The Double-Edged Sword of Implicit Bias: Generalization vs. Robustness in ReLU Networks
This work addresses the trade-off between generalization and robustness in neural networks, which is a critical problem for machine learning practitioners seeking reliable models, though it is incremental in analyzing specific data settings.
The study investigates how the implicit bias of gradient flow in two-layer ReLU networks affects generalization and adversarial robustness, showing that it promotes good generalization but leads to high vulnerability to adversarial examples, even in overparameterized settings with many more parameters than training examples.
In this work, we study the implications of the implicit bias of gradient flow on generalization and adversarial robustness in ReLU networks. We focus on a setting where the data consists of clusters and the correlations between cluster means are small, and show that in two-layer ReLU networks gradient flow is biased towards solutions that generalize well, but are highly vulnerable to adversarial examples. Our results hold even in cases where the network has many more parameters than training examples. Despite the potential for harmful overfitting in such overparameterized settings, we prove that the implicit bias of gradient flow prevents it. However, the implicit bias also leads to non-robust solutions (susceptible to small adversarial $\ell_2$-perturbations), even though robust networks that fit the data exist.