Adversarial Training Makes Weight Loss Landscape
Sharper in Logistic Regression

We consider a binary classification task with ${\bm{x}}\equiv(x_{1},\dots,x_{d})\in\mathbb{R}^{d}$ and $y\in\left\{-1,1\right\}$. A data point is represented as ${\bm{x}}^{n}$, where $n$ is the data index and its true label is $y^{n}$. A loss function of logistic regression is defined as

	$\displaystyle L\left(\bm{x},y,\bm{w}\right)$	$\displaystyle=\frac{1}{N}\sum_{n}\ell\left(\bm{x}^{n},y^{n},\bm{w}\right),$
	$\displaystyle\ell\left(\bm{x}^{n},y^{n},\bm{w}\right)$	$\displaystyle\equiv\log\left(1+\exp\left(-y^{n}\bm{w}\cdot\bm{x}^{n}\right)\right),$		(1)

where $N$ is the total number of data and ${\bm{w}}\equiv(w_{1},\dots,w_{d})\in\mathbb{R}^{d}$ is the training parameter of the model.

Adversarial example $\left({\bm{x}}^{\prime}\right)^{n}={\bm{x}}^{n}+{\bm{\eta}}^{n}$ is defined as

$\displaystyle\bm{\eta}^{n}=\underset{\bm{\eta}^{n}\in\mathbb{B}_{{\rm p}}\left(\bm{x}^{n},\varepsilon\right)}{{\rm argmax}}\ell\left(\bm{x}^{n}+\bm{\eta}^{n},y^{n},\bm{w}\right),$

(2)

where $\mathbb{B}_{\rm p}\left({\bm{x}}^{n},\varepsilon\right)$ is the region around ${\bm{x}}^{n}$ where the $L_{\rm{p}}$ norm is less than $\varepsilon$. Projected gradient decent (PGD) Madry et al. (2018), which is a powerful adversarial attack, uses multi-step search as

$\displaystyle\bm{x}^{n}\leftarrow\Pi_{\varepsilon}\left(\bm{x}^{n}+\lambda{\rm sign}\left(\frac{\partial}{\partial\bm{x}^{n}}\ell\left(\bm{x}^{n},y^{n},\bm{w}\right)\right)\right),$

(3)

where $\lambda$ is step size and $\Pi_{\varepsilon}$ is projection to constrained space. Recently, since PGD can be prevented by gradient obfuscation, auto attack Croce and Hein (2020), which tries various attacks, is used to more reliably evaluate robustness.

A promising way to defend the model against adversarial examples is adversarial training Goodfellow et al. (2015); Kurakin et al. (2017); Madry et al. (2018). Adversarial training learns the model with adversarial examples as

$\displaystyle\min_{{\bm{w}}}\frac{1}{N}\sum_{n}\max_{{\bm{\eta}}^{n}\in\mathbb{B}_{\rm p}\left({\bm{x}}^{n},\varepsilon\right)}\ell\left(\bm{x}^{n}+\bm{\eta}^{n},y^{n},\bm{w}\right).$

(4)

Since the adversarial training uses the information of the adversarial example, the adversarial training can improve the robustness of the model against the adversarial attack used for learning. In this paper, we describe models trained in standard training and adversarial training as clean and robust models, respectively.

Li et al. (2018) presented a filter normalization for visualizing the weight loss landscape. The filter normalization works for not only standard training but also for adversarial training Wu et al. (2020). The filter normalization with adversarial training visualizes the change of loss by adding noise to the weight as

$\displaystyle g\left(\alpha\right)=\max_{{\bm{\eta}}^{n}\in\mathbb{B}_{\rm p}\left({\bm{x}}^{n},\varepsilon\right)}\frac{1}{N}\sum_{n}\ell\left({\bm{x}}^{n}+{\bm{\eta}}^{n},y^{n},{\bm{w}}+\alpha{\bm{h}}\right),$

(5)

where $\alpha$ is the magnitude of noise and ${\bm{h}}\in\mathbb{R}^{d}$ is the direction of noise. The ${\bm{h}}$ is sampled from a Gaussian distribution and filter-wise normalized by

$\displaystyle{\bm{h}}^{\left(l,m\right)}\leftarrow\frac{{\bm{h}}^{\left(l,m\right)}}{\left\|{\bm{h}}^{\left(l,m\right)}\right\|_{{\rm F}}}\left\|{\bm{w}}^{\left(l,m\right)}\right\|_{{\rm F}},$

(6)

where ${\bm{h}}^{\left(l,m\right)}$ is the $m$-th filter at the $l$-th layer of ${\bm{h}}$ and $\left\|\cdot\right\|_{{\rm F}}$ is the Frobenius norm. We note that the Frobenius norm is equal to the $L_{\rm 2}$ norm in logistic regression because ${\bm{w}}$ can be regarded as $\bm{w}\in\mathbb{R}^{1\times d}$. This normalization is used to remove the scaling freedom of weights for avoiding the fake loss landscape Li et al. (2018). For instance, Dinh et al. (2017) exploit this scaling freedom of weights to build pairs of equivalent networks that have different apparent sharpnesses. The filter normalization absorbs the scaling freedom of the weights and enables the loss landscape to be visualized. The sharpness of the weight loss landscape strongly correlates with the generalization gap when this normalization is used Li et al. (2018). Moreover, the sharpness of the weight loss landscape on adversarial training strongly correlates with a robust generalization gap when this normalization is used Wu et al. (2020).

Several weight loss landscape sharpness/flatness definitions have been presented in the study of generalization performance and loss landscape sharpness in deep learning Hochreiter and Schmidhuber (1997); Keskar et al. (2017); Chaudhari et al. (2017). In this paper, we use the simple definition, which defines flatness as the eigenvalues of the Hessian matrix. This definition is presented in Keskar et al. (2017) and also used in Li et al. (2018). For clarifying the relationship between the weight loss landscape and the generalization gap, we use filter normalization with weights. In other words, the definition of weight loss landscape sharpness is the eigenvalue of $\frac{\partial^{2}L}{\partial{w}_{i}\partial{w}_{j}}$ with the normalized weights. The larger the eigenvalue becomes, the sharper the weight loss landscape becomes.

This section presents Theorem 1, which provides the relation between weight loss landscape and the norm of adversarial noise.

Let us prove Theorem 1. For the simple but special case of logistic regression, Eq. (2.1) can be written with adversarial noise $\eta_{i}^{n}$ and angle $\theta^{n}$ as

where $\left\|{\bm{w}}\right\|$ and $\left\|{\bm{\eta}}^{n}\right\|$ is the $L_{\rm 2}$ norm due to the inner product. Since an adversarial example must increase the loss, Lemma 1 shows $y^{n}\cos\theta^{n}=1$.

All the proofs of lemmas are provided in the supplementary material.

The gradient of loss with respect to weight $\frac{\partial L_{\eta}}{\partial\omega_{i}}$ is

$$\!\frac{1}{N}\!\sum_{n}\!\frac{\!\left(\!-y^{n}\!x_{i}^{n}\!+\!\frac{w_{i}}{\left\|\bm{w}\right\|}\!\left\|\!\bm{\eta}^{n}\!\right\|\!\right)\!\exp\!\left(\!-y^{n}\!\bm{w}\!\cdot\!\bm{x}^{n}\!+\left\|\bm{w}\right\|\left\|\bm{\eta}^{n}\!\right\|\!\right)}{\left(1+\exp\left(y^{n}\bm{w}\cdot\bm{x}^{n}-\left\|\bm{w}\right\|\left\|\bm{\eta}^{n}\right\|\right)\right)}.$$

(8)

An optimal weight ${\bm{w}}^{\ast}$ of $L_{\eta}$ for each point satisfies $\frac{w_{i}^{\ast}}{\left\|{\bm{w}}^{\ast}\right\|}=\frac{y^{n}x_{i}^{n}}{\left\|{\bm{\eta}}^{n}\right\|}$. Next, we consider the Hessian matrix of loss on an optimal weight. The $(i,j)$-th element of the Hessian matrix is obtained as

$\displaystyle\left.\frac{\partial^{2}L_{\eta}}{\partial\omega_{i}\partial\omega_{j}}\right|_{{\bm{w}}={\bm{w}}^{\ast}}=\frac{1}{2N}\sum_{n}\frac{\left\|{\bm{\eta}}^{n}\right\|}{\left\|{\bm{w}}^{\ast}\right\|}\left(\delta_{ij}-\frac{w_{i}^{\ast}w_{j}^{\ast}}{\left\|{\bm{w}}^{\ast}\right\|^{2}}\right).$

(9)

See the supplementary material for derivation. We consider the eigenvalues of the Hessian matrix. This matrix has a trivial eigenvector as

	$\displaystyle\sum_{j}\left(\delta_{ij}-\frac{w_{i}^{\ast}w_{j}^{\ast}}{\left\|{\bm{w}}^{\ast}\right\|^{2}}\right)v_{j}$	$\displaystyle=v_{i},$		(10)
	$\displaystyle\sum_{j}\left(\delta_{ij}-\frac{w_{i}^{\ast}w_{j}^{\ast}}{\left\|{\bm{w}}^{\ast}\right\|^{2}}\right)w_{j}$	$\displaystyle=0,$		(11)

where $v_{j}$ is the element of ${\bm{v}}$ which is an arbitrary vector orthogonal to ${\bm{w}}^{\ast}$. This matrix has eigenvalues $1$ and $0$. Since $\left(\delta_{ij}-\frac{w_{i}^{\ast}w_{j}^{\ast}}{\left\|{\bm{w}}^{\ast}\right\|^{2}}\right)\in\mathbb{R}^{d\times d}$ is positive-semidefinite, $\frac{1}{2N}\sum_{n}\frac{\left\|{\bm{\eta}}^{n}\right\|}{\left\|{\bm{w}}^{\ast}\right\|}$ determines the sharpness of the weight loss landscape. Let $\left\|{\bm{\eta}}_{a}\right\|\geq\left\|{\bm{\eta}}_{b}\right\|$ be an adversarial example for perturbation strength $\varepsilon_{a}\geq\varepsilon_{b}$. The optimal weights in adversarial training with $\left\|{\bm{\eta}}_{a}\right\|$ and $\left\|{\bm{\eta}}_{b}\right\|$ are ${\bm{w}}_{a}^{\ast}$ and ${\bm{w}}_{b}^{\ast}$. The relation between the eigenvalues is as in

$\displaystyle\frac{1}{2N}\sum_{n}\frac{\left\|{\bm{\eta}}_{a}\right\|}{\left\|{\bm{w}}_{a}^{\ast}\right\|}\geq\frac{1}{2N}\sum_{n}\frac{\left\|{\bm{\eta}}_{b}\right\|}{\left\|{\bm{w}}_{b}^{\ast}\right\|},$

(12)

since the filter normalization makes the scale of the weights the same $\left\|{\bm{w}}_{a}^{\ast}\right\|\approx\left\|{\bm{w}}_{b}^{\ast}\right\|$ (In particularly in the case of logistic regression, this is natural because $\left\|{\bm{w}}\right\|_{{\rm F}}=\left\|{\bm{w}}\right\|$). Therefore, Theorem 1 is proved from Eq. (12). Moreover, since the eigenvalues are never negative, the results of adversarial training are always convex, which is a natural result.

Prabhu et al. (2019) and Wu et al. (2020) experimentally studied the weight loss landscape in adversarial training. Wu et al. (2020) demonstrated that the model with a flatter weight loss landscape has a smaller generalization gap and presented the Adversarial Weight Perturbation (AWP), which consequently achieves a more robust accuracy Wu et al. (2020). Prabhu et al. (2019) reported that the robust model has a sharper loss landscape than the clean model. However, these studies did not theoretically analyze the weight loss landscape. Recently, Liu et al. (2020) theoretically analyzed the loss landscapes in the robust model. The main topic of Liu et al. (2020) is a discussion of Lipschitzian smoothness in adversarial training, and their supplementary material contains a theoretical analysis of the weight loss landscape in logistic regression. The difference between the analysis of Liu et al. (2020) and our analysis is that Liu et al. (2020) compared the weight loss landscape of different $x$ positions in the single model ($L\left({\bm{x}},y,{\bm{w}}\right)$ and $L\left({\bm{x}}+{\bm{\eta}},y,{\bm{w}}\right)$), while we compare the weight loss landscape of the different models trained with different magnitudes of adversarial noise ($L\left({\bm{x}}+{\bm{\eta}}_{a},y,{\bm{w}}^{\ast}_{a}\right)$ and $L\left({\bm{x}}+{\bm{\eta}}_{b},y,{\bm{w}}^{\ast}_{b}\right)$, where ${\bm{w}}^{\ast}_{a}$ and ${\bm{w}}^{\ast}_{a}$ mean each optimal weights). Also, Liu et al. (2020) used an approximation of the loss function as $L_{\eta}=\frac{1}{N}\sum_{n}y^{n}\log\left(1+\exp\left(-y^{n}{\bm{w}}\cdot{\bm{x}}^{n}+{\bm{\eta}}^{n}\right)\right)$ to simplify the problem. In contrast, we do not use an approximation of the loss function as Eq. (7). Liu et al. (2020) derived that since the logistic loss is a monotonically decreasing convex function, adding noise in the direction of increasing the loss must increase the gradient, which leads to a sharp weight loss landscape.

The relationship between weight loss landscape and generalization performance in deep learning has been theoretically and experimentally investigated Foret et al. (2020); Jiang et al. (2020); Keskar et al. (2017); Dinh et al. (2017). In a large experiment evaluating 40 complexity measures by Jiang et al. (2020), measures based on the weight loss landscape had the highest correlation with the generalization error, and the generalization performance becomes better as the weight loss landscape becomes flatter. For improving the generalization performance by flattening the weight loss landscape, several methods have been presented, such as operating on diffused loss landscape Mobahi (2016), local entropy regularization Chaudhari et al. (2017), and optimizer Sharpness-Aware Minimization (SAM) Foret et al. (2020), which searches for a flat weight loss landscape. In particular, since a recently presented SAM Foret et al. (2020) is an improvement of the optimizer, it can be adapted to various methods and achieved a strong experimental result that updated the state-of-the-art for many datasets including CIFAR10, CIFAR100, and ImageNet. Since the weight loss landscape becomes sharper, and the generalization gap becomes larger in adversarial training than in standard training, we believe that finding a flat solution is more important in adversarial training than in standard training.

We conducted experiments on image dataset MNIST LeCun et al. (1998), which is well known for its adversarial example settings. Since the linear logistic regression model did not perform well in classifying the two-class CIFAR10, we evaluated on MNIST. To experiment with logistic regression for binary classification, we created a two-class dataset MNIST2 from MNIST. We made MNIST2 using only MNIST class 0 and class 1. Figures 2 and 2 show the weight loss landscape with various noise magnitudes of the $L_{2}$ and $L_{\infty}$ norm in logistic regression. We can confirm that the weight loss landscape becomes sharp as the noise magnitude increases. For the sake of clarity, we have excluded the ranges with large $\varepsilon=\left\{\frac{25.5}{255},\frac{51}{255},\frac{76.5}{255}\right\}$ in $L_{\infty}$ from Fig. 2. The results for the large $\varepsilon=\left\{\frac{0}{255},\frac{25.5}{255},\frac{51}{255},\frac{76.5}{255}\right\}$ in $L_{\infty}$ norm, which is often used in the 10-class classification of MNIST, are included in the supplementary material. The results are similar: the larger the noise magnitude, the sharper the weight loss landscape. Table 1 also shows that the absolute value of the generalization gap is larger in adversarial training than in standard training ($\varepsilon=0$). The test robust accuracy is larger than the training accuracy because of early stopping in the test robust accuracy Rice et al. (2020), but we emphasize that the training accuracy and test accuracy diverge. In Table. 3, the relationship between the generalization gap and $\varepsilon$ is difficult to understand because the experiment was designed with a small noise to achieve training loss becomes zero. However, where $\varepsilon$ is a large range in Tab. 3, the absolute value of the generalization gap increases as $\varepsilon$ increases in the experiment.

In the more general case as multi-class classification using softmax with residual network He et al. (2016), we confirm that the weight loss landscape becomes sharper in adversarial training as well as logistic regression. We use ResNet18 He et al. (2016) with softmax in CIFAR10 and SVHN. Figure 4 shows the weight loss landscape in $\varepsilon=\left\{\frac{0}{255},\frac{4}{255},\frac{8}{255},\frac{12}{255},\frac{16}{255}\right\}$. We confirmed that the weight loss landscape becomes sharper as the noise magnitude of adversarial training becomes larger. Tables 5 and 6 also shows that the generalization gap becomes larger in most cases as the magnitude of noise becomes larger.