Revisiting the Trade-off between Accuracy and Robustness via Weight Distribution of Filters
Xingxing Wei, Shiji Zhao, Bo Li
TL;DR
This work addresses the persistent trade-off between clean accuracy and adversarial robustness in deep networks. It shows that static networks inherently struggle to reconcile two distinct weight regimes induced by standard and adversarial training, and it theoretically links this to gradient-regularization effects. To overcome this, the authors propose AW-Net, a sample-wise dynamic network with a filter-level weight-variation mechanism and a multi-head adversarial router, stabilized by MixBN and trained end-to-end via MTARD. Empirically, AW-Net achieves superior Weighted Robust Accuracy across CIFAR-10/100 and Tiny-ImageNet, beating static and several dynamic baselines and exhibiting resilience to adaptive attacks. The approach offers a practical pathway to jointly improve accuracy and robustness by adapting weights to input characteristics rather than forcing a single, compromised weight configuration.
Abstract
Adversarial attacks have been proven to be potential threats to Deep Neural Networks (DNNs), and many methods have been proposed to defend against them. However, while robustness is enhanced, clean accuracy declines to a certain extent, implying that a trade-off exists between accuracy and robustness. In this paper, to address this trade-off problem, we theoretically explore the underlying reason for the difference in the filters' weight distributions between standard-trained and robust-trained models, and then argue that this is an intrinsic property of static neural networks, so it is difficult for them to fundamentally improve accuracy and adversarial robustness at the same time. Based on this analysis, we propose a sample-wise dynamic network architecture named Adversarial Weight-Varied Network (AW-Net), which handles clean and adversarial examples with a "divide and rule" weight strategy. The AW-Net adaptively adjusts the network's weights based on regulation signals generated by an adversarial router, which is directly influenced by the input sample. Benefiting from the dynamic network architecture, clean and adversarial examples can be processed with different network weights, which provides the potential to enhance both accuracy and adversarial robustness. A series of experiments demonstrates that our AW-Net is architecture-friendly in handling both clean and adversarial examples and achieves a better trade-off than state-of-the-art robust models.
