusion models can be controlled by conditional guidance, previous works have attempted to find empirical guidance to achieve quantitative fairness. To address this limitation, we propose a fairness-aware sampling method called \textitattribute switching mechanism for diffusion models. Without additional training, the proposed sampling can obfuscate sensitive attributes in generated data without relying on classifiers. We mathematically prove and experimentally demonstrate the effectiveness of the proposed method on two key aspects: (i) the generation of fair data and (ii) the preservation of the utility of the generated data.
@inproceedings{choi2024fair,title={Fair Sampling in Diffusion Models through Switching Mechanism},author={Choi, Yujin and Park, Jinseong and Kim, Hoki and Lee, Jaewook and Park, Saerom},year={2024},booktitle={Proceedings of the AAAI Conference on Artificial Intelligence},volume={38},number={20},pages={21995--22003},}
While machine learning models have shown superior performance in fault diagnosis systems, researchers have revealed their vulnerability to subtle noises generated by adversarial attacks. Given that this vulnerability can lead to misdiagnosis or unnecessary maintenance, the assessment of the practical robustness of fault diagnosis models is crucial for their deployment and use in real-world scenarios. However, research on the practical adversarial robustness of fault diagnosis models remains limited. In this work, we present a comprehensive analysis on rotating machinery diagnostics and discover that existing attacks often over-estimate the robustness of these models in practical settings. In order to precisely estimate the practical robustness of models, we propose a novel method that unveils the hidden risks of fault diagnosis models by manipulating the spectrum of signal frequencies—an area that has been rarely explored in the domain of adversarial attacks. Our proposed attack, Spectrogram-Aware Ensemble Method (SAEM), the hidden vulnerability of fault diagnosis systems through achieving a higher attack performance in practical black-box settings. Through experiments, we reveal the potential dangers of employing non-robust fault diagnosis models in real-world applications and suggest directions for future research in industrial applications.
@article{kim2024evaluating,title={Evaluating practical adversarial robustness of fault diagnosis systems via spectrogram-aware ensemble method},author={Kim, Hoki and Lee, Sangho and Lee, Jaewook and Lee, Woojin and Son, Youngdoo},journal={Engineering Applications of Artificial Intelligence},volume={130},pages={107980},year={2024},publisher={Elsevier},}
Adversarial training has become the de-facto standard method for improving the robustness of models against adversarial examples. However, robust overfitting remains a significant challenge, leading to a large gap between the robustness on the training and test datasets. To understand and improve robust generalization, various measures have been developed, including margin, smoothness, and flatness-based measures. In this study, we present a large-scale analysis of robust generalization to empirically verify whether the relationship between these measures and robust generalization remains valid in diverse settings. We demonstrate when and how these measures effectively capture the robust generalization gap by comparing over 1,300 models trained on CIFAR-10 under the norm and further validate our findings through an evaluation of more than 100 models from RobustBench across CIFAR-10, CIFAR-100, and ImageNet. We hope this work can help the community better understand adversarial robustness and motivate the development of more robust defense methods against adversarial attacks.
@inproceedings{kim2023fantastic,title={Fantastic Robustness Measures: The Secrets of Robust Generalization},author={Kim, Hoki and Park, Jinseong and Choi, Yujin and Lee, Jaewook},year={2023},booktitle={Thirty-seventh Conference on Neural Information Processing Systems},cv_order={2},cv_text_en={Top-tier AI Conf.},cv_text_ko={AI 최우수 학회},}
Adversarial robustness is considered a required property of deep neural networks. In this study, we discover that adversarially trained models might have significantly different characteristics in terms of margin and smoothness, even though they show similar robustness. Inspired by the observation, we investigate the effect of different regularizers and discover the negative effect of the smoothness regularizer on maximizing the margin. Based on the analyses, we propose a new method called bridged adversarial training that mitigates the negative effect by bridging the gap between clean and adversarial examples. We provide theoretical and empirical evidence that the proposed method provides stable and better robustness, especially for large perturbations.
@article{kim2023bridged,title={Bridged Adversarial Training},author={Kim, Hoki and Lee, Woojin and Lee, Sungyoon and Lee, Jaewook},year={2023},journal={Neural Networks},publisher={Elsevier},volume={167},pages={266--282},}
Despite the success of deep neural networks, the existence of adversarial attacks has revealed the vulnerability of neural networks in terms of security. Adversarial attacks add subtle noise to the original example, resulting in a false prediction. Although adversarial attacks have been mainly studied in the image domain, a recent line of research has discovered that speech classification systems are also exposed to adversarial attacks. By adding inaudible noise, an adversary can deceive speech classification systems and cause fatal issues in various applications, such as speaker identification and command recognition tasks. However, research on the transferability of audio adversarial examples is still limited. Thus, in this study, we first investigate the transferability of audio adversarial examples with different structures and conditions. Through extensive experiments, we discover that the transferability of audio adversarial examples is related to their noise sensitivity. Based on the analyses, we present a new adversarial attack called noise injected attack that generates highly transferable audio adversarial examples by injecting additive noise during the gradient ascent process. Our experimental results demonstrate that the proposed method outperforms other adversarial attacks in terms of transferability.
@article{kim2023generating,title={Generating Transferable Adversarial Examples for Speech Classification},author={Kim, Hoki and Park, Jinseong and Lee, Jaewook},year={2023},journal={Pattern Recognition},publisher={Elsevier},volume={137},pages={109286},}
Various deep learning architectures have been developed to capture long-term dependencies in time series data, but challenges such as overfitting and computational time still exist. The recently proposed optimization strategy called Sharpness-Aware Minimization (SAM) optimization prevents overfitting by minimizing a perturbed loss within the nearby parameter space. However, SAM requires doubled training time to calculate two gradients per iteration, hindering its practical application in time series modeling such as real-time assessment. In this study, we demonstrate that sharpness-aware training improves generalization performance by capturing trend and seasonal components of time series data. To avoid the computational burden of SAM, we leverage the periodic characteristics of time series data and propose a new fast sharpness-aware training method called Periodic Sharpness-Aware Time series Training (PSATT) that reuses gradient information from past iterations. Empirically, the proposed method achieves both generalization and time efficiency in time series classification and forecasting without requiring additional computations compared to vanilla optimizers.
@article{park2023fast,title={Fast Sharpness-Aware Training for Periodic Time Series Classification and Forecasting},author={Park, Jinseong and Kim, Hoki and Choi, Yujin and Lee, Woojin and Lee, Jaewook},year={2023},journal={Applied Soft Computing},publisher={Elsevier},pages={110467},}
Although deep learning models have exhibited excellent performance in various domains, recent studies have discovered that they are highly vulnerable to adversarial attacks. In the audio domain, malicious audio examples generated by adversarial attacks can cause significant performance degradation and system malfunctions, resulting in security and safety concerns. However, compared to recent developments in the audio domain, the properties of the adversarial audio examples and defenses against them still remain largely unexplored. In this study, to provide a deeper understanding of the adversarial robustness in the audio domain, we first investigate traditional and recent feature extractions in terms of adversarial attacks. We show that adversarial audio examples generated from different feature extractions exhibit different noise patterns, and thus can be distinguished by a simple classifier. Based on the observation, we extend existing adversarial detection methods by proposing a new detection method that detects adversarial audio examples using an ensemble of diverse feature extractions. By combining the frequency and self-supervised feature representations, the proposed method provides a high detection rate against both white-box and black-box adversarial attacks. Our empirical results demonstrate the effectiveness of the proposed method in speech command classification and speaker recognition.
@article{choi2023exploring,title={Exploring Diverse Feature Extractions for Adversarial Audio Detection},author={Choi, Yujin and Park, Jinseong and Lee, Jaewook and Kim, Hoki},year={2023},journal={IEEE Access},publisher={IEEE},volume={11},pages={2351--2360},}
@article{kim2023stability,title={Stability Analysis of Sharpness-Aware Minimization},author={Kim, Hoki and Park, Jinseong and Choi, Yujin and Lee, Jaewook},year={2023},journal={arXiv preprint arXiv:2301.06308},}
@article{kim2023exploring,title={Exploring the Effect of Multi-step Ascent in Sharpness-Aware Minimization},author={Kim, Hoki and Park, Jinseong and Choi, Yujin and Lee, Woojin and Lee, Jaewook},year={2023},journal={arXiv preprint arXiv:2302.10181},}
Training deep learning models with differential privacy (DP) results in a degradation of performance. The training dynamics of models with DP show a significant difference from standard training, whereas understanding the geometric properties of private learning remains largely unexplored. In this paper, we investigate sharpness, a key factor in achieving better generalization, in private learning. We show that flat minima can help reduce the negative effects of per-example gradient clipping and the addition of Gaussian noise. We then verify the effectiveness of Sharpness-Aware Minimization (SAM) for seeking flat minima in private learning. However, we also discover that SAM is detrimental to the privacy budget and computational time due to its two-step optimization. Thus, we propose a new sharpness-aware training method that mitigates the privacy-optimization trade-off. Our experimental results demonstrate that the proposed method improves the performance of deep learning models with DP from both scratch and fine-tuning.
@inproceedings{park2023differrentially,title={Differentially Private Sharpness-Aware Training},author={Park, Jinseong and Kim, Hoki and Choi, Yujin and Lee, Woojin and Lee, Jaewook},year={2023},journal={International Conference on Machine Learning},organization={PMLR},}
Deep learning is vulnerable to adversarial examples. Many defenses based on randomized neural networks have been proposed to solve the problem, but fail to achieve robustness against attacks using proxy gradients such as the Expectation over Transformation (EOT) attack. We investigate the effect of the adversarial attacks using proxy gradients on randomized neural networks and demonstrate that it highly relies on the directional distribution of the loss gradients of the randomized neural network. We show in particular that proxy gradients are less effective when the gradients are more scattered. To this end, we propose Gradient Diversity (GradDiv) regularizations that minimize the concentration of the gradients to build a robust randomized neural network. Our experiments on MNIST, CIFAR10, and STL10 show that our proposed GradDiv regularizations improve the adversarial robustness of randomized neural networks against a variety of state-of-the-art attack methods. Moreover, our method efficiently reduces the transferability among sample models of randomized neural networks.
@article{lee2022graddiv,title={Graddiv: Adversarial Robustness of Randomized Neural Networks via Gradient Diversity Regularization},author={Lee, Sungyoon and Kim, Hoki and Lee, Jaewook},year={2022},journal={IEEE Transactions on Pattern Analysis and Machine Intelligence},publisher={IEEE},}
Imputation of missing data is an important but challenging issue because we do not know the underlying distribution of the missing data. Previous imputation models have addressed this problem by assuming specific kinds of missing distributions. However, in practice, the mechanism of the missing data is unknown, so the most general case of missing pattern needs to be considered for successful imputation. In this paper, we present cycle-consistent imputation adversarial networks to discover the underlying distribution of missing patterns closely under some relaxations. Using adversarial training, our model successfully learns the most general case of missing patterns. Therefore our method can be applied to a wide variety of imputation problems. We empirically evaluated the proposed method with numerical and image data. The result shows that our method yields the state-of-the-art performance quantitatively and qualitatively on standard datasets.
@article{lee2022variational,title={Variational Cycle-consistent Imputation Adversarial Networks for General Missing Patterns},author={Lee, Woojin and Lee, Sungyoon and Byun, Junyoung and Kim, Hoki and Lee, Jaewook},year={2022},journal={Pattern Recognition},publisher={Elsevier},volume={129},pages={108720},}
Neural network-based models have recently shown excellent performance in various kinds of tasks. However, a large amount of labeled data is required to train deep networks, and the cost of gathering labeled training data for every kind of domain is prohibitively expensive. Domain adaptation tries to solve this problem by transferring knowledge from labeled source domain data to unlabeled target domain data. Previous research tried to learn domain-invariant features of source and target domains to address this problem, and this approach has been used as a key concept in various methods. However, domain-invariant features do not mean that a classifier trained on source data can be directly applied to target data because it does not guarantee that data distribution of the same classes will be aligned across two domains. In this paper, we present novel generalization upper bounds for domain adaptation that motivates the need for class-conditional domain invariant learning. Based on this theoretical framework, we then propose a class-conditional domain invariant learning method that can learn a feature space in which features in the same class are expected to be mapped nearby. We empirically experimented that our model showed state-of-the-art performance on standard datasets and showed effectiveness by visualization of latent space.
@article{lee2021compact,title={Compact Class-conditional Domain Invariant Learning for Multi-class Domain Adaptation},author={Lee, Woojin and Kim, Hoki and Lee, Jaewook},year={2021},journal={Pattern Recognition},publisher={Elsevier},volume={112},pages={107763},}
Although fast adversarial training has demonstrated both robustness and efficiency, the problem of "catastrophic overfitting" has been observed. This is a phenomenon in which, during single-step adversarial training, the robust accuracy against projected gradient descent (PGD) suddenly decreases to 0% after a few epochs, whereas the robust accuracy against fast gradient sign method (FGSM) increases to 100%. In this paper, we demonstrate that catastrophic overfitting is very closely related to the characteristic of single-step adversarial training which uses only adversarial examples with the maximum perturbation, and not all adversarial examples in the adversarial direction, which leads to decision boundary distortion and a highly curved loss surface. Based on this observation, we propose a simple method that not only prevents catastrophic overfitting, but also overrides the belief that it is difficult to prevent multi-step adversarial attacks with single-step adversarial training.
@inproceedings{kim2021understanding,title={Understanding Catastrophic Overfitting in Single-step Adversarial Training},author={Kim, Hoki and Lee, Woojin and Lee, Jaewook},year={2021},booktitle={Proceedings of the AAAI Conference on Artificial Intelligence},volume={35},number={9},pages={8119--8127},cv_order={1},cv_text_en={Top-tier AI Conf., cited 164 times},cv_text_ko={AI 최우수 학회, 164회 인용},}
Torchattacks is a PyTorch library that contains adversarial attacks to generate adversarial examples and to verify the robustness of deep learning models.
@article{kim2020torchattacks,title={Torchattacks: A PyTorch Repository for Adversarial Attacks},author={Kim, Hoki},year={2020},journal={arXiv preprint arXiv:2010.01950},}