Relationship Between Nonsmoothness in Adversarial Training, Constraints of Attacks, and Flatness in the Input Space

Relationship Between Nonsmoothness in Adversarial Training, Constraints of Attacks, and Flatness in the Input Space

Adversarial training (AT) is a promising method to improve the robustness against adversarial attacks. However, its performance is not still satisfactory in practice compared with standard training. To reveal the cause of the difficulty of AT, we analyze the smoothness of the loss function in AT, wh...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:IEEE transaction on neural networks and learning systems 2024-08, Vol.35 (8), p.10817-10831
Hauptverfasser: Kanai, Sekitoshi, Yamada, Masanori, Takahashi, Hiroshi, Yamanaka, Yuki, Ida, Yasutoshi
Format: Artikel
Sprache:eng
Schlagworte:
Adversarial robustness
adversarial training (AT)
Convergence
Deep learning
deep neural network (DNN)
Linear programming
optimization
Robustness
Stability criteria
Training
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
container_end_page 10831
container_issue 8
container_start_page 10817
container_title IEEE transaction on neural networks and learning systems
container_volume 35
creator Kanai, Sekitoshi
Yamada, Masanori
Takahashi, Hiroshi
Yamanaka, Yuki
Ida, Yasutoshi
description Adversarial training (AT) is a promising method to improve the robustness against adversarial attacks. However, its performance is not still satisfactory in practice compared with standard training. To reveal the cause of the difficulty of AT, we analyze the smoothness of the loss function in AT, which determines the training performance. We reveal that nonsmoothness is caused by the constraint of adversarial attacks and depends on the type of constraint. Specifically, the L_{\infty} constraint can cause nonsmoothness more than the L_{2} constraint. In addition, we found an interesting property for AT: the flatter loss surface in the input space tends to have the less smooth adversarial loss surface in the parameter space . To confirm that the nonsmoothness causes the poor performance of AT, we theoretically and experimentally show that smooth adversarial loss by EntropySGD (EnSGD) improves the performance of AT.
doi_str_mv 10.1109/TNNLS.2023.3244172
format Article
fullrecord <record><control><sourceid>proquest_ieee_</sourceid><recordid>TN_cdi_proquest_miscellaneous_2798710948</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><ieee_id>10049380</ieee_id><sourcerecordid>2798710948</sourcerecordid><originalsourceid>FETCH-LOGICAL-c368t-8350c53af31151da9c33fb8713101799ebdbe2b18584b0181e87f05921d36e73</originalsourceid><addsrcrecordid>eNpNkMtOwzAQRS0Eoqj0BxBCXrJoix9JbC9LRaFSVSSaBbvISSbUkDghdkH8PSl9iNnMjHTuWVyErigZU0rUXbxcLlZjRhgfcxYEVLATdMFoxEaMS3l6vMVrDw2ceyfdRCSMAnWOelwQJiLFL5B7gVJ7U1u3Ng2-B_8NYPGy-6u69msLzmFj8ST_gtbp1ugSx6021ti3IZ52mN9-3uG6wBPvdfbhhljbHM867SHt14Dnttl4vGp0BpforNClg8F-91E8e4inT6PF8-N8OlmMMh5JP5I8JFnIdcEpDWmuVcZ5kUpBOSVUKAVpngJLqQxlkBIqKUhRkFAxmvMIBO-j2522aevPDTifVMZlUJbaQr1xCROqkxEVyA5lOzRra-daKJKmNZVufxJKkm3dyV_dybbuZF93F7rZ-zdpBfkxcii3A653gAGAf0YSKC4J_wXY7IRV</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>2798710948</pqid></control><display><type>article</type><title>Relationship Between Nonsmoothness in Adversarial Training, Constraints of Attacks, and Flatness in the Input Space</title><source>IEEE Electronic Library (IEL)</source><creator>Kanai, Sekitoshi ; Yamada, Masanori ; Takahashi, Hiroshi ; Yamanaka, Yuki ; Ida, Yasutoshi</creator><creatorcontrib>Kanai, Sekitoshi ; Yamada, Masanori ; Takahashi, Hiroshi ; Yamanaka, Yuki ; Ida, Yasutoshi</creatorcontrib><description><![CDATA[Adversarial training (AT) is a promising method to improve the robustness against adversarial attacks. However, its performance is not still satisfactory in practice compared with standard training. To reveal the cause of the difficulty of AT, we analyze the smoothness of the loss function in AT, which determines the training performance. We reveal that nonsmoothness is caused by the constraint of adversarial attacks and depends on the type of constraint. Specifically, the <inline-formula> <tex-math notation="LaTeX">L_{\infty} </tex-math></inline-formula> constraint can cause nonsmoothness more than the <inline-formula> <tex-math notation="LaTeX">L_{2} </tex-math></inline-formula> constraint. In addition, we found an interesting property for AT: the flatter loss surface in the input space tends to have the less smooth adversarial loss surface in the parameter space . To confirm that the nonsmoothness causes the poor performance of AT, we theoretically and experimentally show that smooth adversarial loss by EntropySGD (EnSGD) improves the performance of AT.]]></description><identifier>ISSN: 2162-237X</identifier><identifier>ISSN: 2162-2388</identifier><identifier>EISSN: 2162-2388</identifier><identifier>DOI: 10.1109/TNNLS.2023.3244172</identifier><identifier>PMID: 37027693</identifier><identifier>CODEN: ITNNAL</identifier><language>eng</language><publisher>United States: IEEE</publisher><subject>Adversarial robustness ; adversarial training (AT) ; Convergence ; Deep learning ; deep neural network (DNN) ; Linear programming ; optimization ; Robustness ; Stability criteria ; Training</subject><ispartof>IEEE transaction on neural networks and learning systems, 2024-08, Vol.35 (8), p.10817-10831</ispartof><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed><citedby>FETCH-LOGICAL-c368t-8350c53af31151da9c33fb8713101799ebdbe2b18584b0181e87f05921d36e73</citedby><cites>FETCH-LOGICAL-c368t-8350c53af31151da9c33fb8713101799ebdbe2b18584b0181e87f05921d36e73</cites><orcidid>0000-0001-5102-2830 ; 0000-0002-9527-1721 ; 0000-0003-4383-4454 ; 0000-0003-4279-9503</orcidid></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktohtml>$$Uhttps://ieeexplore.ieee.org/document/10049380$$EHTML$$P50$$Gieee$$Hfree_for_read</linktohtml><link.rule.ids>314,780,784,796,27924,27925,54758</link.rule.ids><backlink>$$Uhttps://www.ncbi.nlm.nih.gov/pubmed/37027693$$D View this record in MEDLINE/PubMed$$Hfree_for_read</backlink></links><search><creatorcontrib>Kanai, Sekitoshi</creatorcontrib><creatorcontrib>Yamada, Masanori</creatorcontrib><creatorcontrib>Takahashi, Hiroshi</creatorcontrib><creatorcontrib>Yamanaka, Yuki</creatorcontrib><creatorcontrib>Ida, Yasutoshi</creatorcontrib><title>Relationship Between Nonsmoothness in Adversarial Training, Constraints of Attacks, and Flatness in the Input Space</title><title>IEEE transaction on neural networks and learning systems</title><addtitle>TNNLS</addtitle><addtitle>IEEE Trans Neural Netw Learn Syst</addtitle><description><![CDATA[Adversarial training (AT) is a promising method to improve the robustness against adversarial attacks. However, its performance is not still satisfactory in practice compared with standard training. To reveal the cause of the difficulty of AT, we analyze the smoothness of the loss function in AT, which determines the training performance. We reveal that nonsmoothness is caused by the constraint of adversarial attacks and depends on the type of constraint. Specifically, the <inline-formula> <tex-math notation="LaTeX">L_{\infty} </tex-math></inline-formula> constraint can cause nonsmoothness more than the <inline-formula> <tex-math notation="LaTeX">L_{2} </tex-math></inline-formula> constraint. In addition, we found an interesting property for AT: the flatter loss surface in the input space tends to have the less smooth adversarial loss surface in the parameter space . To confirm that the nonsmoothness causes the poor performance of AT, we theoretically and experimentally show that smooth adversarial loss by EntropySGD (EnSGD) improves the performance of AT.]]></description><subject>Adversarial robustness</subject><subject>adversarial training (AT)</subject><subject>Convergence</subject><subject>Deep learning</subject><subject>deep neural network (DNN)</subject><subject>Linear programming</subject><subject>optimization</subject><subject>Robustness</subject><subject>Stability criteria</subject><subject>Training</subject><issn>2162-237X</issn><issn>2162-2388</issn><issn>2162-2388</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2024</creationdate><recordtype>article</recordtype><sourceid>ESBDL</sourceid><sourceid>RIE</sourceid><recordid>eNpNkMtOwzAQRS0Eoqj0BxBCXrJoix9JbC9LRaFSVSSaBbvISSbUkDghdkH8PSl9iNnMjHTuWVyErigZU0rUXbxcLlZjRhgfcxYEVLATdMFoxEaMS3l6vMVrDw2ceyfdRCSMAnWOelwQJiLFL5B7gVJ7U1u3Ng2-B_8NYPGy-6u69msLzmFj8ST_gtbp1ugSx6021ti3IZ52mN9-3uG6wBPvdfbhhljbHM867SHt14Dnttl4vGp0BpforNClg8F-91E8e4inT6PF8-N8OlmMMh5JP5I8JFnIdcEpDWmuVcZ5kUpBOSVUKAVpngJLqQxlkBIqKUhRkFAxmvMIBO-j2522aevPDTifVMZlUJbaQr1xCROqkxEVyA5lOzRra-daKJKmNZVufxJKkm3dyV_dybbuZF93F7rZ-zdpBfkxcii3A653gAGAf0YSKC4J_wXY7IRV</recordid><startdate>20240801</startdate><enddate>20240801</enddate><creator>Kanai, Sekitoshi</creator><creator>Yamada, Masanori</creator><creator>Takahashi, Hiroshi</creator><creator>Yamanaka, Yuki</creator><creator>Ida, Yasutoshi</creator><general>IEEE</general><scope>97E</scope><scope>ESBDL</scope><scope>RIA</scope><scope>RIE</scope><scope>NPM</scope><scope>AAYXX</scope><scope>CITATION</scope><scope>7X8</scope><orcidid>https://orcid.org/0000-0001-5102-2830</orcidid><orcidid>https://orcid.org/0000-0002-9527-1721</orcidid><orcidid>https://orcid.org/0000-0003-4383-4454</orcidid><orcidid>https://orcid.org/0000-0003-4279-9503</orcidid></search><sort><creationdate>20240801</creationdate><title>Relationship Between Nonsmoothness in Adversarial Training, Constraints of Attacks, and Flatness in the Input Space</title><author>Kanai, Sekitoshi ; Yamada, Masanori ; Takahashi, Hiroshi ; Yamanaka, Yuki ; Ida, Yasutoshi</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-c368t-8350c53af31151da9c33fb8713101799ebdbe2b18584b0181e87f05921d36e73</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2024</creationdate><topic>Adversarial robustness</topic><topic>adversarial training (AT)</topic><topic>Convergence</topic><topic>Deep learning</topic><topic>deep neural network (DNN)</topic><topic>Linear programming</topic><topic>optimization</topic><topic>Robustness</topic><topic>Stability criteria</topic><topic>Training</topic><toplevel>online_resources</toplevel><creatorcontrib>Kanai, Sekitoshi</creatorcontrib><creatorcontrib>Yamada, Masanori</creatorcontrib><creatorcontrib>Takahashi, Hiroshi</creatorcontrib><creatorcontrib>Yamanaka, Yuki</creatorcontrib><creatorcontrib>Ida, Yasutoshi</creatorcontrib><collection>IEEE All-Society Periodicals Package (ASPP) 2005-present</collection><collection>IEEE Open Access Journals</collection><collection>IEEE All-Society Periodicals Package (ASPP) 1998-Present</collection><collection>IEEE Electronic Library (IEL)</collection><collection>PubMed</collection><collection>CrossRef</collection><collection>MEDLINE - Academic</collection><jtitle>IEEE transaction on neural networks and learning systems</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Kanai, Sekitoshi</au><au>Yamada, Masanori</au><au>Takahashi, Hiroshi</au><au>Yamanaka, Yuki</au><au>Ida, Yasutoshi</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Relationship Between Nonsmoothness in Adversarial Training, Constraints of Attacks, and Flatness in the Input Space</atitle><jtitle>IEEE transaction on neural networks and learning systems</jtitle><stitle>TNNLS</stitle><addtitle>IEEE Trans Neural Netw Learn Syst</addtitle><date>2024-08-01</date><risdate>2024</risdate><volume>35</volume><issue>8</issue><spage>10817</spage><epage>10831</epage><pages>10817-10831</pages><issn>2162-237X</issn><issn>2162-2388</issn><eissn>2162-2388</eissn><coden>ITNNAL</coden><abstract><![CDATA[Adversarial training (AT) is a promising method to improve the robustness against adversarial attacks. However, its performance is not still satisfactory in practice compared with standard training. To reveal the cause of the difficulty of AT, we analyze the smoothness of the loss function in AT, which determines the training performance. We reveal that nonsmoothness is caused by the constraint of adversarial attacks and depends on the type of constraint. Specifically, the <inline-formula> <tex-math notation="LaTeX">L_{\infty} </tex-math></inline-formula> constraint can cause nonsmoothness more than the <inline-formula> <tex-math notation="LaTeX">L_{2} </tex-math></inline-formula> constraint. In addition, we found an interesting property for AT: the flatter loss surface in the input space tends to have the less smooth adversarial loss surface in the parameter space . To confirm that the nonsmoothness causes the poor performance of AT, we theoretically and experimentally show that smooth adversarial loss by EntropySGD (EnSGD) improves the performance of AT.]]></abstract><cop>United States</cop><pub>IEEE</pub><pmid>37027693</pmid><doi>10.1109/TNNLS.2023.3244172</doi><tpages>15</tpages><orcidid>https://orcid.org/0000-0001-5102-2830</orcidid><orcidid>https://orcid.org/0000-0002-9527-1721</orcidid><orcidid>https://orcid.org/0000-0003-4383-4454</orcidid><orcidid>https://orcid.org/0000-0003-4279-9503</orcidid><oa>free_for_read</oa></addata></record>
fulltext fulltext
identifier ISSN: 2162-237X
ispartof IEEE transaction on neural networks and learning systems, 2024-08, Vol.35 (8), p.10817-10831
issn 2162-237X
2162-2388
2162-2388
language eng
recordid cdi_proquest_miscellaneous_2798710948
source IEEE Electronic Library (IEL)
subjects Adversarial robustness
adversarial training (AT)
Convergence
Deep learning
deep neural network (DNN)
Linear programming
optimization
Robustness
Stability criteria
Training
title Relationship Between Nonsmoothness in Adversarial Training, Constraints of Attacks, and Flatness in the Input Space
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-26T15%3A02%3A53IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_ieee_&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Relationship%20Between%20Nonsmoothness%20in%20Adversarial%20Training,%20Constraints%20of%20Attacks,%20and%20Flatness%20in%20the%20Input%20Space&rft.jtitle=IEEE%20transaction%20on%20neural%20networks%20and%20learning%20systems&rft.au=Kanai,%20Sekitoshi&rft.date=2024-08-01&rft.volume=35&rft.issue=8&rft.spage=10817&rft.epage=10831&rft.pages=10817-10831&rft.issn=2162-237X&rft.eissn=2162-2388&rft.coden=ITNNAL&rft_id=info:doi/10.1109/TNNLS.2023.3244172&rft_dat=%3Cproquest_ieee_%3E2798710948%3C/proquest_ieee_%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2798710948&rft_id=info:pmid/37027693&rft_ieee_id=10049380&rfr_iscdi=true