Adversarial Spheres

TL;DR

This paper investigates the geometric reasons behind adversarial vulnerability in high-dimensional data, using a simple spherical dataset to demonstrate fundamental tradeoffs between error and robustness.

Contribution

It introduces a theoretical framework linking high-dimensional geometry to adversarial vulnerability, supported by analysis of a synthetic spherical dataset.

Findings

Any model misclassifying a small fraction of the sphere is vulnerable to small perturbations.

All tested architectures approach the theoretical vulnerability bound.

Vulnerability is a natural consequence of high-dimensional geometry and test error.

Abstract

State of the art computer vision models have been shown to be vulnerable to small adversarial perturbations of the input. In other words, most images in the data distribution are both correctly classified by the model and are very close to a visually similar misclassified image. Despite substantial research interest, the cause of the phenomenon is still poorly understood and remains unsolved. We hypothesize that this counter intuitive behavior is a naturally occurring result of the high dimensional geometry of the data manifold. As a first step towards exploring this hypothesis, we study a simple synthetic dataset of classifying between two concentric high dimensional spheres. For this dataset we show a fundamental tradeoff between the amount of test error and the average distance to nearest error. In particular, we prove that any model which misclassifies a small constant fraction of a sphere will be vulnerable to adversarial perturbations of size $O(1/\sqrt{d})$. Surprisingly, when we train several different architectures on this dataset, all of their error sets naturally approach this theoretical bound. As a result of the theory, the vulnerability of neural networks to small adversarial perturbations is a logical consequence of the amount of test error observed. We hope that our theoretical analysis of this very simple case will point the way forward to explore how the geometry of complex real-world data sets leads to adversarial examples.