Adversarial Robustness through the Lens of Convolutional Filters

TL;DR

This paper investigates how adversarial training affects convolutional filters in deep learning models, revealing that robust models develop more diverse and orthogonal filters, especially in early layers, which help mitigate input perturbations.

Contribution

It provides a detailed analysis of convolutional filters in adversarially-trained models, highlighting differences from standard models across architectures and layers.

Findings

Robust models have more diverse, less sparse, and more orthogonal filters.

Largest differences are in the deepest layers and the first convolution layer.

First layer filters can partially eliminate input perturbations.

Abstract

Deep learning models are intrinsically sensitive to distribution shifts in the input data. In particular, small, barely perceivable perturbations to the input data can force models to make wrong predictions with high confidence. An common defense mechanism is regularization through adversarial training which injects worst-case perturbations back into training to strengthen the decision boundaries, and to reduce overfitting. In this context, we perform an investigation of 3x3 convolution filters that form in adversarially-trained models. Filters are extracted from 71 public models of the linf-RobustBench CIFAR-10/100 and ImageNet1k leaderboard and compared to filters extracted from models built on the same architectures but trained without robust regularization. We observe that adversarially-robust models appear to form more diverse, less sparse, and more orthogonal convolution filters than their normal counterparts. The largest differences between robust and normal models are found in the deepest layers, and the very first convolution layer, which consistently and predominantly forms filters that can partially eliminate perturbations, irrespective of the architecture. Data & Project website: https://github.com/paulgavrikov/cvpr22w_RobustnessThroughTheLens