Corpus ID: 40725562

A geometric perspective on the robustness of deep networks

@inproceedings{Fawzi2017AGP,
  title={A geometric perspective on the robustness of deep networks},
  author={Omar Fawzi and Pascal Frossard and Alhussein Fawzi and Rachel Jones},
  year={2017}
}
Deep neural networks have recently shown impressive classification performance on a diverse set of visual tasks. When deployed in real-world (noise-prone) environments, it is equally important that these classifiers satisfy robustness guarantees: small perturbations applied to the samples should not yield significant losses to the performance of the predictor. The goal of this paper is to discuss the robustness of deep networks to a diverse set of perturbations that may affect the samples in… 
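The notion of robustness sketched in the abstract can be made concrete with a small experiment: measure how often a classifier's prediction flips as the norm of an additive perturbation grows. The sketch below is only illustrative, with a toy randomly initialised network and synthetic inputs standing in for a trained deep model and real data.

```python
# Illustrative sketch: how often does a (toy) network change its prediction
# when its input is perturbed by noise of a fixed L2 norm?
import torch

torch.manual_seed(0)

# A small randomly initialised network standing in for a trained deep model.
model = torch.nn.Sequential(
    torch.nn.Linear(100, 64), torch.nn.ReLU(), torch.nn.Linear(64, 10)
)
model.eval()

x = torch.randn(512, 100)                        # synthetic "samples"
with torch.no_grad():
    clean_pred = model(x).argmax(dim=1)

for eps in [0.0, 0.1, 0.5, 1.0, 2.0]:
    noise = torch.randn_like(x)
    noise = eps * noise / noise.norm(dim=1, keepdim=True).clamp_min(1e-12)
    with torch.no_grad():
        noisy_pred = model(x + noise).argmax(dim=1)
    flip_rate = (noisy_pred != clean_pred).float().mean().item()
    print(f"eps={eps:4.1f}  prediction flip rate={flip_rate:.3f}")
```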
Analytic Expressions for Probabilistic Moments of PL-DNN with Gaussian Input
TLDR
This paper derives exact analytic expressions for the first and second moments of a small piecewise linear (PL) network (Affine, ReLU, Affine) subject to general Gaussian input and shows how these expressions can be used to systematically construct targeted and non-targeted adversarial attacks.
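The first-moment part of this is easy to check numerically in one dimension. For X ~ N(mu, sigma^2), E[max(0, X)] = mu*Phi(mu/sigma) + sigma*phi(mu/sigma); the sketch below (an illustration with toy scalar weights, not the paper's general matrix-variate expressions) compares that closed form against a Monte Carlo estimate for an Affine-ReLU-Affine map.

```python
# Sketch: compare the analytic first moment of c*ReLU(a*z + b) + d for
# z ~ N(0, 1) with a Monte Carlo estimate (1-D toy case only).
import numpy as np
from scipy.stats import norm

rng = np.random.default_rng(0)

a, b = 1.7, -0.4          # first affine layer
c, d = 2.0, 0.3           # second affine layer

mu, sigma = b, abs(a)     # a*z + b ~ N(b, a^2) for z ~ N(0, 1)

# E[ReLU(X)] for X ~ N(mu, sigma^2): mu*Phi(mu/sigma) + sigma*phi(mu/sigma)
relu_mean = mu * norm.cdf(mu / sigma) + sigma * norm.pdf(mu / sigma)
analytic = c * relu_mean + d                     # second affine layer is linear

z = rng.standard_normal(1_000_000)
monte_carlo = (c * np.maximum(0.0, a * z + b) + d).mean()

print(f"analytic E[output]   = {analytic:.5f}")
print(f"Monte Carlo estimate = {monte_carlo:.5f}")
```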
A Novel Framework for Robustness Analysis of Visual QA Models
TLDR
This work proposes a new framework that uses semantically relevant questions, dubbed basic questions, acting as noise to evaluate the robustness of VQA models, and analyzes the robustness of several state-of-the-art VQA models to show that attention-based VQA models are more robust than other methods in general.
One Pixel Attack for Fooling Deep Neural Networks
TLDR
This paper proposes a novel method for generating one-pixel adversarial perturbations based on differential evolution (DE), which requires less adversarial information (a black-box attack) and can fool more types of networks due to the inherent features of DE.
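To make the black-box, one-pixel setting concrete, the sketch below runs SciPy's differential evolution over a (row, col, r, g, b) encoding of a single pixel. The "classifier" is a stand-in random linear model; the population size, iteration budget, and encoding are illustrative choices, not the paper's settings.

```python
# Sketch (hypothetical setup): search for a single pixel whose change lowers
# the classifier's confidence in the true class, using differential evolution.
import numpy as np
from scipy.optimize import differential_evolution

rng = np.random.default_rng(0)
H, W, C, NUM_CLASSES = 32, 32, 3, 10

# Stand-in "black-box" classifier: a random linear map followed by softmax.
WEIGHTS = rng.normal(size=(H * W * C, NUM_CLASSES))

def predict_proba(image: np.ndarray) -> np.ndarray:
    logits = image.reshape(-1) @ WEIGHTS
    e = np.exp(logits - logits.max())
    return e / e.sum()

image = rng.uniform(0.0, 1.0, size=(H, W, C))
true_label = int(predict_proba(image).argmax())

def objective(params: np.ndarray) -> float:
    # params = (row, col, r, g, b); only one pixel of the copy is modified.
    x, y = int(params[0]), int(params[1])
    perturbed = image.copy()
    perturbed[x, y, :] = params[2:5]
    # Minimising the true-class probability == untargeted attack.
    return predict_proba(perturbed)[true_label]

bounds = [(0, H - 1), (0, W - 1), (0, 1), (0, 1), (0, 1)]
result = differential_evolution(objective, bounds, maxiter=30, popsize=20,
                                seed=0, tol=1e-6)
print("best true-class probability after one-pixel change:", result.fun)
```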
Defending Against Universal Perturbations With Shared Adversarial Training
TLDR
This work shows that adversarial training is more effective in preventing universal perturbations, where the same perturbation needs to fool a classifier on many inputs, and investigates the trade-off between robustness against universally perturbed data and performance on unperturbed data.
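A minimal sketch of the shared-perturbation idea (an illustration in PyTorch, not the authors' exact algorithm): within each batch a single perturbation is ascended to fool the model on every example simultaneously, and the model is then updated on the shared-perturbed batch.

```python
# Sketch: train on batches perturbed by one shared (universal-style) perturbation.
import torch

torch.manual_seed(0)
model = torch.nn.Sequential(torch.nn.Linear(20, 32), torch.nn.ReLU(),
                            torch.nn.Linear(32, 3))
opt = torch.optim.SGD(model.parameters(), lr=0.1)
loss_fn = torch.nn.CrossEntropyLoss()
eps, step, inner_steps = 0.5, 0.1, 5

for _ in range(100):                                  # toy training loop
    x = torch.randn(64, 20)
    y = torch.randint(0, 3, (64,))

    # Inner maximisation: one perturbation shared by the whole batch.
    delta = torch.zeros(1, 20, requires_grad=True)
    for _ in range(inner_steps):
        loss = loss_fn(model(x + delta), y)
        grad, = torch.autograd.grad(loss, delta)
        with torch.no_grad():
            delta += step * grad.sign()               # ascend the loss
            delta.clamp_(-eps, eps)                   # keep the perturbation small

    # Outer minimisation: standard training step on the perturbed batch.
    opt.zero_grad()
    loss_fn(model(x + delta.detach()), y).backward()
    opt.step()
```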
HyperNetworks with statistical filtering for defending adversarial examples
TLDR
This work proposes a new type of HyperNetwork in order to employ statistical properties of input data and features for computation of statistical adaptive maps and empirically demonstrates that the proposed method enables CNNs to spontaneously defend against different types of attacks.
Attacking convolutional neural network using differential evolution
TLDR
It is shown that current deep neural networks are also vulnerable to such simpler black-box attacks even under very limited attack conditions.
Assessing the Robustness of Visual Question Answering
TLDR
This work proposes a new method that uses semantically related questions, dubbed basic questions, acting as noise to evaluate the robustness of VQA models, and hypothesizes that as the similarity of a basic question to the main question decreases, the level of noise increases.
Assessing the Robustness of Visual Question Answering Models
TLDR
This work proposes a new method that uses semantically related questions, dubbed basic questions, acting as noise to evaluate the robustness of VQA models, and hypothesizes that as the similarity of a basic question to the main question decreases, the level of noise increases.
Task Agnostic Robust Learning on Corrupt Outputs by Correlation-Guided Mixture Density Networks
TLDR
The proposed method simultaneously estimates the target distribution and the quality of each data point, defined as the correlation between the target and data-generating distributions, using a Cholesky Block that enables modeling dependencies among mixture distributions in a differentiable manner.
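For context on the covariance side, the block below shows a generic differentiable Cholesky parameterisation of a covariance matrix. It is a standard construction given only to make the idea concrete; the paper's Cholesky Block and its use inside a mixture density network may differ.

```python
# Sketch: parameterise a covariance through its Cholesky factor so that
# dependencies between outputs can be modelled while the matrix stays
# positive definite, all in a differentiable way.
import torch

D = 4
raw = torch.randn(D, D, requires_grad=True)           # unconstrained parameters

L = torch.tril(raw, diagonal=-1) + torch.diag(torch.nn.functional.softplus(raw.diag()))
sigma = L @ L.T                                        # valid covariance by construction

dist = torch.distributions.MultivariateNormal(torch.zeros(D), scale_tril=L)
print("log-prob of a sample:", dist.log_prob(dist.sample()).item())
```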
...

References

Showing 1-10 of 47 references
Analysis of universal adversarial perturbations
TLDR
It is shown that the robustness of deep networks to universal perturbations is driven by a key property of their curvature: there exist shared directions along which the decision boundary of deep networks is systematically positively curved.
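A crude way to probe this kind of curvature numerically (a finite-difference proxy with a toy network, not the estimator used in the paper) is to take a second-order difference of the top-two logit margin along a candidate direction:

```python
# Sketch: estimate the directional second derivative of the decision function
# f(x) = top_logit(x) - second_logit(x) along a direction v.
import torch

torch.manual_seed(0)
model = torch.nn.Sequential(torch.nn.Linear(50, 64), torch.nn.ReLU(),
                            torch.nn.Linear(64, 10))
model.eval()

def decision_fn(x: torch.Tensor) -> torch.Tensor:
    logits = model(x)
    top2 = logits.topk(2, dim=-1).values
    return top2[..., 0] - top2[..., 1]       # positive inside the class region

x = torch.randn(1, 50)
v = torch.randn(1, 50)
v = v / v.norm()
h = 1e-2

with torch.no_grad():
    second_diff = (decision_fn(x + h * v) - 2 * decision_fn(x)
                   + decision_fn(x - h * v)) / h**2
print("directional second-derivative estimate:", second_diff.item())
```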
Classification regions of deep neural networks
TLDR
A fundamental asymmetry in the curvature of the decision boundary of deep nets is identified, and this property is shown to be effective for detecting small adversarial perturbations in images and for recovering the labels of perturbed images.
Detecting Adversarial Samples from Artifacts
TLDR
This paper investigates model confidence on adversarial samples by looking at Bayesian uncertainty estimates, available in dropout neural networks, and by performing density estimation in the subspace of deep features learned by the model; the results yield a method for implicit adversarial detection that is oblivious to the attack algorithm.
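The dropout-based uncertainty signal mentioned here is commonly obtained with Monte Carlo dropout. The sketch below shows only that generic ingredient (keep dropout active at test time and use prediction variance as a score), not the paper's full detector or its density-estimation component.

```python
# Sketch: Monte Carlo dropout as an uncertainty score for a toy network.
import torch

torch.manual_seed(0)
model = torch.nn.Sequential(torch.nn.Linear(20, 64), torch.nn.ReLU(),
                            torch.nn.Dropout(p=0.5), torch.nn.Linear(64, 10))
model.train()          # keep dropout stochastic at "test" time

x = torch.randn(4, 20)
with torch.no_grad():
    samples = torch.stack([model(x).softmax(dim=-1) for _ in range(50)])

mean_prob = samples.mean(dim=0)                    # predictive mean
uncertainty = samples.var(dim=0).sum(dim=-1)       # simple variance-based score
print("per-example uncertainty:", uncertainty)
```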
DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks
TLDR
The DeepFool algorithm is proposed to efficiently compute perturbations that fool deep networks and thus reliably quantify the robustness of these classifiers; it outperforms recent methods in the task of computing adversarial perturbations and making classifiers more robust.
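For an affine binary classifier the DeepFool step has a closed form, which is the geometric heart of the method: the minimal L2 perturbation moving x onto the boundary of f(x) = w·x + b is r = -(f(x)/||w||^2) w. The sketch below verifies just this affine case; the full algorithm iterates the step on a local linear approximation of the network.

```python
# Sketch: minimal L2 perturbation to the decision boundary of an affine
# binary classifier f(x) = w.x + b.
import numpy as np

rng = np.random.default_rng(0)
w = rng.normal(size=5)
b = 0.3
x = rng.normal(size=5)

f = w @ x + b                          # classifier output at x
r = -(f / (w @ w)) * w                 # minimal L2 perturbation
print("f(x)     =", f)
print("f(x + r) =", w @ (x + r) + b)   # ~0: x + r lies on the boundary
print("||r||_2  =", np.linalg.norm(r), "= |f(x)|/||w|| =", abs(f) / np.linalg.norm(w))
```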
Universal Adversarial Perturbations
TLDR
The surprising existence of universal perturbations reveals important geometric correlations among the high-dimensional decision boundary of classifiers and outlines potential security breaches with the existence of single directions in the input space that adversaries can possibly exploit to break a classifier on most natural images.
Adversarial Diversity and Hard Positive Generation
TLDR
A new psychometric perceptual adversarial similarity score (PASS) for quantifying adversarial images is introduced, along with the notion of hard positive generation and a novel hot/cold approach for adversarial example generation that provides multiple possible adversarial perturbations for every single image.
Towards Deep Neural Network Architectures Robust to Adversarial Examples
TLDR
Deep Contractive Network is proposed, a model with a new end-to-end training procedure that includes a smoothness penalty inspired by the contractive autoencoder (CAE) to increase the network's robustness to adversarial examples, without a significant performance penalty.
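A generic smoothness penalty in this spirit (not the paper's exact layer-wise formulation) can be written as the squared Frobenius norm of the input-output Jacobian added to the task loss:

```python
# Sketch: task loss plus a Jacobian (smoothness) penalty, in the spirit of a
# contractive term; the paper applies its penalty layer-wise, which differs.
import torch

torch.manual_seed(0)
net = torch.nn.Sequential(torch.nn.Linear(10, 16), torch.nn.Tanh(),
                          torch.nn.Linear(16, 3))
x = torch.randn(8, 10)
y = torch.randint(0, 3, (8,))

task_loss = torch.nn.functional.cross_entropy(net(x), y)

# Squared Frobenius norm of the input-output Jacobian (summed over the batch).
jac = torch.autograd.functional.jacobian(lambda inp: net(inp).sum(0), x,
                                         create_graph=True)
penalty = (jac ** 2).sum()

loss = task_loss + 1e-3 * penalty
loss.backward()
print("task loss:", task_loss.item(), "jacobian penalty:", penalty.item())
```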
Analysis of classifiers’ robustness to adversarial perturbations
TLDR
A general upper bound on the robustness of classifiers to adversarial perturbations is established, and the phenomenon of adversarial instability is suggested to be due to the low flexibility of classifiers, compared to the difficulty of the classification task (captured mathematically by the distinguishability measure).
On Detecting Adversarial Perturbations
TLDR
It is shown empirically that adversarial perturbations can be detected surprisingly well even though they are quasi-imperceptible to humans.
Robustness of classifiers: from adversarial to random noise
TLDR
This paper proposes the first quantitative analysis of the robustness of nonlinear classifiers in this general noise regime, and establishes precise theoretical bounds on the robustness of classifiers, which depend on the curvature of the classifier's decision boundary.
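In the locally flat special case, the gap between random and adversarial robustness has a simple geometric reading (a simplification, not the paper's exact curvature-dependent bounds): a random direction on the unit sphere in R^d has expected squared component 1/d along the boundary normal, so crossing the boundary along random noise typically requires a perturbation about sqrt(d) times larger than the worst-case one.

```latex
% Locally flat decision boundary at distance \|r_{adv}(x)\| along unit normal n:
\[
  v \sim \mathrm{Unif}(\mathbb{S}^{d-1}) \;\Rightarrow\;
  \mathbb{E}\big[(v^{\top} n)^{2}\big] = \frac{1}{d}
  \quad\Longrightarrow\quad
  \|r_{\mathrm{rand}}(x)\| \approx \sqrt{d}\,\|r_{\mathrm{adv}}(x)\| ,
\]
% with the curvature of the boundary entering as a correction to this estimate.
```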
...