Deep neural networks are vulnerable to adversarial attacks. Recent studies of adversarial robustness focus on the loss landscape in the parameter space, since it is related to optimization and generalization performance. These studies conclude that the difficulty of adversarial training is caused by the non-smoothness of the loss function, i.e., its gradient is not Lipschitz continuous. However, this analysis ignores the dependence of adversarial attacks on model parameters. Since adversarial attacks are optimized for models, they should depend on the parameters. Taking this dependence into account, we analyze in more detail the smoothness of the adversarial training loss under the attacks that are optimal for the model parameters. We reveal that the constraint on adversarial attacks is one cause of the non-smoothness and that the smoothness depends on the type of constraint. Specifically, the $L_\infty$ constraint can cause non-smoothness more than the $L_2$ constraint. Moreover, our analysis implies that if we flatten the loss function with respect to input data, the Lipschitz constant of the gradient of the adversarial loss tends to increase. To address the non-smoothness, we show that EntropySGD smooths the non-smooth loss and improves the performance of adversarial training.
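The dependence of the optimal attack on the parameters can be seen on a toy case. The following is an added illustration, not code or analysis from the paper. It assumes a linear model with logistic loss, for which the optimal attack has a closed form, and measures how fast the gradient of the adversarial loss changes between two nearby parameters. All function names and sample values are constructed for this example.

```python
import math

def optimal_attack(w, y, eps, norm):
    """Closed-form maximizer of the logistic loss of a linear model over the eps-ball."""
    if norm == "linf":
        # delta* = -eps * y * sign(w): jumps whenever a weight changes sign
        return [-eps * y * math.copysign(1.0, wi) if wi != 0 else 0.0 for wi in w]
    # L2: delta* = -eps * y * w / ||w||_2, which varies continuously away from w = 0
    n = math.sqrt(sum(wi * wi for wi in w))
    return [-eps * y * wi / n for wi in w]

def adv_grad(w, x, y, eps, norm):
    """Gradient w.r.t. w of log(1 + exp(-y * w.(x + delta*(w)))), via Danskin's theorem."""
    d = optimal_attack(w, y, eps, norm)
    xa = [xi + di for xi, di in zip(x, d)]
    margin = y * sum(wi * xi for wi, xi in zip(w, xa))
    s = 1.0 / (1.0 + math.exp(margin))  # sigmoid(-margin)
    return [-s * y * xi for xi in xa]

def gradient_ratio(h, norm, eps=0.1):
    """||grad(w+) - grad(w-)|| / ||w+ - w-|| for parameters 2h apart across w_1 = 0."""
    x, y = [0.5, -0.3], 1  # constructed sample point and label
    w_plus, w_minus = [h, 1.0], [-h, 1.0]
    g_plus = adv_grad(w_plus, x, y, eps, norm)
    g_minus = adv_grad(w_minus, x, y, eps, norm)
    return math.dist(g_plus, g_minus) / math.dist(w_plus, w_minus)

if __name__ == "__main__":
    for h in (1e-2, 1e-4, 1e-6):
        print(f"h={h:g}  Linf ratio={gradient_ratio(h, 'linf'):.3g}  "
              f"L2 ratio={gradient_ratio(h, 'l2'):.3g}")
```

Under the $L_\infty$ constraint the ratio grows like $1/h$, so no finite Lipschitz constant bounds the gradient near a sign change of a weight, while under the $L_2$ constraint it stays bounded as long as the weights are away from zero.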