Robustness via curvature regularization, and vice versa
This addresses the problem of adversarial robustness in machine learning models, offering a more efficient and principled alternative to adversarial training, though it is incremental in nature.
The paper tackles the vulnerability of state-of-the-art classifiers to adversarial perturbations by showing that adversarial training reduces the curvature of the loss surface, leading to more linear network behavior. It proposes a curvature regularization method that achieves adversarial robustness comparable to adversarial training, confirming the link between low curvature and robustness.
State-of-the-art classifiers have been shown to be largely vulnerable to adversarial perturbations. One of the most effective strategies to improve robustness is adversarial training. In this paper, we investigate the effect of adversarial training on the geometry of the classification landscape and decision boundaries. We show in particular that adversarial training leads to a significant decrease in the curvature of the loss surface with respect to inputs, leading to a drastically more "linear" behaviour of the network. Using a locally quadratic approximation, we provide theoretical evidence on the existence of a strong relation between large robustness and small curvature. To further show the importance of reduced curvature for improving the robustness, we propose a new regularizer that directly minimizes curvature of the loss surface, and leads to adversarial robustness that is on par with adversarial training. Besides being a more efficient and principled alternative to adversarial training, the proposed regularizer confirms our claims on the importance of exhibiting quasi-linear behavior in the vicinity of data points in order to achieve robustness.