Adversarial noise attacks of deep learning architectures: stability analysis via sparse-modeled signals. (English) Zbl 1434.68520
Summary: Despite their impressive performance, deep convolutional neural networks (CNNs) have been shown to be sensitive to small adversarial perturbations. These nuisances, which one can barely notice, are powerful enough to fool sophisticated and well-performing classifiers, leading to ridiculous misclassification results. In this paper, we analyze the stability of state-of-the-art deep learning classification machines to adversarial perturbations, where we assume that the signals belong to the (possibly multilayered) sparse representation model. We start with convolutional sparsity and then proceed to its multilayered version, which is tightly connected to CNNs. Our analysis links the stability of the classification to noise with the underlying structure of the signal, quantified by the sparsity of its representation under a fixed dictionary. In addition, we offer similar stability theorems for two practical pursuit algorithms, which are posed as two different deep learning architectures – the layered thresholding and the layered basis pursuit. Our analysis establishes the better robustness of the latter to adversarial attacks. We corroborate these theoretical results by numerical experiments on three datasets: MNIST, CIFAR-10, and CIFAR-100.
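The two pursuit schemes named in the summary are simple enough to sketch. Below is a minimal NumPy sketch, not the paper's method: it assumes generic dense dictionaries D_i rather than the convolutional dictionaries analyzed in the paper, and the thresholds beta_i and regularization weights lam_i are hand-picked for illustration. Layered thresholding applies one multiplication by the transposed dictionary and a shrinkage per layer, mirroring a CNN forward pass; layered basis pursuit replaces the single shrinkage with a full Lasso solve per layer (here via plain ISTA).

```python
import numpy as np

def soft_threshold(z, beta):
    # Entrywise soft thresholding: shrink |z| by beta and zero out small entries.
    return np.sign(z) * np.maximum(np.abs(z) - beta, 0.0)

def layered_thresholding(x, dictionaries, betas):
    # Layered thresholding pursuit: one multiplication by D_i^T followed by a
    # shrinkage per layer -- structurally a CNN forward pass, with the
    # thresholding playing the role of bias + ReLU.
    gamma = x
    for D, beta in zip(dictionaries, betas):
        gamma = soft_threshold(D.T @ gamma, beta)
    return gamma

def ista(D, x, lam, n_iters=200):
    # Plain ISTA for the Lasso: min_g 0.5*||x - D g||^2 + lam*||g||_1.
    L = np.linalg.norm(D, 2) ** 2  # Lipschitz constant of the smooth part
    gamma = np.zeros(D.shape[1])
    for _ in range(n_iters):
        grad = D.T @ (D @ gamma - x)
        gamma = soft_threshold(gamma - grad / L, lam / L)
    return gamma

def layered_basis_pursuit(x, dictionaries, lams):
    # Layered basis pursuit: solve a full Lasso at every layer instead of
    # taking a single shrinkage step.
    gamma = x
    for D, lam in zip(dictionaries, lams):
        gamma = ista(D, gamma, lam)
    return gamma

# Toy usage with random (hypothetical) dictionaries, illustrative only.
rng = np.random.default_rng(0)
D1, D2 = rng.standard_normal((64, 128)), rng.standard_normal((128, 256))
x = rng.standard_normal(64)
g_lt = layered_thresholding(x, [D1, D2], betas=[0.5, 0.5])
g_bp = layered_basis_pursuit(x, [D1, D2], lams=[0.5, 0.5])
```

Roughly, this sketch also hints at why the paper finds layered basis pursuit more robust: thresholding commits to a support in a single shot per layer, so an input perturbation can propagate and amplify through the layers, whereas basis pursuit re-optimizes the representation at every layer before passing it on.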
MSC:
68T07 Artificial neural networks and deep learning
68P30 Coding and information theory (compaction, compression, models of communication, encoding schemes, etc.) (aspects in computer science)
Software:
CIFAR; MNIST