Towards Understanding Dual BN In Hybrid Adversarial Training

TL;DR

A two-task hypothesis is proposed which serves as the empirical foundation and a unified framework for Hybrid-AT improvement and it is revealed that disentangling statistics plays a less role than disentangling affine parameters in model training.

Abstract

There is a growing concern about applying batch normalization (BN) in adversarial training (AT), especially when the model is trained on both adversarial samples and clean samples (termed Hybrid-AT). With the assumption that adversarial and clean samples are from two different domains, a common practice in prior works is to adopt Dual BN, where BN and BN are used for adversarial and clean branches, respectively. A popular belief for motivating Dual BN is that estimating normalization statistics of this mixture distribution is challenging and thus disentangling it for normalization achieves stronger robustness. In contrast to this belief, we reveal that disentangling statistics plays a less role than disentangling affine parameters in model training. This finding aligns with prior work (Rebuffi et al., 2023), and we build upon their research for further investigations. We demonstrate that the domain gap between adversarial and clean samples is not very large, which is counter-intuitive considering the significant influence of adversarial perturbation on the model accuracy. We further propose a two-task hypothesis which serves as the empirical foundation and a unified framework for Hybrid-AT improvement. We also investigate Dual BN in test-time and reveal that affine parameters characterize the robustness during inference. Overall, our work sheds new light on understanding the mechanism of Dual BN in Hybrid-AT and its underlying justification.

Figures (6)

• Figure 1: Clean accuracy and robustness (PGD10 Accuracy) of Cross-AT during training. In Cross-AT, the adversarial samples are normalized by the BN statistics calculated by clean samples. Interestingly, Cross-AT yield comparable robustness to original Self-BN(BN$_{adv}$).
• Figure 2: Cross-AT: Replacing BN$_{adv}$ with BN$_{clean}$ in the adversarial branch. The adversarial samples are normalized by the BN statistics calculated by clean samples.
• Figure 3: Illustration of different BN setups for untwining NS and AP in Dual BN of Hybrid-AT.
• Figure 4: Visualization of normalization statistics (NS) by randomly choosing 20 channels and displaying the NS calculated with different APs. The superscript and subscript of NS refer to the AP and input images when calculating NS, respectively. For example, NS$_{clean}^{adv}$ is computed on clean samples with AP$_{adv}$. NSs calculated by the same AP are close to each other, such as NS$_{adv}^{adv}$ and NS$_{clean}^{adv}$ calculated by AP$_{adv}$, so is similar NS$_{clean}^{clean}$ and NS$_{adv}^{clean}$ calculated by AP$_{clean}$.
• Figure 5: Visualization of affine parameters (AP). Randomly chose 20 channels for visualizing AP$_{clean}$ and AP$_{adv}$. There exists a gap between AP$_{clean}$ and AP$_{adv}$.