Deep neural networks are vulnerable to adversarial attacks. Recent studies of adversarial robustness focus on the loss landscape in the parameter space since it is related to optimization performance. These studies conclude that it is hard to optimize the loss function for adversarial training with respect to parameters because the loss function is not smooth: i.e., its gradient is not Lipschitz continuous. However, this analysis ignores the dependence of adversarial attacks on parameters. Since adversarial attacks are the worst noise for the models, they should depend on the parameters of the models. In this study, we analyze the smoothness of the loss function of adversarial training for binary linear classification and for general cases considering the dependence. We reveal that the Lipschitz continuity depends on the types of constraints of adversarial attacks in the binary linear classification. Specifically, under the L2 constraints, the adversarial loss is smooth except at zero. We extend the analysis to general cases and prove local smoothness in several cases. Our analysis reveals that the constraint of adversarial examples is a cause of the non-smoothness of adversarial loss. Moreover, we reveal the relation between the flatness of the loss function with respect to input data and the smoothness of the adversarial loss with respect to parameters. Our analysis implies that if we flatten the loss function with respect to input data, the smoothness of adversarial loss tends to decrease.
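A numerical illustration of the binary linear case, added here and not taken from the paper: it assumes logistic loss and the standard dual-norm closed form for the worst-case margin, y·wᵀx − ε‖w‖_q, and compares the L2 constraint with an L∞ constraint chosen for contrast. The function names and sample values are constructed for this example.

```python
import math

def adv_loss_grad(w, x, y, eps, norm):
    """Gradient in w of max_{||d||_p <= eps} log(1 + exp(-y * w.(x + d)))."""
    dot = sum(wi * xi for wi, xi in zip(w, x))
    if norm == "l2":                      # dual norm of L2 is L2
        n = math.sqrt(sum(wi * wi for wi in w))
        if n == 0.0:
            raise ValueError("L2 penalty is not differentiable at w = 0")
        pen, dpen = n, [wi / n for wi in w]
    elif norm == "linf":                  # dual norm of Linf is L1
        pen = sum(abs(wi) for wi in w)
        dpen = [math.copysign(1.0, wi) if wi != 0.0 else 0.0 for wi in w]
    else:
        raise ValueError("norm must be 'l2' or 'linf'")
    margin = y * dot - eps * pen          # margin under the worst-case attack
    s = -1.0 / (1.0 + math.exp(margin))   # derivative of log(1 + exp(-m)) in m
    return [s * (y * xi - eps * d) for xi, d in zip(x, dpen)]

def grad_jump(w, i, h, x, y, eps, norm):
    """Distance between the gradients at w[i] = +h and w[i] = -h.

    A smooth loss gives a jump that shrinks with h; a jump that stays
    bounded away from zero means the gradient is not Lipschitz there.
    """
    wp, wm = list(w), list(w)
    wp[i], wm[i] = h, -h
    gp = adv_loss_grad(wp, x, y, eps, norm)
    gm = adv_loss_grad(wm, x, y, eps, norm)
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(gp, gm)))

# Constructed sample: one data point, attack budget eps, step h.
X, Y, EPS, H = [0.5, -0.3], 1, 0.1, 1e-6

if __name__ == "__main__":
    # Crossing w[1] = 0 while w[0] = 1 (so w stays away from the origin).
    print("L2   jump away from 0:", grad_jump([1.0, 0.0], 1, H, X, Y, EPS, "l2"))
    print("Linf jump away from 0:", grad_jump([1.0, 0.0], 1, H, X, Y, EPS, "linf"))
    # Crossing the origin itself under the L2 constraint.
    print("L2   jump across w=0 :", grad_jump([0.0, 0.0], 0, H, X, Y, EPS, "l2"))
```

Under the L2 constraint the gradient jump vanishes with h unless the path crosses w = 0, while under L∞ it stays near 2ε times the loss derivative whenever a single coordinate changes sign.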