Robustness of classifiers to universal perturbations: a geometric perspective

TL;DR

This paper provides a geometric analysis of why deep classifiers are vulnerable to small, universal perturbations, linking robustness to the curvature of decision boundaries and introducing a method to compute such perturbations.

Contribution

It offers the first quantitative analysis connecting classifier robustness to the geometry of decision boundaries, especially curvature, and proposes a new geometric method for computing universal perturbations.

Findings

Robustness is linked to decision boundary curvature.

Shared positively curved directions enable small universal perturbations.

Theoretical bounds on classifier robustness are established.

Abstract

Deep networks have recently been shown to be vulnerable to universal perturbations: there exist very small image-agnostic perturbations that cause most natural images to be misclassified by such classifiers. In this paper, we propose the first quantitative analysis of the robustness of classifiers to universal perturbations, and draw a formal link between the robustness to universal perturbations, and the geometry of the decision boundary. Specifically, we establish theoretical bounds on the robustness of classifiers under two decision boundary models (flat and curved models). We show in particular that the robustness of deep networks to universal perturbations is driven by a key property of their curvature: there exists shared directions along which the decision boundary of deep networks is systematically positively curved. Under such conditions, we prove the existence of small universal perturbations. Our analysis further provides a novel geometric method for computing universal perturbations, in addition to explaining their properties.