How do SGD hyperparameters in natural training affect adversarial robustness?

TL;DR

This paper investigates how SGD hyperparameters like learning rate, batch size, and momentum influence both the accuracy and adversarial robustness of neural networks, revealing that certain configurations maintain robustness across batch sizes.

Contribution

It provides empirical insights into the effects of SGD hyperparameters on adversarial robustness, especially highlighting the role of momentum and learning rate to batch size ratio.

Findings

Constant learning rate to batch size ratio maintains robustness across batch sizes.

Momentum enhances robustness more effectively with varying batch sizes.

Robustness remains stable when training with fixed learning rate to batch size ratio.

Abstract

Learning rate, batch size and momentum are three important hyperparameters in the SGD algorithm. It is known from the work of Jastrzebski et al. arXiv:1711.04623 that large batch size training of neural networks yields models which do not generalize well. Yao et al. arXiv:1802.08241 observe that large batch training yields models that have poor adversarial robustness. In the same paper, the authors train models with different batch sizes and compute the eigenvalues of the Hessian of loss function. They observe that as the batch size increases, the dominant eigenvalues of the Hessian become larger. They also show that both adversarial training and small-batch training leads to a drop in the dominant eigenvalues of the Hessian or lowering its spectrum. They combine adversarial training and second order information to come up with a new large-batch training algorithm and obtain robust models with good generalization. In this paper, we empirically observe the effect of the SGD hyperparameters on the accuracy and adversarial robustness of networks trained with unperturbed samples. Jastrzebski et al. considered training models with a fixed learning rate to batch size ratio. They observed that higher the ratio, better is the generalization. We observe that networks trained with constant learning rate to batch size ratio, as proposed in Jastrzebski et al., yield models which generalize well and also have almost constant adversarial robustness, independent of the batch size. We observe that momentum is more effective with varying batch sizes and a fixed learning rate than with constant learning rate to batch size ratio based SGD training.