Support samples guided adversarial generalization

Abstract

Adversarial training proves to be the most effective measure to classify adversarial perturbation, which is imperceptible but can drastically alter the output of the classifier. We review various theories behind the relationship between generalization gap and adversarial robustness and then raise the question: is it the input near the decision boundary that provides guidance for the classifier to learn the ideal decision boundary and therefore yield a more desired outcome? We provide quantitative confirmation that the expected required sample size correlates favorably with sample distance and further investigate the relationship between the robust classification error and the expected distance from the decision boundary to samples. Experimental results reveal that applying the data near the decision boundary as training sets can significantly promote adversarial generalization, which keeps consistence with the main conjectures presented in this work.