Generalizable Adversarial Training via Spectral Normalization

TL;DR

This paper introduces a spectral normalization technique to improve the robustness and generalization of deep neural networks against adversarial attacks, providing theoretical bounds and practical normalization methods.

Contribution

It extends margin loss to adversarial settings, bounds generalization error, and proposes an efficient spectral normalization method for convolutional layers.

Findings

Spectral normalization improves adversarial robustness across datasets.

Theoretical bounds link spectral normalization to generalization performance.

Empirical results show enhanced robustness with spectral normalization.

Abstract

Deep neural networks (DNNs) have set benchmarks on a wide array of supervised learning tasks. Trained DNNs, however, often lack robustness to minor adversarial perturbations to the input, which undermines their true practicality. Recent works have increased the robustness of DNNs by fitting networks using adversarially-perturbed training samples, but the improved performance can still be far below the performance seen in non-adversarial settings. A significant portion of this gap can be attributed to the decrease in generalization performance due to adversarial training. In this work, we extend the notion of margin loss to adversarial settings and bound the generalization error for DNNs trained under several well-known gradient-based attack schemes, motivating an effective regularization scheme based on spectral normalization of the DNN's weight matrices. We also provide a computationally-efficient method for normalizing the spectral norm of convolutional layers with arbitrary stride and padding schemes in deep convolutional networks. We evaluate the power of spectral normalization extensively on combinations of datasets, network architectures, and adversarial training schemes. The code is available at https://github.com/jessemzhang/dl_spectral_normalization.