Relationship Between Nonsmoothness in Adversarial Training, Constraints of Attacks, and Flatness in the Input Space

Adversarial training (AT) is a promising method to improve the robustness against adversarial attacks. However, its performance is not still satisfactory in practice compared with standard training. To reveal the cause of the difficulty of AT, we analyze the smoothness of the loss function in AT, which determines the training performance. We reveal that nonsmoothness is caused by the constraint of adversarial attacks and depends on the type of constraint. Specifically, the L-infinity constraint can cause nonsmoothness more than the L-2 constraint. In addition, we found an interesting property for AT: the flatter loss surface in the input space tends to have the less smooth adversarial loss surface in the parameter space. To confirm that the nonsmoothness causes the poor performance of AT, we theoretically and experimentally show that smooth adversarial loss by EntropySGD (EnSGD) improves the performance of AT.

Automated summary

Adversarial training is a method to improve against adversarial attacks, but it still lags behind standard training in practical performance. Our analysis reveals that the non-smoothness of the loss function in adversarial training is caused by the constraint of adversarial attacks, which is dependent on the type of constraint. Furthermore, we find that a flatter loss surface in the input space corresponds to a less smooth adversarial loss surface in the parameter space. We demonstrate that smooth adversarial loss achieved through EntropySGD improves the performance of adversarial training.