Sharpness-Aware Minimization Leads to Better Robustness in Meta-learning

Transforming few-shot learning into meta-learning is an important way to narrow the gap between human ability and machine learning. In this paper, we study the adversarial robustness of meta-learning model and propose Defending R2D2 algorithm (DeR2D2) to resist attacks. We pay more attention to the two problems of adversarial meta-learning: the high training cost and the significant decrease of classification accuracy on clean samples. First, we demonstrate that the introduction of adversarial samples in R2D2 training can improve its adversarial robustness. Second, we choose Randomized Fast Gradient Sign Method (R+FGSM) instead of Projected Gradient Descent (PGD) as the adversarial training method, which significantly reduces the training cost. Finally, due to the Sharpness-Aware Minimization (SAM), our method further reduces adversarial training time and significantly improves the classification accuracy on clean samples. In addition, we verify that in most cases, DeR2D2 also has a strong ability to defend against attacks.