Stability and Generalization in Free Adversarial Training

While deep neural networks (DNNs) have led to remarkable results in standard supervised learning tasks in computer vision and natural language processing, they are widely recognized to be susceptible to minor adversarially-designed perturbations to their input data commonly regarded as adversarial attacks [1, 2]. Adversarial examples are typically designed by finding the worst-case norm-constrained perturbation that leads to the maximum impact on the classification loss at an input data point. To combat norm-bounded adversarial attacks, adversarial training (AT) methods [3] which learn a DNN classifier using adversarially-perturbed training examples have been shown to significantly improve the robustness of a DNN against norm-bounded adversarial attacks. Several variants of AT methods have been developed in the machine learning community to accelerate and facilitate the application of AT algorithms to large-scale machine learning problems [4, 5]. While AT algorithms have achieved state-of-the-art robustness scores against standard norm-bounded adversarial attacks, the generalization gap between their performance on training and test data has been frequently observed to be significantly greater than the generalization error of DNNs learned by standard empirical risk minimization (ERM) [6, 7]. To understand the significant generalization gap in adversarial training, several theoretical and empirical studies have focused on the generalization properties of adversariallytrained models [8,9]. These studies have attempted to analyze the generalization error in learning adversariallyrobust models and reduce the generalization gap by applying explicit and implicit regularization techniques such as early stopping and Lipschitz regularization methods. Specifically, several recent works [10-12] have focused on the connections between the optimization and generalization behavior of adversarially-trained models.