Persistent Classification: A New Approach to Stability of Data and Adversarial Examples (2404.08069v1)

Published 11 Apr 2024 in cs.LG

Abstract: There are a number of hypotheses underlying the existence of adversarial examples for classification problems. These include the high-dimensionality of the data, high codimension in the ambient space of the data manifolds of interest, and that the structure of machine learning models may encourage classifiers to develop decision boundaries close to data points. This article proposes a new framework for studying adversarial examples that does not depend directly on the distance to the decision boundary. Similarly to the smoothed classifier literature, we define a (natural or adversarial) data point to be $(\gamma,\sigma)$-stable if the probability of the same classification is at least $\gamma$ for points sampled in a Gaussian neighborhood of the point with a given standard deviation $\sigma$. We focus on studying the differences between persistence metrics along interpolants of natural and adversarial points. We show that adversarial examples have significantly lower persistence than natural examples for large neural networks in the context of the MNIST and ImageNet datasets. We connect this lack of persistence with decision boundary geometry by measuring angles of interpolants with respect to decision boundaries. Finally, we connect this approach with robustness by developing a manifold alignment gradient metric and demonstrating the increase in robustness that can be achieved when training with the addition of this metric.
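As an added illustration (not code from the paper or its authors), the (γ,σ)-stability statistic from the abstract and the persistence along an interpolant between a natural and an adversarial point, estimated by Monte Carlo on a constructed linear two-class toy model so the estimate can be checked against a closed form:

```python
import numpy as np
from math import erf, sqrt

# Constructed toy: a linear two-class model standing in for the paper's networks.
# Class 0 wins when x1 > 0, class 1 when x1 < 0, so the decision boundary is x1 = 0.
W = np.array([[1.0, 0.0], [-1.0, 0.0]])

def classify(points):
    """Predicted class for each row of `points` (shape (n, 2))."""
    return np.argmax(np.asarray(points, dtype=float) @ W.T, axis=1)

def stability(x, sigma, n_samples=4000, seed=0):
    """Monte Carlo estimate of P[f(x + N(0, sigma^2 I)) == f(x)].
    A point is (gamma, sigma)-stable when this value is at least gamma."""
    rng = np.random.default_rng(seed)
    x = np.asarray(x, dtype=float)
    label = classify(x[None, :])[0]
    noise = rng.normal(0.0, sigma, size=(n_samples, x.size))
    return float(np.mean(classify(x + noise) == label))

def is_stable(x, gamma, sigma, **kw):
    return stability(x, sigma, **kw) >= gamma

def analytic_stability(x, sigma):
    """Closed form for this toy only: noise on x2 is irrelevant, so the
    probability of keeping the label is Phi(|x1| / sigma)."""
    return 0.5 * (1.0 + erf(abs(float(x[0])) / (sigma * sqrt(2.0))))

def persistence_along_interpolant(x_nat, x_adv, sigma, steps=11, **kw):
    """Stability of x(t) = (1 - t) x_nat + t x_adv for t on a grid in [0, 1],
    the per-point quantity the paper compares between natural and adversarial endpoints."""
    x_nat, x_adv = np.asarray(x_nat, dtype=float), np.asarray(x_adv, dtype=float)
    return [(float(t), stability((1.0 - t) * x_nat + t * x_adv, sigma, **kw))
            for t in np.linspace(0.0, 1.0, steps)]

# Constructed sample points: a natural point well inside class 0 and an
# "adversarial" point that only just crosses the boundary into class 1.
X_NAT = [2.0, 0.0]
X_ADV = [-0.05, 0.0]

if __name__ == "__main__":
    for t, p in persistence_along_interpolant(X_NAT, X_ADV, sigma=0.5):
        print(f"t={t:.1f}  stability={p:.3f}")
    print("natural point (0.9, 0.5)-stable:", is_stable(X_NAT, 0.9, 0.5))
    print("adversarial point (0.9, 0.5)-stable:", is_stable(X_ADV, 0.9, 0.5))
```

On this toy the adversarial endpoint keeps its label only about 54% of the time under σ = 0.5 noise, while the natural endpoint is stable almost surely, mirroring the persistence gap the abstract reports.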

Authors (7)
  1. Brian Bell (5 papers)
  2. Michael Geyer (3 papers)
  3. David Glickenstein (13 papers)
  4. Keaton Hamm (35 papers)
  5. Carlos Scheidegger (28 papers)
  6. Amanda Fernandez (5 papers)
  7. Juston Moore (8 papers)
