The robustness of a deep classifier can be characterized by its margins: the decision boundary's distances to natural data points. However, it is unclear whether existing robust training methods effectively increase the margin for each vulnerable point during training. To understand this, we propose a continuous-time framework for quantifying the relative speed of the decision boundary with respect to each individual point. Through visualizing the moving speed of the decision boundary under Adversarial Training, one of the most effective robust training algorithms, a surprising moving-behavior is revealed: the decision boundary moves away from some vulnerable points but simultaneously moves closer to others, decreasing their margins. To alleviate these conflicting dynamics of the decision boundary, we propose Dynamics-aware Robust Training (DyART), which encourages the decision boundary to engage in movement that prioritizes increasing smaller margins. In contrast to prior works, DyART directly operates on the margins rather than their indirect approximations, allowing for more targeted and effective robustness improvement. Experiments on the CIFAR-10 and Tiny-ImageNet datasets verify that DyART alleviates the conflicting dynamics of the decision boundary and obtains improved robustness under various perturbation sizes compared to the state-of-the-art defenses. Our code is available at https://github.com/Yuancheng-Xu/Dynamics-Aware-Robust-Training.
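A toy illustration of the conflicting dynamics described above, added here and not taken from the paper or its repository: one adversarial-training step on a 2-D linear classifier, where the margin has a closed form, raises the margin of two vulnerable points and lowers it for a third. The linear model, the three constructed points, `EPS` and `LR` are assumptions, and the margin change over one discrete step stands in for the continuous-time boundary speed.

```python
import math

# Constructed toy setup (assumption): a 2-D linear classifier f(x) = w.x + b,
# for which the margin has the closed form y * f(x) / ||w||.
EPS = 0.5   # L2 perturbation budget; points with margin < EPS are vulnerable
LR = 0.1    # step size
POINTS = [((0.2, 3.0), +1), ((0.4, -3.0), +1), ((-0.3, 0.0), -1)]

def margin(w, b, x, y):
    """Signed L2 distance from x to the boundary (positive = correct side)."""
    return y * (w[0] * x[0] + w[1] * x[1] + b) / math.hypot(*w)

def worst_case(w, x, y, eps=EPS):
    """Exact worst-case L2 adversarial example for a linear model."""
    n = math.hypot(*w)
    return (x[0] - eps * y * w[0] / n, x[1] - eps * y * w[1] / n)

def adversarial_step(w, b, points, lr=LR):
    """One full-batch gradient step on logistic loss at the adversarial points."""
    gw0 = gw1 = gb = 0.0
    for x, y in points:
        xa = worst_case(w, x, y)
        # s = sigmoid(-y * f(xa)): weight of this point in the gradient
        s = 1.0 / (1.0 + math.exp(y * (w[0] * xa[0] + w[1] * xa[1] + b)))
        gw0 -= y * s * xa[0]
        gw1 -= y * s * xa[1]
        gb -= y * s
    k = lr / len(points)
    return (w[0] - k * gw0, w[1] - k * gw1), b - k * gb

def margin_changes(w=(1.0, 0.0), b=0.0, points=POINTS):
    """Per-point margin before the step and its change after the step."""
    before = [margin(w, b, x, y) for x, y in points]
    w2, b2 = adversarial_step(w, b, points)
    after = [margin(w2, b2, x, y) for x, y in points]
    return before, [a - m for a, m in zip(after, before)]

if __name__ == "__main__":
    before, delta = margin_changes()
    for (x, y), m, d in zip(POINTS, before, delta):
        tag = "vulnerable" if m < EPS else "robust"
        print(f"x={x} y={y:+d} margin={m:.3f} ({tag}) change={d:+.4f}")
```
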