CV, LG | Aug 25, 2020

Likelihood Landscapes: A Unifying Principle Behind Many Adversarial Defenses

arXiv:2008.11300v1 | 3 citations
Originality: Incremental advance
AI Analysis

This work provides a unifying principle for understanding adversarial defenses, which could help develop more robust models against adversarial attacks.

The paper investigates how adversarial defense techniques affect the geometry of likelihood landscapes in neural networks, finding that many defenses flatten these landscapes and proposing direct regularization for improved robustness.

Convolutional Neural Networks have been shown to be vulnerable to adversarial examples, which are known to locate in subspaces close to where normal data lies but are not naturally occurring and of low probability. In this work, we investigate the potential effect defense techniques have on the geometry of the likelihood landscape - likelihood of the input images under the trained model. We first propose a way to visualize the likelihood landscape leveraging an energy-based model interpretation of discriminative classifiers. Then we introduce a measure to quantify the flatness of the likelihood landscape. We observe that a subset of adversarial defense techniques results in a similar effect of flattening the likelihood landscape. We further explore directly regularizing towards a flat landscape for adversarial robustness.
