LG, CV, ML | Apr 5, 2023

Going Further: Flatness at the Rescue of Early Stopping for Adversarial Example Transferability

arXiv:2304.02688v23 citations | h-index: 66
Originality: Highly original
AI Analysis

This work addresses the challenge of adversarial example transferability for improving security evaluations in machine learning, offering a novel approach that is competitive but incremental relative to existing techniques.

The paper tackles the problem of improving adversarial example transferability by challenging the hypothesis that early stopping works due to robust feature learning, and instead links transferability to loss landscape sharpness. The result shows that sharpness-aware minimizers, particularly SAM, outperform early stopping by up to 28.8 percentage points in transferability.

Transferability is the property of adversarial examples to be misclassified by other models than the surrogate model for which they were crafted. Previous research has shown that early stopping the training of the surrogate model substantially increases transferability. A common hypothesis to explain this is that deep neural networks (DNNs) first learn robust features, which are more generic, thus a better surrogate. Then, at later epochs, DNNs learn non-robust features, which are more brittle, hence a worse surrogate. First, we tend to refute this hypothesis, using transferability as a proxy for representation similarity. We then establish links between transferability and the exploration of the loss landscape in parameter space, focusing on sharpness, which is affected by early stopping. This leads us to evaluate surrogate models trained with seven minimizers that minimize both loss value and loss sharpness. Among them, SAM consistently outperforms early stopping by up to 28.8 percentage points. We discover that the strong SAM regularization from large flat neighborhoods tightly links to transferability. Finally, the best sharpness-aware minimizers prove competitive with other training methods and complement existing transferability techniques.

Code Implementations: 1 repo