Relating Adversarially Robust Generalization to Flat Minima

TL;DR

This paper investigates the link between adversarial robustness and flat minima in the loss landscape, showing that flatter minima correlate with better robust generalization and that early stopping can find such minima.

Contribution

It introduces scale-invariant flatness metrics for robust loss landscapes and demonstrates their correlation with robust generalization across various adversarial training methods.

Findings

Flatter minima are associated with improved adversarial robustness.

Early stopping tends to find flatter minima during training.

Multiple regularization techniques also lead to flatter minima and better robustness.

Abstract

Adversarial training (AT) has become the de-facto standard to obtain models robust against adversarial examples. However, AT exhibits severe robust overfitting: cross-entropy loss on adversarial examples, so-called robust loss, decreases continuously on training examples, while eventually increasing on test examples. In practice, this leads to poor robust generalization, i.e., adversarial robustness does not generalize well to new examples. In this paper, we study the relationship between robust generalization and flatness of the robust loss landscape in weight space, i.e., whether robust loss changes significantly when perturbing weights. To this end, we propose average- and worst-case metrics to measure flatness in the robust loss landscape and show a correlation between good robust generalization and flatness. For example, throughout training, flatness reduces significantly during overfitting such that early stopping effectively finds flatter minima in the robust loss landscape. Similarly, AT variants achieving higher adversarial robustness also correspond to flatter minima. This holds for many popular choices, e.g., AT-AWP, TRADES, MART, AT with self-supervision or additional unlabeled examples, as well as simple regularization techniques, e.g., AutoAugment, weight decay or label noise. For fair comparison across these approaches, our flatness measures are specifically designed to be scale-invariant and we conduct extensive experiments to validate our findings.