Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
167 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
42 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Effect of Ambient-Intrinsic Dimension Gap on Adversarial Vulnerability (2403.03967v2)

Published 6 Mar 2024 in cs.LG, cs.CR, and stat.ML

Abstract: The existence of adversarial attacks on machine learning models imperceptible to a human is still quite a mystery from a theoretical perspective. In this work, we introduce two notions of adversarial attacks: natural or on-manifold attacks, which are perceptible by a human/oracle, and unnatural or off-manifold attacks, which are not. We argue that the existence of the off-manifold attacks is a natural consequence of the dimension gap between the intrinsic and ambient dimensions of the data. For 2-layer ReLU networks, we prove that even though the dimension gap does not affect generalization performance on samples drawn from the observed data space, it makes the clean-trained model more vulnerable to adversarial perturbations in the off-manifold direction of the data space. Our main results provide an explicit relationship between the $\ell_2,\ell_{\infty}$ attack strength of the on/off-manifold attack and the dimension gap.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (30)
  1. Adler, R. J. and Taylor, J. E. (2007), “Gaussian inequalities,” Random Fields and Geometry, 49–64.
  2. Bartlett, P., Bubeck, S., and Cherapanamjeri, Y. (2021), “Adversarial examples in multi-layer random relu networks,” Advances in Neural Information Processing Systems, 34, 9241–9252.
  3. Bubeck, S., Cherapanamjeri, Y., Gidel, G., and Tachet des Combes, R. (2021), “A single gradient step finds adversarial examples on random two-layers neural networks,” Advances in Neural Information Processing Systems, 34, 10081–10091.
  4. Carlini, N. and Wagner, D. (2017), “Towards evaluating the robustness of neural networks,” in 2017 ieee symposium on security and privacy (sp), Ieee, pp. 39–57.
  5. Daniely, A. and Shacham, H. (2020), “Most ReLU Networks Suffer from \ell^2 Adversarial Perturbations,” in Advances in Neural Information Processing Systems, eds. Larochelle, H., Ranzato, M., Hadsell, R., Balcan, M., and Lin, H., Curran Associates, Inc., vol. 33, pp. 6629–6636.
  6. Deng, J., Dong, W., Socher, R., Li, L.-J., Li, K., and Fei-Fei, L. (2009), “ImageNet: A large-scale hierarchical image database,” in 2009 IEEE Conference on Computer Vision and Pattern Recognition, pp. 248–255.
  7. Facco, E., d’Errico, M., Rodriguez, A., and Laio, A. (2017), “Estimating the intrinsic dimension of datasets by a minimal neighborhood information,” Scientific Reports, 7.
  8. Frei, S., Vardi, G., Bartlett, P. L., and Srebro, N. (2023), “The Double-Edged Sword of Implicit Bias: Generalization vs. Robustness in ReLU Networks,” arXiv preprint arXiv:2303.01456.
  9. Fukunaga, K. and Olsen, D. (1971), “An Algorithm for Finding Intrinsic Dimensionality of Data,” IEEE Transactions on Computers, C-20, 176–183.
  10. Goodfellow, I. J., Shlens, J., and Szegedy, C. (2014), “Explaining and harnessing adversarial examples,” arXiv preprint arXiv:1412.6572.
  11. Haro, G., Randall, G., and Sapiro, G. (2008), “Translated Poisson Mixture Model for Stratification Learning,” International Journal of Computer Vision, 80, 358–374.
  12. He, K., Zhang, X., Ren, S., and Sun, J. (2015), “Delving deep into rectifiers: Surpassing human-level performance on imagenet classification,” in Proceedings of the IEEE international conference on computer vision, pp. 1026–1034.
  13. — (2016), “Deep Residual Learning for Image Recognition,” in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR).
  14. Hornik, K., Stinchcombe, M., and White, H. (1989), “Multilayer feedforward networks are universal approximators,” Neural networks, 2, 359–366.
  15. Laurent, B. and Massart, P. (2000), “Adaptive estimation of a quadratic functional by model selection,” Annals of statistics, 1302–1338.
  16. LeCun, Y., Cortes, C., and Burges, C. (2010), “MNIST handwritten digit database,” ATT Labs [Online]. Available: http://yann.lecun.com/exdb/mnist, 2.
  17. Ledoux, M. (2006), “Isoperimetry and Gaussian analysis,” Lectures on Probability Theory and Statistics: Ecole d’Eté de Probabilités de Saint-Flour XXIV—1994, 165–294.
  18. Leshno, M., Lin, V. Y., Pinkus, A., and Schocken, S. (1993), “Multilayer feedforward networks with a nonpolynomial activation function can approximate any function,” Neural networks, 6, 861–867.
  19. Liu, J., Bai, Y., Jiang, G., Chen, T., and Wang, H. (2019), “Understanding Why Neural Networks Generalize Well Through GSNR of Parameters,” in International Conference on Learning Representations.
  20. Lyu, K. and Li, J. (2020), “Gradient Descent Maximizes the Margin of Homogeneous Neural Networks,” .
  21. Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A. (2017), “Towards deep learning models resistant to adversarial attacks,” arXiv preprint arXiv:1706.06083.
  22. Melamed, O., Yehudai, G., and Vardi, G. (2023), “Adversarial Examples Exist in Two-Layer ReLU Networks for Low Dimensional Data Manifolds,” arXiv preprint arXiv:2303.00783.
  23. Pinkus, A. (1999), “Approximation theory of the MLP model in neural networks,” Acta numerica, 8, 143–195.
  24. Schmidt, L., Santurkar, S., Tsipras, D., Talwar, K., and Madry, A. (2018), “Adversarially robust generalization requires more data,” Advances in neural information processing systems, 31.
  25. Shamir, A., Melamed, O., and BenShmuel, O. (2022), “The Dimpled Manifold Model of Adversarial Examples in Machine Learning,” .
  26. Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. (2013), “Intriguing properties of neural networks,” arXiv preprint arXiv:1312.6199.
  27. Vardi, G., Yehudai, G., and Shamir, O. (2022), “Gradient methods provably converge to non-robust networks,” Advances in Neural Information Processing Systems, 35, 20921–20932.
  28. Xiao, H., Rasul, K., and Vollgraf, R. (2017), “Fashion-MNIST: a Novel Image Dataset for Benchmarking Machine Learning Algorithms,” .
  29. Xiao, J., Yang, L., Fan, Y., Wang, J., and Luo, Z.-Q. (2022), “Understanding adversarial robustness against on-manifold adversarial examples,” arXiv preprint arXiv:2210.00430.
  30. Zhang, W., Zhang, Y., Hu, X., Goswami, M., Chen, C., and Metaxas, D. N. (2022), “A Manifold View of Adversarial Risk,” in International Conference on Artificial Intelligence and Statistics, PMLR, pp. 11598–11614.
Citations (2)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets