Sharpness-Aware Minimization (SAM) is an effective method for improving generalization ability by regularizing loss sharpness. In this paper, we explore SAM in the context of adversarial robustness. We find that using only SAM can achieve superior adversarial robustness without sacrificing clean accuracy compared to standard training, which is an unexpected benefit. We also discuss the relation between SAM and adversarial training (AT), a popular method for improving the adversarial robustness of DNNs. In particular, we show that SAM and AT differ in terms of perturbation strength, leading to different accuracy and robustness trade-offs. We provide theoretical evidence for these claims in a simplified model. Finally, while AT suffers from decreased clean accuracy and computational overhead, we suggest that SAM can be regarded as a lightweight substitute for AT under certain requirements. Code is available at https://github.com/weizeming/SAM_AT.

翻译：锐度感知最小化（Sharpness-Aware Minimization, SAM）是一种通过正则化损失锐度来提升泛化能力的有效方法。本文在对抗鲁棒性的背景下探索SAM的应用。我们发现，仅使用SAM即可在不牺牲干净准确率的情况下，实现比标准训练更优的对抗鲁棒性，这一结果出乎意料。我们还讨论了SAM与对抗训练（Adversarial Training, AT）——一种提升深度神经网络对抗鲁棒性的常用方法——之间的关系。具体而言，我们表明SAM与AT在扰动强度上存在差异，从而导致不同的准确率与鲁棒性权衡。我们通过一个简化模型为这些论断提供了理论证据。最后，尽管AT存在干净准确率下降和计算开销增加的问题，我们提出SAM在特定需求下可被视为AT的轻量级替代方案。代码已在https://github.com/weizeming/SAM_AT开源。