Adversarial Noise Attacks of Deep Learning Architectures -- Stability Analysis via Sparse Modeled Signals
Yaniv Romano, Aviad Aberdam, Jeremias Sulam, Michael Elad

TL;DR
This paper investigates the stability of deep learning classifiers against adversarial noise by modeling signals as sparse representations, providing theoretical stability bounds, and comparing the robustness of different pursuit algorithms through experiments on standard datasets.
Contribution
It introduces a sparse representation framework for analyzing CNN stability to adversarial attacks and compares the robustness of layered Thresholding and Basis Pursuit algorithms.
Findings
Layered Basis Pursuit shows greater robustness to adversarial noise than layered Thresholding.
The stability of classifiers depends on the sparsity of signal representations.
Theoretical stability bounds are validated through experiments on MNIST, CIFAR-10, and CIFAR-100.
Abstract
Despite their impressive performance, deep convolutional neural networks (CNNs) have been shown to be sensitive to small adversarial perturbations. These nuisances, which one can barely notice, are powerful enough to fool sophisticated and well-performing classifiers, leading to ridiculous misclassification results. In this paper we analyze the stability of state-of-the-art deep-learning classification machines to adversarial perturbations, where we assume that the signals belong to the (possibly multi-layer) sparse representation model. We start with convolutional sparsity and then proceed to its multi-layered version, which is tightly connected to CNNs. Our analysis links the stability of the classification to noise with the underlying structure of the signal, quantified by the sparsity of its representation under a fixed dictionary. In addition, we offer similar stability…
