Second Order Optimization for Adversarial Robustness and Interpretability

TL;DR

This paper introduces a second order regularizer for adversarial training that improves robustness and interpretability of neural networks more efficiently than existing methods, by leveraging curvature information.

Contribution

It proposes a novel second order regularizer based on quadratic approximation of adversarial loss, achieving stronger robustness with lower computational cost.

Findings

Single iteration regularizer outperforms prior methods in robustness.

Method achieves comparable robustness to adversarial training with less training time.

Produces more human-interpretable features than other geometric regularization techniques.

Abstract

Deep neural networks are easily fooled by small perturbations known as adversarial attacks. Adversarial Training (AT) is a technique aimed at learning features robust to such attacks and is widely regarded as a very effective defense. However, the computational cost of such training can be prohibitive as the network size and input dimensions grow. Inspired by the relationship between robustness and curvature, we propose a novel regularizer which incorporates first and second order information via a quadratic approximation to the adversarial loss. The worst case quadratic loss is approximated via an iterative scheme. It is shown that using only a single iteration in our regularizer achieves stronger robustness than prior gradient and curvature regularization schemes, avoids gradient obfuscation, and, with additional iterations, achieves strong robustness with significantly lower training time than AT. Further, it retains the interesting facet of AT that networks learn features which are well-aligned with human perception. We demonstrate experimentally that our method produces higher quality human-interpretable features than other geometric regularization techniques. These robust features are then used to provide human-friendly explanations to model predictions.