Interpreting Adversarial Robustness: A View from Decision Surface in Input Space

TL;DR

This paper challenges the traditional view that flat minima in parameter space lead to good generalization, instead highlighting the importance of decision surface geometry in input space for adversarial robustness and proposing a new robustness indicator and training method.

Contribution

It introduces a novel perspective focusing on input space decision surface geometry, along with a robustness indicator and a training method that improves adversarial robustness without adversarial training.

Findings

Decision surface geometry in input space correlates with adversarial robustness.

The proposed indicator effectively evaluates intrinsic robustness.

The training method enhances robustness without adversarial examples.

Abstract

One popular hypothesis of neural network generalization is that the flat local minima of loss surface in parameter space leads to good generalization. However, we demonstrate that loss surface in parameter space has no obvious relationship with generalization, especially under adversarial settings. Through visualizing decision surfaces in both parameter space and input space, we instead show that the geometry property of decision surface in input space correlates well with the adversarial robustness. We then propose an adversarial robustness indicator, which can evaluate a neural network's intrinsic robustness property without testing its accuracy under adversarial attacks. Guided by it, we further propose our robust training method. Without involving adversarial training, our method could enhance network's intrinsic adversarial robustness against various adversarial attacks.