
Lower bounds on the robustness to adversarial perturbations

Jonathan Peck (UGent), Joris Roels (UGent), Bart Goossens (UGent) and Yvan Saeys (UGent)
Abstract
The input-output mappings learned by state-of-the-art neural networks are significantly discontinuous. It is possible to cause a neural network used for image recognition to misclassify its input by applying very specific, hardly perceptible perturbations to the input, called adversarial perturbations. Many hypotheses have been proposed to explain the existence of these peculiar samples as well as several methods to mitigate them, but a proven explanation remains elusive. In this work, we take steps towards a formal characterization of adversarial perturbations by deriving lower bounds on the magnitudes of perturbations necessary to change the classification of neural networks. The proposed bounds can be computed efficiently, requiring time at most linear in the number of parameters and hyperparameters of the model for any given sample. This makes them suitable for use in model selection, when one wishes to find out which of several proposed classifiers is most robust to adversarial perturbations. They may also be used as a basis for developing techniques to increase the robustness of classifiers, since they enjoy the theoretical guarantee that no adversarial perturbation could possibly be any smaller than the quantities provided by the bounds. We experimentally verify the bounds on the MNIST and CIFAR-10 data sets and find no violations. Additionally, the experimental results suggest that very small adversarial perturbations may occur with non-zero probability on natural samples.
Keywords
Convolutional neural networks, adversarial perturbations


Citation

MLA
Peck, Jonathan, Joris Roels, Bart Goossens, et al. “Lower Bounds on the Robustness to Adversarial Perturbations.” Advances in Neural Information Processing Systems 30 (NIPS 2017). Ed. I Guyon et al. Vol. 30. La Jolla, CA, USA: Neural Information Processing Systems (NIPS), 2017. 804–813. Print.
APA
Peck, J., Roels, J., Goossens, B., & Saeys, Y. (2017). Lower bounds on the robustness to adversarial perturbations. In I. Guyon, U. Luxburg, S. Bengio, H. Wallach, R. Fergus, S. Vishwanathan, & R. Garnett (Eds.), Advances in neural information processing systems 30 (NIPS 2017) (Vol. 30, pp. 804–813). Presented at the 31st Conference on Neural Information Processing Systems (NIPS 2017), La Jolla, CA, USA: Neural Information Processing Systems (NIPS).
Chicago author-date
Peck, Jonathan, Joris Roels, Bart Goossens, and Yvan Saeys. 2017. “Lower Bounds on the Robustness to Adversarial Perturbations.” In Advances in Neural Information Processing Systems 30 (NIPS 2017), ed. I Guyon, UV Luxburg, S Bengio, H Wallach, R Fergus, S Vishwanathan, and R Garnett, 30:804–813. La Jolla, CA, USA: Neural Information Processing Systems (NIPS).
Vancouver
Peck J, Roels J, Goossens B, Saeys Y. Lower bounds on the robustness to adversarial perturbations. In: Guyon I, Luxburg U, Bengio S, Wallach H, Fergus R, Vishwanathan S, et al., editors. Advances in neural information processing systems 30 (NIPS 2017). La Jolla, CA, USA: Neural Information Processing Systems (NIPS); 2017. p. 804–13.
IEEE
J. Peck, J. Roels, B. Goossens, and Y. Saeys, “Lower bounds on the robustness to adversarial perturbations,” in Advances in neural information processing systems 30 (NIPS 2017), Long Beach, CA, USA, 2017, vol. 30, pp. 804–813.
@inproceedings{8545488,
  abstract     = {The input-output mappings learned by state-of-the-art neural networks are significantly discontinuous. It is possible to cause a neural network used for image recognition to misclassify its input by applying very specific, hardly perceptible perturbations to the input, called adversarial perturbations. Many hypotheses have been proposed to explain the existence of these peculiar samples as well as several methods to mitigate them, but a proven explanation remains elusive. In this work, we take steps towards a formal characterization of adversarial perturbations by deriving lower bounds on the magnitudes of perturbations necessary to change the classification of neural networks. The proposed bounds can be computed efficiently, requiring time at most linear in the number of parameters and hyperparameters of the model for any given sample. This makes them suitable for use in model selection, when one wishes to find out which of several proposed classifiers is most robust to adversarial perturbations. They may also be used as a basis for developing techniques to increase the robustness of classifiers, since they enjoy the theoretical guarantee that no adversarial perturbation could possibly be any smaller than the quantities provided by the bounds. We experimentally verify the bounds on the MNIST and CIFAR-10 data sets and find no violations. Additionally, the experimental results suggest that very small adversarial perturbations may occur with non-zero probability on natural samples.},
  author       = {Peck, Jonathan and Roels, Joris and Goossens, Bart and Saeys, Yvan},
  booktitle    = {Advances in neural information processing systems 30 (NIPS 2017)},
  editor       = {Guyon, I and Luxburg, UV and Bengio, S and Wallach, H and Fergus, R and Vishwanathan, S and Garnett, R},
  issn         = {1049-5258},
  keywords     = {Convolutional neural networks,adversarial perturbations},
  language     = {eng},
  location     = {Long Beach, CA, USA},
  pages        = {804--813},
  publisher    = {Neural Information Processing Systems (NIPS)},
  title        = {Lower bounds on the robustness to adversarial perturbations},
  url          = {https://papers.nips.cc/paper/6682-lower-bounds-on-the-robustness-to-adversarial-perturbations},
  volume       = {30},
  year         = {2017},
}