Going Further: Flatness at the Rescue of Early Stopping for Adversarial   Example Transferability

Martin Gubri; Maxime Cordy; Yves Le Traon

arXiv:2304.02688·cs.LG·February 21, 2024·1 cites

Going Further: Flatness at the Rescue of Early Stopping for Adversarial Example Transferability

Martin Gubri, Maxime Cordy, Yves Le Traon

PDF

Open Access 1 Repo

TL;DR

This paper investigates how flatness in the loss landscape, achieved through sharpness-aware minimization, enhances transferability of adversarial examples, surpassing early stopping methods and providing new insights into model robustness.

Contribution

It demonstrates that sharpness-aware minimizers, especially SAM, improve transferability of adversarial examples more effectively than early stopping, linking flatness to transferability.

Findings

01

SAM outperforms early stopping by up to 28.8 percentage points.

02

Flatness in the loss landscape correlates with higher transferability.

03

Sharpness-aware minimizers are competitive with and complementary to existing methods.

Abstract

Transferability is the property of adversarial examples to be misclassified by other models than the surrogate model for which they were crafted. Previous research has shown that early stopping the training of the surrogate model substantially increases transferability. A common hypothesis to explain this is that deep neural networks (DNNs) first learn robust features, which are more generic, thus a better surrogate. Then, at later epochs, DNNs learn non-robust features, which are more brittle, hence worst surrogate. First, we tend to refute this hypothesis, using transferability as a proxy for representation similarity. We then establish links between transferability and the exploration of the loss landscape in parameter space, focusing on sharpness, which is affected by early stopping. This leads us to evaluate surrogate models trained with seven minimizers that minimize both loss…

Peer Reviews

No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.

Code & Models

Repositories

framartin/rfn-flatness-transferability
noneOfficial

Videos

No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.

Taxonomy

TopicsIntegrated Circuits and Semiconductor Failure Analysis · VLSI and Analog Circuit Testing

MethodsSegment Anything Model · Early Stopping