Understanding Adversarial Training with Energy-based Models

Mujtaba Hussain Mirza, Maria Rosaria Briglia, Filippo Bartolucci, Senad Beadini, Giuseppe Lisanti, Iacopo Masi

TL;DR

The paper reframes adversarial training through energy-based modeling to diagnose and mitigate overfitting phenomena in robust classifiers. By analyzing energies of natural and adversarial samples, it identifies distinctive energy dynamics associated with catastrophic overfitting and robust overfitting, and introduces Delta Energy Regularizer (DER) to smooth the energy landscape, effectively reducing both CO and RO. It also links AT dynamics to the generative capabilities of robust classifiers, proposing energy-guided, local-subspace initialization to enhance sample diversity while maintaining quality. Overall, the work offers a principled, energy-centric understanding of AT and demonstrates practical gains in robustness and competitive generation quality with minimal changes to training protocols.

Abstract

We aim to use the Energy-based Model (EBM) framework to better understand adversarial training (AT) in classifiers, and additionally to analyze the intrinsic generative capabilities of robust classifiers. By viewing standard classifiers through an energy lens, we begin by analyzing how the energies of adversarial examples, generated by various attacks, differ from those of the natural samples. The central focus of our work is to understand the critical phenomena of Catastrophic Overfitting (CO) and Robust Overfitting (RO) in AT from an energy perspective. We analyze the impact of existing AT approaches on the energy of samples during training and observe that the behavior of the "delta energy" -- the change in energy between the original sample and its adversarial counterpart -- diverges significantly when CO or RO occurs. After a thorough analysis of these energy dynamics and their relationship with overfitting, we propose a novel regularizer, the Delta Energy Regularizer (DER), designed to smooth the energy landscape during training. We demonstrate that DER is effective in mitigating both CO and RO across multiple benchmarks. We further show that robust classifiers, when used as generative models, have limits in handling the trade-off between image quality and variability. We propose an improved technique based on a local class-wise principal component analysis (PCA) and energy-based guidance for better class-specific initialization and adaptive stopping, enhancing sample diversity and generation quality. Considering that we do not explicitly train for generative modeling, we achieve a competitive Inception Score (IS) and Fréchet inception distance (FID) compared to hybrid discriminative-generative models.

Paper Structure

This paper contains 28 sections, 11 equations, 10 figures, 6 tables.

Figures (10)

  • Figure 1: Analysis of $\Delta E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x}) \doteq E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x}) - E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x}^{\star})$, computed on the training set (green, right axis), and error (PGD) on test data (blue, left axis) for CIFAR-10 (left column) and CIFAR-100 (right column) across catastrophic overfitting and robust overfitting. The onset of CO or RO is indicated by the start of the unshaded region. (a) For RS-FGSM, $\Delta E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x})$ increases sharply after CO, aligning with a sudden rise in test error, highlighting the impact of CO on energy dynamics. (b) Comparison of $\Delta E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x})$ in SAT (exhibits RO) and TRADES. In SAT, $\Delta E_{{f}_{\boldsymbol{\theta}}}$ decreases with rising test error, while in TRADES, it stays near zero as test error keeps decreasing.
  • Figure 2: Marginal — $E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x})$ — and joint — $E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x},y)$ — energy distributions for natural and adversarial inputs (with $y$ as the ground-truth label), shown for CIFAR-10 (rows 1–2) and ImageNet (rows 3–4) under various untargeted and targeted (-T) attacks. For this analysis, we use non-robust models trained on CIFAR-10 and ImageNet respectively. All attacks are generated with an input deformation constraint of $\ell_{\infty} \leq \epsilon = 8/255$. indicates adversarial data, while indicates natural data.
  • Figure 3: Quiver plot illustrates the energy shift between the original and its corresponding adversarial sample. Each arrow, scaled for better visualization, originates from the base—representing $[E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x}), E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x},y)]$—and points to the tip—indicating $[E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x}^{\star}), E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x}^{\star}, y)]$. The arrow color encodes the Euclidean distance between these points, reflecting the intensity of energy change, also written as $\| [\Delta E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x}), \Delta E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x},y)] \|_2$. Results are shown for a subset of CIFAR-10 training data at different stages --- note the axes across figures have different ranges for clarity. The dashed black line represents zero cross-entropy, where $E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x}) = E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x},y)$. RS-FGSM is shown just before and after CO, while TRADES and SAT are shown at epochs 50, 80, and 100.
  • Figure 4: (a, b) Mean $\Delta E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x})$ values (left axis) and mean energy values for original samples $E_{{f}_{\boldsymbol{\theta}}}(\mathbf{x})$ (right axis) across training epochs for AAEs and NAEs, respectively. (c) The number of AAEs (left axis) and the distribution of their losses (right axis) are tracked over the course of training. The dashed line indicates the onset of CO and we compare RS-FGSM (which suffers from CO) and AAER. (d) Robust accuracy (PGD) on the test set (left axis) and number of AAEs (right axis) over training. (e) Quiver plot of AAEs generated when training with HE ($\lambda = 0.2$) at later epochs, showing high-energy, high-loss AAEs that do not lead to CO. All analyses are conducted on CIFAR-10.
  • Figure 5: Quiver plot now only showing all the AAEs present in the training set. For RS-FGSM, just before CO, AAEs appear at high energy levels with increased loss, deviating from the dashed line. In contrast, for methods that do not undergo CO, AAEs consistently exhibit low energy and loss.
  • ...and 5 more figures
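
The delta energy from the Figure 1 caption can be tracked per epoch as a training-time health signal. The sketch below is an added example, not code from the paper: it assumes the standard logits-as-energy convention, $E(\mathbf{x}) = -\log\sum_k \exp f(\mathbf{x})[k]$ and $E(\mathbf{x},y) = -f(\mathbf{x})[y]$, which matches the Figure 3 remark that zero cross-entropy is where the two energies coincide. The function names, the tolerance and the logits are constructed for illustration.

```python
import math

def marginal_energy(logits):
    # E(x) = -log sum_k exp(f(x)[k]); assumed convention, computed stably.
    m = max(logits)
    return -(m + math.log(sum(math.exp(z - m) for z in logits)))

def joint_energy(logits, y):
    # E(x, y) = -f(x)[y]; assumed convention.
    return -logits[y]

def cross_entropy(logits, y):
    # CE = E(x, y) - E(x), so CE is zero where the two energies coincide.
    return joint_energy(logits, y) - marginal_energy(logits)

def delta_energy(nat_logits, adv_logits):
    # Delta E(x) = E(x) - E(x*), with the sign used in the Figure 1 caption.
    return marginal_energy(nat_logits) - marginal_energy(adv_logits)

def epoch_means(epochs):
    # Mean Delta E over each epoch's (natural, adversarial) logit pairs.
    return [sum(delta_energy(n, a) for n, a in batch) / len(batch)
            for batch in epochs]

def first_divergence(means, tol):
    # First epoch whose mean Delta E leaves the near-zero band, else None.
    # tol is a hypothetical threshold, not a value from the paper.
    return next((i for i, v in enumerate(means) if abs(v) > tol), None)

# Constructed 3-class logits: the same two natural samples at every epoch,
# paired with adversarial logits that stay close for two epochs and then
# shift sharply, mimicking the jump in Delta E described for RS-FGSM.
NAT = [[2.0, 0.1, -1.0], [0.0, 3.0, 0.5]]
EPOCHS = [
    list(zip(NAT, [[1.9, 0.2, -1.0], [0.1, 2.9, 0.5]])),
    list(zip(NAT, [[2.1, 0.0, -1.0], [0.0, 3.1, 0.4]])),
    list(zip(NAT, [[6.0, 5.0, 1.0], [4.0, 7.0, 2.0]])),
]

if __name__ == "__main__":
    means = epoch_means(EPOCHS)
    for epoch, value in enumerate(means):
        print(f"epoch {epoch}: mean delta energy = {value:+.3f}")
    print("first divergent epoch:", first_divergence(means, tol=0.5))
```

The check uses the absolute value because the captions describe drift in both directions: a sharp increase after CO for RS-FGSM and a decrease under RO for SAT, with TRADES staying near zero.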