First-order Adversarial Vulnerability of Neural Networks and Input - - PowerPoint PPT Presentation



SLIDE 1

First-order Adversarial Vulnerability of Neural Networks and Input Dimension

C.-J. Simon-Gabriel †, Y. Ollivier ‡, L. Bottou ‡, B. Schölkopf †, D. Lopez-Paz ‡

† Max-Planck-Institute for Intelligent Systems ‡ Facebook AI Research


SLIDE 2

Relation to Literature

Carl-Johann SIMON-GABRIEL First-order Adv Vul of NNs & Input Dim

SLIDE 7

Relation to Literature

[1,2]: “Under specific data assumptions, vulnerability increases with input dimension.”
Here: “Under specific classifier assumptions, vulnerability increases with input dimension.”

  • No-free-lunch-like result:

“If data can be anything, then there exist datasets that make the problem arbitrarily hard.”

  • Cannot apply to image datasets, because humans are non-vulnerable classifiers for which higher dimension (higher resolution) helps.

  • Hence the question:

not: what’s wrong with our data? but: what’s wrong with our classifiers?

[1] Adversarial Spheres, Gilmer et al., ICLR Workshop 2018
[2] Are adversarial examples inevitable?, Shafahi et al., ICLR 2019

SLIDE 8

Main Theorem



SLIDE 12

Main Theorem

Theorem:

At initialization, using “He-initialization”, and for a very wide class of neural nets, adversarial damage increases like √d (d: input dimension).

Remarks:

  • Vulnerability is independent of the network topology (inside a wide class).
  • Includes any succession of FC-, conv-, ReLU-, and subsampling layers at He-init.

Question:

Does it hold after training? → Experiments

SLIDE 13

Experimental Setting



SLIDE 16

Experimental Setting

  • Up-sample CIFAR-10
  • Yields 4 datasets with input sizes:

3×32×32, 3×64×64, 3×128×128, 3×256×256 (i.e. d = 3·w² for image width w).

  • Train a conv net for each input size
  • Use same architecture for all networks

(up to convolution dilation and subsampling layers).

  • Compare their adversarial vulnerability
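The following is an added example (not the authors' code) that checks the theorem's √d scaling in the setting of the experiment above, but at initialization, where the theorem applies: a constructed random 3×8×8 “image” is nearest-neighbour up-sampled by factors 1, 2 and 4, the way CIFAR-10 is up-sampled here, so d grows as 3·w²; He-initialized ReLU MLPs of matching input size (two hidden layers of width 128, standing in for the conv net, with the scalar output used as L) are fed those inputs, and E_x‖∂_x L‖_1 is measured. It also shows why that quantity is the right first-order measure for ℓ∞ attacks: by Hölder's inequality a perturbation δ with ‖δ‖_∞ ≤ ε changes L by at most ε‖∂_x L‖_1 to first order, with equality for δ = ε·sign(∂_x L) (the FGSM direction), and the block compares that prediction with the actual change of L. The network sizes, the base resolution, the random inputs and the random seed are assumptions of the example, not taken from the slides.

```python
"""Added example (not the authors' code): sqrt(d) growth of first-order
adversarial vulnerability E_x ||dL/dx||_1 for He-initialised ReLU nets fed
up-sampled images, plus the l_inf first-order damage estimate vs. reality.
Standard library only; small MLPs stand in for the slides' conv nets."""
import math
import random

random.seed(0)  # assumed seed, so repeated runs give the same numbers
HIDDEN = 128    # assumed hidden width of the stand-in MLP


def he_init(n_in, n_out):
    """n_out x n_in weight matrix with entries ~ N(0, 2/n_in) (He init)."""
    std = math.sqrt(2.0 / n_in)
    return [[random.gauss(0.0, std) for _ in range(n_in)] for _ in range(n_out)]


def make_net(d, width=HIDDEN):
    """d -> ReLU(width) -> ReLU(width) -> scalar output, used as L."""
    return [he_init(d, width), he_init(width, width), he_init(width, 1)]


def forward(net, x):
    """Returns (L(x), ReLU masks of the hidden layers)."""
    masks, h = [], x
    for i, w in enumerate(net):
        pre = [sum(wj * hj for wj, hj in zip(row, h)) for row in w]
        if i < len(net) - 1:           # hidden layer: apply ReLU
            mask = [1.0 if p > 0.0 else 0.0 for p in pre]
            masks.append(mask)
            h = [p * m for p, m in zip(pre, mask)]
        else:                          # output layer: linear
            h = pre
    return h[0], masks


def input_gradient(net, x):
    """dL/dx by back-propagation through the linear layers and ReLU masks."""
    _, masks = forward(net, x)
    grad = [1.0]                       # dL/dL
    for i in range(len(net) - 1, -1, -1):
        w = net[i]
        g_in = [0.0] * len(w[0])       # g_in = w^T grad
        for gk, row in zip(grad, w):
            if gk != 0.0:
                for j, wkj in enumerate(row):
                    g_in[j] += gk * wkj
        if i > 0:                      # ReLU below: gradient only where active
            g_in = [g * m for g, m in zip(g_in, masks[i - 1])]
        grad = g_in
    return grad


def l1(v):
    return sum(abs(c) for c in v)


def upsample(img, w, k):
    """Nearest-neighbour up-sampling of a flattened 3 x w x w image by k
    (the slides' CIFAR-10 up-sampling): d grows from 3*w*w to 3*(k*w)**2."""
    return [img[c * w * w + (r // k) * w + (col // k)]
            for c in range(3) for r in range(w * k) for col in range(w * k)]


def mean_vulnerability(d, images, n_nets=3):
    """E_x ||dL/dx||_1 at init, averaged over images and n_nets fresh nets."""
    total = 0.0
    for _ in range(n_nets):
        net = make_net(d)
        total += sum(l1(input_gradient(net, x)) for x in images)
    return total / (n_nets * len(images))


def scaling_experiment(base_w=8, factors=(1, 2, 4), n_images=3):
    """Constructed random 3 x base_w x base_w images, up-sampled by each
    factor; returns {image_width: E_x ||dL/dx||_1} for nets of matching d."""
    base = [[random.gauss(0.0, 1.0) for _ in range(3 * base_w * base_w)]
            for _ in range(n_images)]
    results = {}
    for k in factors:
        w = base_w * k
        images = [upsample(img, base_w, k) for img in base]
        results[w] = mean_vulnerability(3 * w * w, images)
    return results


def per_sqrt_d(results):
    """Vulnerability / sqrt(d) with d = 3*w*w: flat in w if the sqrt(d) law holds."""
    return {w: v / math.sqrt(3 * w * w) for w, v in results.items()}


def fgsm_damage(net, x, eps):
    """(actual change of L, first-order prediction eps*||dL/dx||_1) for the
    l_inf attack x + eps*sign(dL/dx); Hölder makes the sign direction the
    worst case among ||delta||_inf <= eps to first order."""
    g = input_gradient(net, x)
    x_adv = [xi + eps * ((gi > 0) - (gi < 0)) for xi, gi in zip(x, g)]
    return forward(net, x_adv)[0] - forward(net, x)[0], eps * l1(g)


def fgsm_check(d=256, eps=1e-3):
    """Fresh He-init net and a constructed Gaussian input of dimension d."""
    net = make_net(d)
    return fgsm_damage(net, [random.gauss(0.0, 1.0) for _ in range(d)], eps)


if __name__ == "__main__":
    res = scaling_experiment()
    for w, v in res.items():
        print(f"width {w:3d}  d={3*w*w:5d}  E||dL/dx||_1 = {v:7.2f}"
              f"  /sqrt(d) = {per_sqrt_d(res)[w]:.3f}")
    actual, predicted = fgsm_check()
    print(f"FGSM eps=1e-3: actual dL = {actual:.5f}, first-order = {predicted:.5f}")
```

Run directly, the block prints one line per resolution: the absolute vulnerability roughly doubles with each doubling of the image width (a factor 4 in d), while the ratio to √d stays roughly constant. For this particular stand-in architecture a back-of-the-envelope variance calculation gives E‖∂_x L‖_1 ≈ 2√(d/π) ≈ 1.13·√d, so that ratio should sit near 1.1 at every resolution. The FGSM line shows the first-order estimate ε‖∂_x L‖_1 matching the actual change of L to within a few percent at ε = 10⁻³, which is why the plot in the next slides reports E_x‖∂_x L‖_1 as the vulnerability measure. Note that this is an at-initialization check of a single stand-in architecture; the slides' experiment measures the same quantity on trained conv nets.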

SLIDE 17

Experimental Results (after training)



SLIDE 20

Experimental Results (after training)

[Plot: x-axis image width (∝ √d), ticks 32, 64, 128; y-axis E_x ‖∂_x L‖_1, ticks 100 to 350]

Adversarial damage ∝ √d

SLIDE 21

Conclusion



SLIDE 27

Conclusion

We show:

  • Our networks are vulnerable by design: vulnerability increases like √d.
  • Proven theoretically at initialization
  • Verified empirically after usual and robust training
  • Theoretical result is independent of network topology

Suggests that:

  • Current networks are not yet data-specific enough.
  • Architectural tweaks may not be sufficient to solve adversarial vulnerability.

SLIDE 28

Thank you for listening!


Yann Ollivier Léon Bottou Bernhard Schölkopf David Lopez-Paz First-order Adversarial Vulnerability of Neural Networks and Input Dimension

Poster Pacific Ballroom #62