Relating Adversarially Robust Generalization to Flat Minima
- URL: http://arxiv.org/abs/2104.04448v1
- Date: Fri, 9 Apr 2021 15:55:01 GMT
- Title: Relating Adversarially Robust Generalization to Flat Minima
- Authors: David Stutz, Matthias Hein, Bernt Schiele
- Abstract summary: Adversarial training (AT) has become the de-facto standard to obtain models robust against adversarial examples.
We study the relationship between robust generalization and flatness of the robust loss landscape in weight space.
- Score: 138.59125287276194
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Adversarial training (AT) has become the de-facto standard to obtain models
robust against adversarial examples. However, AT exhibits severe robust
overfitting: cross-entropy loss on adversarial examples, so-called robust loss,
decreases continuously on training examples, while eventually increasing on
test examples. In practice, this leads to poor robust generalization, i.e.,
adversarial robustness does not generalize well to new examples. In this paper,
we study the relationship between robust generalization and flatness of the
robust loss landscape in weight space, i.e., whether robust loss changes
significantly when perturbing weights. To this end, we propose average- and
worst-case metrics to measure flatness in the robust loss landscape and show a
correlation between good robust generalization and flatness. For example,
throughout training, flatness reduces significantly during overfitting such
that early stopping effectively finds flatter minima in the robust loss
landscape. Similarly, AT variants achieving higher adversarial robustness also
correspond to flatter minima. This holds for many popular choices, e.g.,
AT-AWP, TRADES, MART, AT with self-supervision or additional unlabeled
examples, as well as simple regularization techniques, e.g., AutoAugment,
weight decay or label noise. For fair comparison across these approaches, our
flatness measures are specifically designed to be scale-invariant and we
conduct extensive experiments to validate our findings.
Related papers
- The Uncanny Valley: Exploring Adversarial Robustness from a Flatness Perspective [34.55229189445268]
Flatness of the loss surface not only correlates positively with generalization but is also related to adversarial robustness.
In this paper, we empirically analyze the relation between adversarial examples and relative flatness with respect to the parameters of one layer.
arXiv Detail & Related papers (2024-05-27T08:10:46Z)
- Doubly Robust Instance-Reweighted Adversarial Training [107.40683655362285]
We propose a novel doubly-robust instance reweighted adversarial framework.
Our importance weights are obtained by optimizing the KL-divergence regularized loss function.
Our proposed approach outperforms related state-of-the-art baseline methods in terms of average robust performance.
arXiv Detail & Related papers (2023-08-01T06:16:18Z)
- Vulnerability-Aware Instance Reweighting For Adversarial Training [4.874780144224057]
Adversarial Training (AT) has been found to substantially improve the robustness of deep learning classifiers against adversarial attacks.
AT exerts an uneven influence on different classes in a training set and unfairly hurts examples corresponding to classes that are inherently harder to classify.
Various reweighting schemes have been proposed that assign unequal weights to robust losses of individual examples in a training set.
In this work, we propose a novel instance-wise reweighting scheme. It considers the vulnerability of each natural example and the resulting information loss on its adversarial counterpart occasioned by adversarial attacks.
arXiv Detail & Related papers (2023-07-14T05:31:32Z)
- Understanding and Combating Robust Overfitting via Input Loss Landscape Analysis and Regularization [5.1024659285813785]
Adversarial training is prone to overfitting, and the cause is far from clear.
We find that robust overfitting results from standard training, specifically the minimization of the clean loss.
We propose a new regularizer to smooth the loss landscape by penalizing the weighted logits variation along the adversarial direction.
arXiv Detail & Related papers (2022-12-09T16:55:30Z)
- Boundary Adversarial Examples Against Adversarial Overfitting [4.391102490444538]
Adversarial training approaches suffer from robust overfitting, where the robust accuracy decreases when models are adversarially trained for too long.
Several mitigation approaches including early stopping, temporal ensembling and weight memorizations have been proposed to mitigate the effect of robust overfitting.
In this paper, we investigate if these mitigation approaches are complementary to each other in improving adversarial training performance.
arXiv Detail & Related papers (2022-11-25T13:16:53Z)
- Fast Adversarial Training with Adaptive Step Size [62.37203478589929]
We study the phenomenon from the perspective of training instances.
We propose a simple but effective method, Adversarial Training with Adaptive Step size (ATAS).
ATAS learns an instancewise adaptive step size that is inversely proportional to its gradient norm.
arXiv Detail & Related papers (2022-06-06T08:20:07Z)
- Alleviating Robust Overfitting of Adversarial Training With Consistency Regularization [9.686724616328874]
Adversarial training (AT) has proven to be one of the most effective ways to defend Deep Neural Networks (DNNs) against adversarial attacks.
Robust overfitting, in which robustness drops sharply at a certain stage, always exists during AT.
Consistency regularization, a popular technique in semi-supervised learning, has a similar goal as AT and can be used to alleviate robust overfitting.
arXiv Detail & Related papers (2022-05-24T03:18:43Z)
- On the Impact of Hard Adversarial Instances on Overfitting in Adversarial Training [70.82725772926949]
Adversarial training is a popular method to robustify models against adversarial attacks.
In this work, we investigate this phenomenon from the perspective of training instances.
We show that the decay in generalization performance of adversarial training is a result of fitting hard adversarial instances.
arXiv Detail & Related papers (2021-12-14T12:19:24Z)
- Adversarial Weight Perturbation Helps Robust Generalization [65.68598525492666]
Adversarial training is the most promising way to improve the robustness of deep neural networks against adversarial examples.
We show how the widely used weight loss landscape (loss change with respect to weight) performs in adversarial training.
We propose a simple yet effective Adversarial Weight Perturbation (AWP) to explicitly regularize the flatness of weight loss landscape.
arXiv Detail & Related papers (2020-04-13T12:05:01Z)
- Robust and On-the-fly Dataset Denoising for Image Classification [72.10311040730815]
On-the-fly Data Denoising (ODD) is robust to mislabeled examples, while introducing almost zero computational overhead compared to standard training.
ODD is able to achieve state-of-the-art results on a wide range of datasets including real-world ones such as WebVision and Clothing1M.
arXiv Detail & Related papers (2020-03-24T03:59:26Z)
This list is automatically generated from the titles and abstracts of the papers in this site.