IB-RAR: Information Bottleneck as Regularizer for Adversarial Robustness
Xiaoyun Xu, Guilherme Perin, Stjepan Picek

TL;DR
This paper introduces IB-RAR, a method that uses the Information Bottleneck principle to enhance adversarial robustness in neural networks, improving accuracy against adversarial attacks for adversarially trained models and strengthening models trained without adversarial training.
Contribution
It applies the Information Bottleneck as a regularizer to improve adversarial robustness and demonstrates its effectiveness across different training methods and datasets.
Findings
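Improves accuracy by an average of 3.07% against five adversarial attacks on CIFAR-10 with VGG16, trained with three adversarial training benchmarks.
Enhances the robustness of models trained without adversarial training.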
Achieves 35.86% accuracy against PGD without adversarial training.
Abstract
In this paper, we propose a novel method, IB-RAR, which uses Information Bottleneck (IB) to strengthen adversarial robustness for both adversarial training and non-adversarial-trained methods. We first use the IB theory to build regularizers as learning objectives in the loss function. Then, we filter out unnecessary features of intermediate representation according to their mutual information (MI) with labels, as the network trained with IB provides easily distinguishable MI for its features. Experimental results show that our method can be naturally combined with adversarial training and provides consistently better accuracy on new adversarial examples. Our method improves the accuracy by an average of 3.07% against five adversarial attacks for the VGG16 network, trained with three adversarial training benchmarks and the CIFAR-10 dataset. In addition, our method also provides good…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Advanced Neural Network Applications
