A Simple Explanation for the Existence of Adversarial Examples with Small Hamming Distance

TL;DR

This paper offers a geometric explanation for the existence of adversarial examples with small Hamming distance in neural networks, linking their properties to the geometry of input space and network class distinctions.

Contribution

It introduces a simple mathematical framework based on the geometry of  space to explain adversarial examples and their Hamming distances in neural networks.

Findings

Adversarial examples with small Hamming distance are a natural consequence of input space geometry.

The framework predicts targeted adversarial examples with Hamming distance m in deep networks.

Provides a quantitative understanding of how network parameters influence adversarial vulnerability.

Abstract

The existence of adversarial examples in which an imperceptible change in the input can fool well trained neural networks was experimentally discovered by Szegedy et al in 2013, who called them "Intriguing properties of neural networks". Since then, this topic had become one of the hottest research areas within machine learning, but the ease with which we can switch between any two decisions in targeted attacks is still far from being understood, and in particular it is not clear which parameters determine the number of input coordinates we have to change in order to mislead the network. In this paper we develop a simple mathematical framework which enables us to think about this baffling phenomenon from a fresh perspective, turning it into a natural consequence of the geometry of $\mathbb{R}^n$ with the $L_0$ (Hamming) metric, which can be quantitatively analyzed. In particular, we explain why we should expect to find targeted adversarial examples with Hamming distance of roughly $m$ in arbitrarily deep neural networks which are designed to distinguish between $m$ input classes.