Batch Normalization is a Cause of Adversarial Vulnerability
This addresses a critical security issue for machine learning practitioners by revealing a trade-off between training stability and adversarial robustness, with incremental implications for model design.
The paper tackles the problem of adversarial vulnerability in deep neural networks by identifying batch normalization as a cause, showing it reduces robustness to small adversarial perturbations by double-digit percentages on five standard datasets. The result demonstrates that substituting weight decay for batch normalization can nullify the relationship between vulnerability and input dimension.
Batch normalization (batch norm) is often used in an attempt to stabilize and accelerate training in deep neural networks. In many cases it indeed decreases the number of parameter updates required to achieve low training error. However, it also reduces robustness to small adversarial input perturbations and noise by double-digit percentages, as we show on five standard datasets. Furthermore, substituting weight decay for batch norm is sufficient to nullify the relationship between adversarial vulnerability and the input dimension. Our work is consistent with a mean-field analysis that found that batch norm causes exploding gradients.