Batch Normalization is a Cause of Adversarial VulnerabilityDownload PDF

Angus Galloway, Anna Golubeva, Thomas Tanay, Medhat Moussa, Graham W. Taylor

Published: 04 Jun 2019, Last Modified: 22 Oct 2023ICML Deep Phenomena 2019Readers: Everyone
Keywords: batch normalization, adversarial examples, robustness
TL;DR: Batch normalization reduces adversarial robustness, as well as general robustness in many cases, particularly to noise corruptions.
Abstract: Batch normalization (batch norm) is often used in an attempt to stabilize and accelerate training in deep neural networks. In many cases it indeed decreases the number of parameter updates required to achieve low training error. However, it also reduces robustness to small adversarial input perturbations and noise by double-digit percentages, as we show on five standard datasets. Furthermore, substituting weight decay for batch norm is sufficient to nullify the relationship between adversarial vulnerability and the input dimension. Our work is consistent with a mean-field analysis that found that batch norm causes exploding gradients.
Community Implementations: [![CatalyzeX](/images/catalyzex_icon.svg) 2 code implementations](https://www.catalyzex.com/paper/arxiv:1905.02161/code)
1 Reply