Timezone: »

 
Poster
Do Wider Neural Networks Really Help Adversarial Robustness?
Boxi Wu · Jinghui Chen · Deng Cai · Xiaofei He · Quanquan Gu

Tue Dec 07 08:30 AM -- 10:00 AM (PST) @
in Poster Session 1 »

Adversarial training is a powerful type of defense against adversarial examples. Previous empirical results suggest that adversarial training requires wider networks for better performances. However, it remains elusive how does neural network width affect model robustness. In this paper, we carefully examine the relationship between network width and model robustness. Specifically, we show that the model robustness is closely related to the tradeoff between natural accuracy and perturbation stability, which is controlled by the robust regularization parameter λ. With the same λ, wider networks can achieve better natural accuracy but worse perturbation stability, leading to a potentially worse overall model robustness. To understand the origin of this phenomenon, we further relate the perturbation stability with the network's local Lipschitzness. By leveraging recent results on neural tangent kernels, we theoretically show that wider networks tend to have worse perturbation stability. Our analyses suggest that: 1) the common strategy of first fine-tuning λ on small networks and then directly use it for wide model training could lead to deteriorated model robustness; 2) one needs to properly enlarge λ to unleash the robustness potential of wider models fully. Finally, we propose a new Width Adjusted Regularization (WAR) method that adaptively enlarges λ on wide models and significantly saves the tuning time.

Keywords: Deep Learning · Robustness · Adversarial Robustness and Security

Author Information

Boxi Wu (Zhejiang University)
Jinghui Chen (University of Virginia)
Deng Cai (ZJU)
Xiaofei He (Zhejiang University)
Quanquan Gu (UCLA)

More from the Same Authors