Comment on "Biologically inspired protection of deep networks from adversarial attacks"
Wieland Brendel, Matthias Bethge

TL;DR
This paper critically examines claims that saturation-based methods protect deep networks from adversarial attacks, revealing that such robustness may be due to numerical issues rather than true security.
Contribution
The study demonstrates that gradient-based attacks can succeed on saturated networks when numerical stabilization is applied, questioning the effectiveness of saturation as a defense.
Findings
Gradient attacks succeed with stabilized gradients
Saturation may cause numerical limitations, not robustness
Robustness claims need reevaluation
Abstract
A recent paper suggests that Deep Neural Networks can be protected from gradient-based adversarial perturbations by driving the network activations into a highly saturated regime. Here we analyse such saturated networks and show that the attacks fail due to numerical limitations in the gradient computations. A simple stabilisation of the gradient estimates enables successful and efficient attacks. Thus, it has yet to be shown that the robustness observed in highly saturated networks is not simply due to numerical limitations.
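Added example (not code from the paper or from this page): a minimal float64 illustration of the numerical limitation the abstract describes, usable as a sanity check when evaluating a saturation-based defence. The toy sigmoid unit, the `scale` parameter that pushes it into saturation, the sample weights and input, and the rewritten derivative are all assumptions for illustration; the paper's own stabilisation is not given on this page.

```python
import math

# Constructed sample data for a single toy unit (not from the paper).
WEIGHTS = [0.5, -0.25, 1.0]
X = [1.0, 2.0, 0.5]          # w.x = 0.5

def sigmoid(z):
    # Overflow-safe forward pass.
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)

def grad_naive(z):
    # Textbook derivative s*(1-s). Once s rounds to exactly 1.0,
    # (1 - s) cancels to 0.0 and the gradient disappears.
    s = sigmoid(z)
    return s * (1.0 - s)

def grad_stable(z):
    # Same derivative written as e/(1+e)^2 with e = exp(-|z|).
    # No subtraction of nearly equal numbers, so no cancellation.
    e = math.exp(-abs(z))
    return e / (1.0 + e) ** 2

def masking_report(weights, x, scale):
    """Toy unit y = sigmoid(scale * w.x).
    Returns (naive dy/dx, stable dy/dx) as lists."""
    z = scale * sum(w * xi for w, xi in zip(weights, x))
    naive = [grad_naive(z) * scale * w for w in weights]
    stable = [grad_stable(z) * scale * w for w in weights]
    return naive, stable

def is_numerically_masked(naive, stable):
    # True when the naive gradient is exactly zero although the
    # mathematically identical stable form is non-zero.
    return all(g == 0.0 for g in naive) and any(g != 0.0 for g in stable)

if __name__ == "__main__":
    for scale in (1.0, 100.0):   # 100.0 drives the unit into saturation
        naive, stable = masking_report(WEIGHTS, X, scale)
        print(scale, naive, stable, is_numerically_masked(naive, stable))
```

A gradient that is exactly zero in the naive form but non-zero in the stable form indicates a floating-point artefact, so robustness measured against it says nothing about the model's actual sensitivity to input perturbations.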
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Bacillus and Francisella bacterial research
