Improving Generalization of Adversarial Training via Robust Critical Fine-Tuning

TL;DR

This paper introduces RiFT, a novel fine-tuning method that improves the generalization and out-of-distribution robustness of adversarially trained neural networks without sacrificing their adversarial robustness.

Contribution

RiFT leverages module robust criticality to identify non-robust-critical modules and fine-tunes them, enhancing model generalization and robustness.

Findings

Significantly improves generalization by around 1.5%.

Maintains or slightly enhances adversarial robustness.

Effective on multiple ResNet architectures and datasets.

Abstract

Deep neural networks are susceptible to adversarial examples, posing a significant security risk in critical applications. Adversarial Training (AT) is a well-established technique to enhance adversarial robustness, but it often comes at the cost of decreased generalization ability. This paper proposes Robustness Critical Fine-Tuning (RiFT), a novel approach to enhance generalization without compromising adversarial robustness. The core idea of RiFT is to exploit the redundant capacity for robustness by fine-tuning the adversarially trained model on its non-robust-critical module. To do so, we introduce module robust criticality (MRC), a measure that evaluates the significance of a given module to model robustness under worst-case weight perturbations. Using this measure, we identify the module with the lowest MRC value as the non-robust-critical module and fine-tune its weights to obtain fine-tuned weights. Subsequently, we linearly interpolate between the adversarially trained weights and fine-tuned weights to derive the optimal fine-tuned model weights. We demonstrate the efficacy of RiFT on ResNet18, ResNet34, and WideResNet34-10 models trained on CIFAR10, CIFAR100, and Tiny-ImageNet datasets. Our experiments show that \method can significantly improve both generalization and out-of-distribution robustness by around 1.5% while maintaining or even slightly enhancing adversarial robustness. Code is available at https://github.com/microsoft/robustlearn.