On the Duality Between Sharpness-Aware Minimization and Adversarial Training

Yihao Zhang, Hangzhou He, Jingyu Zhu, Huanran Chen, Yifei Wang, Zeming Wei

TL;DR

This paper investigates the duality between Sharpness-Aware Minimization (SAM) and Adversarial Training (AT) for robustness. By combining empirical evidence with a theoretical model, it shows that SAM can enhance adversarial robustness without sacrificing clean accuracy, and it analyzes how weight perturbations steer learning toward robust features. The authors derive a robust-feature weight framework in a simple binary model, showing SAM and AT both increase reliance on robust features but via different perturbation mechanisms and strengths. Extensive experiments across image classification, semantic segmentation, and text classification demonstrate SAM’s broad robustness gains, its competitiveness with AT, and the potential of using SAM as a lightweight substitute when accuracy on clean data is critical.

Abstract

Adversarial Training (AT), which adversarially perturbs the input samples during training, has been acknowledged as one of the most effective defenses against adversarial attacks, yet suffers from inevitably decreased clean accuracy. Instead of perturbing the samples, Sharpness-Aware Minimization (SAM) perturbs the model weights during training to find a flatter loss landscape and improve generalization. However, as SAM is designed for better clean accuracy, its effectiveness in enhancing adversarial robustness remains unexplored. In this work, considering the duality between SAM and AT, we investigate the adversarial robustness derived from SAM. Intriguingly, we find that using SAM alone can improve adversarial robustness. To understand this unexpected property of SAM, we first provide empirical and theoretical insights into how SAM can implicitly learn more robust features, and conduct comprehensive experiments to show that SAM can improve adversarial robustness notably without sacrificing any clean accuracy, shedding light on the potential of SAM to be a substitute for AT when accuracy comes at a higher priority. Code is available at https://github.com/weizeming/SAM_AT.
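The two perturbation mechanisms contrasted in the abstract, as an added example that is not taken from the paper or its repository: one training step of each method on a single-sample logistic regression, where the AT step perturbs the input inside an L∞ ball and the SAM step perturbs the weights inside an L2 ball before the gradient is taken. The linear model, the function names and the sample values are assumptions chosen for illustration.

```python
import math

def margin(w, x, y):
    return y * sum(wi * xi for wi, xi in zip(w, x))

def loss(w, x, y):
    """Logistic loss log(1 + exp(-y * w.x)) for a label y in {-1, +1}."""
    return math.log1p(math.exp(-margin(w, x, y)))

def grad_w(w, x, y):
    """Gradient of the logistic loss with respect to the weights."""
    coef = -y / (1.0 + math.exp(margin(w, x, y)))
    return [coef * xi for xi in x]

def worst_input(w, x, y, eps):
    """AT inner step: loss-maximizing input inside the L-inf ball of radius eps.
    For a linear model this is exact: move each coordinate against y * sign(w)."""
    sign = lambda v: (v > 0) - (v < 0)
    return [xi - eps * y * sign(wi) for xi, wi in zip(x, w)]

def worst_weights(w, x, y, rho):
    """SAM inner step: first-order ascent on the weights, L2 radius rho."""
    g = grad_w(w, x, y)
    norm = math.sqrt(sum(gi * gi for gi in g)) or 1.0  # avoid 0/0 at a stationary point
    return [wi + rho * gi / norm for wi, gi in zip(w, g)]

def at_step(w, x, y, lr, eps):
    """Descend on the gradient evaluated at the perturbed input."""
    g = grad_w(w, worst_input(w, x, y, eps), y)
    return [wi - lr * gi for wi, gi in zip(w, g)]

def sam_step(w, x, y, lr, rho):
    """Descend on the gradient evaluated at the perturbed weights,
    but apply the update to the original weights."""
    g = grad_w(worst_weights(w, x, y, rho), x, y)
    return [wi - lr * gi for wi, gi in zip(w, g)]

if __name__ == "__main__":
    w, x, y = [0.5, -0.3], [1.0, 2.0], 1  # constructed sample values
    print("clean loss    ", loss(w, x, y))
    print("AT inner loss ", loss(w, worst_input(w, x, y, 0.1), y))
    print("SAM inner loss", loss(worst_weights(w, x, y, 0.1), x, y))
    print("AT update     ", at_step(w, x, y, 0.1, 0.1))
    print("SAM update    ", sam_step(w, x, y, 0.1, 0.1))
```

With `eps=0` or `rho=0` both steps reduce to plain gradient descent, which makes the perturbation radius the only difference between standard training and either method in this sketch.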

Paper Structure

This paper contains 26 sections, 6 theorems, 48 equations, 13 tables.

Key Result

Theorem 4.1

The robust accuracy ($R_A$) of this model, defined as is a monotonic increasing function of $W_R$ under condition $\epsilon<\eta$ and $0<W_R<W_R^{AT}$ (defined in (AT)).

Theorems & Definitions (11)

  • Theorem 4.1
  • Theorem 4.2: Standard training
  • Theorem 4.3: Adversarial training
  • Theorem 4.4: Sharpness-aware minimization
  • Theorem 4.5
  • Theorem 4.6
  • proof
  • proof
  • proof
  • proof
  • ...and 1 more