Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Understanding Generalization in Adversarial Training via the Bias-Variance Decomposition

Yaodong Yu, Zitong Yang, Edgar Dobriban, Jacob Steinhardt, Yi Ma

TL;DR

This paper investigates why adversarial training suffers a generalization gap on clean data by decomposing test risk into bias and variance across the adversarial perturbation radius $\varepsilon$. It discovers that bias increases monotonically with $\varepsilon$ and dominates risk, while variance is unimodal and peaks near the robust interpolation threshold, a pattern robust across datasets and defenses like randomized smoothing. These findings challenge explanations that predict monotone variance growth and demonstrate how bias-variance analysis can validate or refute conceptual models of adversarial training. The work also shows that reducing bias—via pre-training and unlabeled data—offers scalable routes to improve robustness, guiding future architecture and training strategy designs. Overall, the bias-variance lens provides two independent measurements to evaluate theories and suggests practical directions to narrow the adversarial generalization gap.

Abstract

Adversarially trained models exhibit a large generalization gap: they can interpolate the training set even for large perturbation radii, but at the cost of large test error on clean samples. To investigate this gap, we decompose the test risk into its bias and variance components and study their behavior as a function of adversarial training perturbation radii ($\varepsilon$). We find that the bias increases monotonically with $\varepsilon$ and is the dominant term in the risk. Meanwhile, the variance is unimodal as a function of $\varepsilon$, peaking near the interpolation threshold for the training set. This characteristic behavior occurs robustly across different datasets and also for other robust training procedures such as randomized smoothing. It thus provides a test for proposed explanations of the generalization gap. We find that some existing explanations fail this test--for instance, by predicting a monotonically increasing variance curve. This underscores the power of bias-variance decompositions in modern settings-by providing two measurements instead of one, they can rule out more explanations than test accuracy alone. We also show that bias and variance can provide useful guidance for scalably reducing the generalization gap, highlighting pre-training and unlabeled data as promising routes.

Understanding Generalization in Adversarial Training via the Bias-Variance Decomposition

TL;DR

This paper investigates why adversarial training suffers a generalization gap on clean data by decomposing test risk into bias and variance across the adversarial perturbation radius . It discovers that bias increases monotonically with and dominates risk, while variance is unimodal and peaks near the robust interpolation threshold, a pattern robust across datasets and defenses like randomized smoothing. These findings challenge explanations that predict monotone variance growth and demonstrate how bias-variance analysis can validate or refute conceptual models of adversarial training. The work also shows that reducing bias—via pre-training and unlabeled data—offers scalable routes to improve robustness, guiding future architecture and training strategy designs. Overall, the bias-variance lens provides two independent measurements to evaluate theories and suggests practical directions to narrow the adversarial generalization gap.

Abstract

Adversarially trained models exhibit a large generalization gap: they can interpolate the training set even for large perturbation radii, but at the cost of large test error on clean samples. To investigate this gap, we decompose the test risk into its bias and variance components and study their behavior as a function of adversarial training perturbation radii (). We find that the bias increases monotonically with and is the dominant term in the risk. Meanwhile, the variance is unimodal as a function of , peaking near the interpolation threshold for the training set. This characteristic behavior occurs robustly across different datasets and also for other robust training procedures such as randomized smoothing. It thus provides a test for proposed explanations of the generalization gap. We find that some existing explanations fail this test--for instance, by predicting a monotonically increasing variance curve. This underscores the power of bias-variance decompositions in modern settings-by providing two measurements instead of one, they can rule out more explanations than test accuracy alone. We also show that bias and variance can provide useful guidance for scalably reducing the generalization gap, highlighting pre-training and unlabeled data as promising routes.

Paper Structure

This paper contains 54 sections, 1 theorem, 24 equations, 21 figures, 1 table, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related work
  3. Robustness-accuracy tradeoff.
  4. Adversarially robust generalization.
  5. Adversarial defenses and attacks.
  6. Preliminary
  7. Standard training and adversarial training.
  8. Bias-variance decomposition.
  9. Estimation of bias and variance.
  10. Measuring Bias and Variance for Deep Neural Networks
  11. Adversarially Trained Models
  12. Experimental setup.
  13. Bias-variance behavior.
  14. Early stopping.
  15. Robustness checks.
  16. ...and 39 more sections

Key Result

Proposition 1

The variance for logistic regression defined in eqn:log_variance is non-negative, and equals 0 when the learned parameters $\hat{{\boldsymbol \theta}}_n$ is non-random.

Figures (21)

  • Figure 1: Measuring the performance for $\ell_{\infty}$-adversarial training (with increasing perturbation size) on the CIFAR10 dataset. Standard error means the error rate on clean samples, and robust error means the error rate on adversarially perturbed samples. The vertical dashed line corresponds to the robust training error of the adversarially trained model reaching $2\%$ (i.e., robust interpolation threshold). (Left) Evaluating the bias, variance, and risk for the $\ell_{\infty}$-adversarially trained model (WideResNet-28-10). (Right) Evaluating robust training error, and standard training/test error on the same model.
  • Figure 2: Measuring bias-variance for $\ell_{\infty}$-adversarial training (with increasing perturbation size) on the CIFAR10 / CIFAR100 / ImageNet10 dataset. The vertical dashed line corresponds to the robust training error of the adversarially trained model being larger than $2\%$ (i.e., robust interpolation threshold). (a) CIFAR100 dataset. (b) ImageNet10 dataset. (c) CIFAR10 dataset (evaluated on early stopped models).
  • Figure 3: Measuring bias/variance/risk and train/test error for randomized smoothing training and training on Gaussian-perturbed data on the CIFAR10 dataset using WRN-28-10, varying $\sigma^{2}$. (a) Results for randomized smoothing training, where the dashed line indicates the robust interpolation threshold. (b) Results for training on Gaussian-perturbed data.
  • Figure 4: (a) Visualization of decision boundaries of $\ell_{\infty}$ adversarially trained models on 2D box example. The training datasets are randomly sampled from the same data distribution. (b) Evaluating the bias, variance, and risk for the $\ell_{\infty}$-adversarial training (with increasing perturbation size) on the box dataset with dimension $d=2$ (left) and $d=20$ (right), and the dashed line indicates the robust interpolation threshold.
  • Figure 5: (a)(b): Bias, variance and training error for adversarial logistic regression with mixture of Gaussian (MoG) data. (c)(d): Bias, variance and training error for adversarial logistic regression with the robust feature distribution described in Eq. \ref{['eq:rob_fea_dist']}. For all four figures, the dashed line indicates robust interpolation threshold.
  • ...and 16 more figures

Theorems & Definitions (2)

  • Proposition 1: Non-Negativity of Logistic Variance
  • proof