Understanding Robust Overfitting from the Feature Generalization Perspective
This work addresses the problem of robust overfitting in adversarial training for machine learning practitioners, offering incremental improvements based on a novel feature generalization perspective.
The paper tackles robust overfitting in adversarial training by identifying that adversarial perturbations degrade feature generalization from natural data, and proposes methods like attack strength adjustment and data augmentation to mitigate this issue, achieving improved adversarial robustness on benchmark datasets.
Adversarial training (AT) constructs robust neural networks by incorporating adversarial perturbations into natural data. However, it is plagued by the issue of robust overfitting (RO), which severely damages the model's robustness. In this paper, we investigate RO from a novel feature generalization perspective. Specifically, we design factor ablation experiments to assess the respective impacts of natural data and adversarial perturbations on RO, identifying that the inducing factor of RO stems from natural data. Given that the only difference between adversarial and natural training lies in the inclusion of adversarial perturbations, we further hypothesize that adversarial perturbations degrade the generalization of features in natural data and verify this hypothesis through extensive experiments. Based on these findings, we provide a holistic view of RO from the feature generalization perspective and explain various empirical behaviors associated with RO. To examine our feature generalization perspective, we devise two representative methods, attack strength and data augmentation, to prevent the feature generalization degradation during AT. Extensive experiments conducted on benchmark datasets demonstrate that the proposed methods can effectively mitigate RO and enhance adversarial robustness.