Adversarial Defense via Local Flatness Regularization

TL;DR

This paper introduces a novel adversarial defense method called local flatness regularization (LFR), which improves robustness by controlling the loss surface's local flatness, supported by theoretical analysis and empirical validation.

Contribution

The paper proposes a new regularization technique based on local flatness of the loss surface to enhance adversarial robustness, with theoretical insights and experimental evidence.

Findings

LFR effectively reduces adversarial vulnerability.

LFR improves model robustness against attacks.

Theoretical analysis links LFR to existing methods.

Abstract

Adversarial defense is a popular and important research area. Due to its intrinsic mechanism, one of the most straightforward and effective ways of defending attacks is to analyze the property of loss surface in the input space. In this paper, we define the local flatness of the loss surface as the maximum value of the chosen norm of the gradient regarding to the input within a neighborhood centered on the benign sample, and discuss the relationship between the local flatness and adversarial vulnerability. Based on the analysis, we propose a novel defense approach via regularizing the local flatness, dubbed local flatness regularization (LFR). We also demonstrate the effectiveness of the proposed method from other perspectives, such as human visual mechanism, and analyze the relationship between LFR and other related methods theoretically. Experiments are conducted to verify our theory and demonstrate the superiority of the proposed method.