Cross-Entropy Loss and Low-Rank Features Have Responsibility for Adversarial Examples

TL;DR

This paper identifies that cross-entropy loss and low-rank features contribute to adversarial vulnerability in neural networks, and proposes differential training to increase decision margin and robustness against adversarial examples.

Contribution

It introduces differential training, a novel loss function based on feature differences, to improve neural network robustness against adversarial attacks.

Findings

Differential training significantly reduces adversarial vulnerability on CIFAR-10.

The method increases the margin between decision boundary and training points.

It decreases the ratio of images with detectable adversarial examples.

Abstract

State-of-the-art neural networks are vulnerable to adversarial examples; they can easily misclassify inputs that are imperceptibly different than their training and test data. In this work, we establish that the use of cross-entropy loss function and the low-rank features of the training data have responsibility for the existence of these inputs. Based on this observation, we suggest that addressing adversarial examples requires rethinking the use of cross-entropy loss function and looking for an alternative that is more suited for minimization with low-rank features. In this direction, we present a training scheme called differential training, which uses a loss function defined on the differences between the features of points from opposite classes. We show that differential training can ensure a large margin between the decision boundary of the neural network and the points in the training dataset. This larger margin increases the amount of perturbation needed to flip the prediction of the classifier and makes it harder to find an adversarial example with small perturbations. We test differential training on a binary classification task with CIFAR-10 dataset and demonstrate that it radically reduces the ratio of images for which an adversarial example could be found -- not only in the training dataset, but in the test dataset as well.