Sharpness-Aware Minimization Alone can Improve Adversarial Robustness (2305.05392v2)
Abstract: Sharpness-Aware Minimization (SAM) is an effective method for improving generalization ability by regularizing loss sharpness. In this paper, we explore SAM in the context of adversarial robustness. We find that using only SAM can achieve superior adversarial robustness without sacrificing clean accuracy compared to standard training, which is an unexpected benefit. We also discuss the relation between SAM and adversarial training (AT), a popular method for improving the adversarial robustness of DNNs. In particular, we show that SAM and AT differ in terms of perturbation strength, leading to different accuracy and robustness trade-offs. We provide theoretical evidence for these claims in a simplified model. Finally, while AT suffers from decreased clean accuracy and computational overhead, we suggest that SAM can be regarded as a lightweight substitute for AT under certain requirements. Code is available at https://github.com/weizeming/SAM_AT.
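The abstract contrasts SAM and adversarial training (AT) by where and how strongly they perturb. The following is an added example, not code from the paper or its repository, that makes that contrast concrete on a dependency-free logistic-regression model: SAM takes its gradient at weights moved a distance rho along the normalized gradient (weight space), AT takes its gradient at inputs moved by at most eps in L_inf (input space), and plain training does neither. The 2-D training set, the choice of logistic regression as the toy model, and the values lr=0.5, rho=0.1, eps=0.1 are all constructed for illustration. For a linear model the exact L_inf worst case is closed-form (x - eps * y * sign(w)), so the robustness evaluation here is exact rather than an attack approximation.

```python
# Added example (not from the paper or its repo): a minimal comparison of the
# three update rules the abstract contrasts, on logistic regression.
#   plain: w <- w - lr * grad L(w; x)
#   SAM:   w <- w - lr * grad L(w + e_w; x),  e_w = rho * g / ||g||   (weight space)
#   AT:    w <- w - lr * grad L(w; x_adv),    ||x_adv - x||_inf <= eps (input space)
import math

# Constructed training set: labels are +1/-1, feature 1 is strongly predictive,
# feature 2 only weakly; the two classes are exact mirror images of each other.
XS = [(1.0, 0.2), (1.2, -0.1), (0.8, 0.3), (1.1, 0.0),
      (-1.0, -0.2), (-1.2, 0.1), (-0.8, -0.3), (-1.1, 0.0)]
YS = [1, 1, 1, 1, -1, -1, -1, -1]


def _sigmoid(t):
    if t >= 0:
        return 1.0 / (1.0 + math.exp(-t))
    e = math.exp(t)
    return e / (1.0 + e)


def _dot(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


def loss_and_grad(w, b, xs, ys):
    """Mean logistic loss log(1 + exp(-y z)), z = w.x + b, and its gradient."""
    n = len(xs)
    gw, gb, loss = [0.0] * len(w), 0.0, 0.0
    for x, y in zip(xs, ys):
        z = y * (_dot(w, x) + b)
        loss += math.log1p(math.exp(-abs(z))) + max(-z, 0.0)   # stable form
        c = -y * _sigmoid(-z)                                  # d loss / d(w.x + b)
        gw = [g + c * xi / n for g, xi in zip(gw, x)]
        gb += c / n
    return loss / n, gw, gb


def sam_perturbation(w, b, xs, ys, rho):
    """SAM's inner step: move rho along the normalized loss gradient in weight space."""
    _, gw, gb = loss_and_grad(w, b, xs, ys)
    norm = math.sqrt(sum(g * g for g in gw) + gb * gb)
    if norm == 0.0:
        return [0.0] * len(w), 0.0
    return [rho * g / norm for g in gw], rho * gb / norm


def fgsm_inputs(w, xs, ys, eps):
    """AT's inner step for a linear model: the exact L_inf worst case is
    x_adv = x - eps * y * sign(w), which minimizes the margin y * (w.x + b)."""
    sgn = [(wi > 0) - (wi < 0) for wi in w]
    return [tuple(xi - eps * y * s for xi, s in zip(x, sgn)) for x, y in zip(xs, ys)]


def step(method, w, b, xs, ys, lr, strength):
    """One update; `strength` is rho for SAM, eps for AT, and ignored for plain."""
    if method == "sam":
        ew, eb = sam_perturbation(w, b, xs, ys, strength)
        _, gw, gb = loss_and_grad([wi + e for wi, e in zip(w, ew)], b + eb, xs, ys)
    elif method == "at":
        _, gw, gb = loss_and_grad(w, b, fgsm_inputs(w, xs, ys, strength), ys)
    else:
        _, gw, gb = loss_and_grad(w, b, xs, ys)
    return [wi - lr * g for wi, g in zip(w, gw)], b - lr * gb


def train(method, steps=200, lr=0.5, strength=0.1):
    """Full-batch training from zero weights on the constructed set."""
    w, b = [0.0, 0.0], 0.0
    for _ in range(steps):
        w, b = step(method, w, b, XS, YS, lr, strength)
    return w, b


def accuracy(w, b, xs, ys):
    return sum((_dot(w, x) + b) * y > 0 for x, y in zip(xs, ys)) / len(xs)


def robust_accuracy(w, b, xs, ys, eps):
    """Accuracy against the exact L_inf worst case of radius eps."""
    return accuracy(w, b, fgsm_inputs(w, xs, ys, eps), ys)


def linf_margin(w, b, x, y):
    """Smallest L_inf input change that flips a linear model's prediction."""
    return y * (_dot(w, x) + b) / sum(abs(wi) for wi in w)


if __name__ == "__main__":
    for m in ("plain", "sam", "at"):
        w, b = train(m)
        print(f"{m:5s} w=({w[0]:.2f}, {w[1]:.2f})  clean={accuracy(w, b, XS, YS):.2f}  "
              f"robust(eps=0.3)={robust_accuracy(w, b, XS, YS, 0.3):.2f}")
```

The two perturbation helpers are the whole difference between the methods: `sam_perturbation` returns a weight-space vector of norm exactly rho, while `fgsm_inputs` returns inputs shifted by exactly eps in every coordinate where the weight is nonzero. `linf_margin` gives the certified L_inf radius of each training point for a linear model, which is the quantity AT's eps trades clean accuracy against and which SAM does not target directly.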