Improving Robust Generalization by Direct PAC-Bayesian Bound Minimization

TL;DR

This paper introduces a novel regularization method based on a robust PAC-Bayesian bound, which improves adversarial robustness of Vision Transformers with less computational cost by directly minimizing the bound.

Contribution

It proposes a new approach to robust generalization by directly minimizing a robust PAC-Bayesian bound using a Trace of Hessian regularizer, connecting theory with practical robustness improvements.

Findings

TrH regularization improves ViT robustness on CIFAR-10/100 and ImageNet.

The method matches or surpasses state-of-the-art robustness algorithms.

It requires less memory and computational cost than existing approaches.

Abstract

Recent research in robust optimization has shown an overfitting-like phenomenon in which models trained against adversarial attacks exhibit higher robustness on the training set compared to the test set. Although previous work provided theoretical explanations for this phenomenon using a robust PAC-Bayesian bound over the adversarial test error, related algorithmic derivations are at best only loosely connected to this bound, which implies that there is still a gap between their empirical success and our understanding of adversarial robustness theory. To close this gap, in this paper we consider a different form of the robust PAC-Bayesian bound and directly minimize it with respect to the model posterior. The derivation of the optimal solution connects PAC-Bayesian learning to the geometry of the robust loss surface through a Trace of Hessian (TrH) regularizer that measures the surface flatness. In practice, we restrict the TrH regularizer to the top layer only, which results in an analytical solution to the bound whose computational cost does not depend on the network depth. Finally, we evaluate our TrH regularization approach over CIFAR-10/100 and ImageNet using Vision Transformers (ViT) and compare against baseline adversarial robustness algorithms. Experimental results show that TrH regularization leads to improved ViT robustness that either matches or surpasses previous state-of-the-art approaches while at the same time requires less memory and computational cost.