Adversarial Defense Via Local Flatness Regularization
share
Adversarial defense is a popular and important research area. Due to its intrinsic mechanism, one of the most straightforward and effective ways is to analyze the property of loss surface in the input space. In this paper, we define the local flatness of the loss surface as the maximum value of the chosen norm of the gradient regarding to the input within a neighborhood centered at the sample, and discuss its relationship with adversarial vulnerability. Based on the analysis, we propose a new defense approach via regularizing the local flatness (LFR). We demonstrate the effectiveness of the proposed method also from other perspectives, such as human visual mechanism, and analyze the relationship between LFR and related methods theoretically. Experiments are conducted to verify our theory and demonstrate the superiority of the proposed method.
READ FULL TEXT