Understanding Robust Overfitting from the Feature Generalization Perspective

TL;DR

This paper investigates robust overfitting in adversarial training from a feature generalization perspective, identifying natural data as the main cause and proposing methods to mitigate it, thereby improving robustness.

Contribution

It introduces a novel feature generalization perspective on robust overfitting and proposes two methods to prevent feature degradation during adversarial training.

Findings

Natural data causes robust overfitting.

Proposed methods effectively mitigate overfitting.

Enhanced adversarial robustness demonstrated on benchmarks.

Abstract

Adversarial training (AT) constructs robust neural networks by incorporating adversarial perturbations into natural data. However, it is plagued by the issue of robust overfitting (RO), which severely damages the model's robustness. In this paper, we investigate RO from a novel feature generalization perspective. Specifically, we design factor ablation experiments to assess the respective impacts of natural data and adversarial perturbations on RO, identifying that the inducing factor of RO stems from natural data. Given that the only difference between adversarial and natural training lies in the inclusion of adversarial perturbations, we further hypothesize that adversarial perturbations degrade the generalization of features in natural data and verify this hypothesis through extensive experiments. Based on these findings, we provide a holistic view of RO from the feature generalization perspective and explain various empirical behaviors associated with RO. To examine our feature generalization perspective, we devise two representative methods, attack strength and data augmentation, to prevent the feature generalization degradation during AT. Extensive experiments conducted on benchmark datasets demonstrate that the proposed methods can effectively mitigate RO and enhance adversarial robustness.