SpecFormer: Guarding Vision Transformer Robustness via Maximum Singular Value Penalization

In its current form, the paper has several weaknesses:

Major weaknesses:

• The proposed bound takes advantage of the global Liscphitz of the linear mapping operations in the self-attention layer. This results in a very loose bound that is quadratic in N, the Frobenius norm of the input and delta. The looseness of the bound is clear when $\delta_0 = 0$.
• The proposed regularization based on the bound is a simple spectral regularization. However, it is not clear how the bound is affected since the regularization only focuses on the maximum singular values of the weights. The norm of the inputs may actually grow across the different layers of the model to compensate for the decrease of the spectral norm of the weights.
• I believe that the resulting robustness is a simple case of obfuscated gradients as described in [1]: the model is not particularly more robust, it is the attacks that are less effective, especially with such weak attacks as FGSM or PGD-2 with 2/255 of the attack budget. This misunderstanding is clear from these two statements:

The proposition above suggests that when the maximum singular value of the weight matrices is small, the function fθ becomes less sensitive to input perturbations, which can significantly enhance adversarial robustness.

we can independently control the maximum singular values of these three weight matrices to imbue the model with adversarial robustness.

The robustness from Lipschitz continuity is an inherent trade-off between the Lipschitz and the margin of the classifier, as explicitly described in [2]. Reducing only the Lipschitz can have no impact on robustness if the margin is also reduced (which is often the case).

On the choice of the norm:

• The authors state: "The 2-norm is the most commonly used norm in Euclidean space". While the choice of the $\ell_2$ norm is perfectly reasonable, the $\ell_\infty$ norm is also highly studied in the adversarial robustness community. I would not say that the $\ell_2$ norm is "the most widely used norm".
• The authors state: "the sensitivity of a model to input perturbations is closely related to the 2-norm of the weight matrices". The sensitivity with respect to the $\ell_2$ norm is related to the 2-norm of the weight matrices, but one can still define the sensitivity with respect to any $\ell_p$ norm.
• The bound proposed in the paper is a bound on the local Lipschitz constant with respect to the $\ell_2$ norm. Therefore, it is not clear why the authors evaluate their approach against FGSM, which is a $\ell_\infty$ attack. It is also not clear whether the PGD attack used for the experiments is with respect to the $\ell_2$ or $\ell_\infty$ norm. A study of robustness against the linf norm can be done even though the proposed approach works for $\ell_2$, but mixing both $\ell_2$ and linf in the tables is confusing.

On the structure of the paper:

• In my opinion, the half page on page 4 on Lipschitz continuity could be condensed. Global Lipschitz and local Lipschitz are well-defined concepts in adversarial robustness.
• Theorem 4.2 is trivial and in my opinion not necessary.
• The whole section on power iteration is not necessary, the power method has been used many times in deep learning [2, 3, 4, 5, 6] and is a well-known concept. Also, the proof of convergence of the power iteration in the appendix doesn't seem to serve any clear purpose other than to fill space in the appendix. A reference to the relevant papers would suffice.
• Based on these comments, the authors could save space in the main paper and move Appendix D "Comparison with existing bounds" and the results on ImageNet to the main paper. Appendix D is interesting and would be better placed in the main paper.

[1] Athalye et al. Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples
[2] Tsuzuku et al. Lipschitz-Margin Training: Scalable Certification of Perturbation Invariance for Deep Neural Networks
[3] Farnia et al. Generalizable Adversarial Training via Spectral Normalization
[4] Meunier et al. A Dynamical System Perspective for Lipschitz Neural Networks
[5] Miyato et al. Spectral Normalization for Generative Adversarial Networks
[6] Yoshida et al. Spectral Norm Regularization for Improving the Generalizability of Deep Learning

Some steps in the proof are a little bit concise that are not easy to understand. For instance, in the proof of Theorem 4.3, can you explain in detail the steps involved in utilizing Cauchy’s inequality and boundedness of input space to arrive at inequality (36)? Adding these intermediate deductions would help enhance the clarity of the theoretical derivations. More visual results, such as attention maps, can be provided to further visually demonstrate the impact of the proposed method on safeguarding the attention mechanism under malicious attacks.

1. Although the paper provides some bounds on local Lipschitz constants, it is rather loose and is likely vacuous in practical networks. In particular, the N(N+1)B factor can be really large. Here N is the number of tokens and B is the Frobenius norm of the input of this layer. The three factors multiplied together give a factor of about a thousand or more.

2. Some “theorems” and “propositions” (including 4.2 and 5.1) are textbook results. I feel it is not needed to write them as theorems in the paper. They do not add to the technical contribution of this paper.

3. The theory part and the experiments are disconnected: the main theorem presented is about the L2 norm of the attention layer, but the actual attack is done with PGD attack with Linf perturbation of 2/255 and 8/255.

4. The baselines presented in experiments are far from state-of-the-art. It would be better to actually show whether this method can improve upon a state-of-the-art adversarial defense training method. For example, https://robustbench.github.io lists many training methods can can achieve over 60% robust accuracy on CIFAR10.