We propose a novel understanding of Sharpness-Aware Minimization (SAM) in the context of adversarial robustness. In this paper, we point out that both SAM and adversarial training (AT) can be viewed as specific feature perturbations, which improve adversarial robustness. However, we note that SAM and AT are distinct in terms of perturbation strength, leading to different accuracy and robustness trade-offs. We provide theoretical evidence for these claims in a simplified model with rigorous mathematical proofs. Furthermore, we conduct experiment to demonstrate that only utilizing SAM can achieve superior adversarial robustness compared to standard training, which is an unexpected benefit. As adversarial training can suffer from a decrease in clean accuracy, we show that using SAM alone can improve robustness without sacrificing clean accuracy. Code is available at https://github.com/weizeming/SAM_AT.

翻译：我们提出了一种关于锐度感知最小化（SAM）在对抗鲁棒性语境中的新颖理解。在本文中，我们指出SAM和对抗训练（AT）均可被视为特定的特征扰动，这些扰动能够提升对抗鲁棒性。然而，我们注意到SAM和AT在扰动强度上存在差异，从而导致不同的准确率与鲁棒性权衡。我们通过严谨的数学证明，在一个简化模型中为这些观点提供了理论依据。此外，我们通过实验证明，仅使用SAM即可实现比标准训练更优的对抗鲁棒性，这是一个意想不到的收益。鉴于对抗训练可能会降低干净样本准确率，我们表明单独使用SAM可以在不牺牲干净样本准确率的前提下提升鲁棒性。相关代码已开源在 https://github.com/weizeming/SAM_AT。