Recovery Guarantees for Compressible Signals with Adversarial Noise

TL;DR

This paper extends recovery guarantees for compressible signals under adversarial noise, providing theoretical assurances for neural network defenses against various norm-bounded attacks and demonstrating their effectiveness experimentally.

Contribution

It generalizes recovery guarantees to most unitary transforms and multiple noise norms, enhancing neural network robustness against adversarial attacks.

Findings

Recovery guarantees for IHT and BP under $oldsymbol{ extit{ ext{l}}}_0$-norm noise.

Recovery guarantees for BP under $oldsymbol{ extit{ ext{l}}}_2$-norm noise.

Recovery guarantees for Dantzig Selector under $oldsymbol{ extit{ ext{l}}}_ ext{infty}$-norm noise.

Abstract

We provide recovery guarantees for compressible signals that have been corrupted with noise and extend the framework introduced in \cite{bafna2018thwarting} to defend neural networks against $\ell_0$-norm, $\ell_2$-norm, and $\ell_{\infty}$-norm attacks. Our results are general as they can be applied to most unitary transforms used in practice and hold for $\ell_0$-norm, $\ell_2$-norm, and $\ell_\infty$-norm bounded noise. In the case of $\ell_0$-norm noise, we prove recovery guarantees for Iterative Hard Thresholding (IHT) and Basis Pursuit (BP). For $\ell_2$-norm bounded noise, we provide recovery guarantees for BP and for the case of $\ell_\infty$-norm bounded noise, we provide recovery guarantees for Dantzig Selector (DS). These guarantees theoretically bolster the defense framework introduced in \cite{bafna2018thwarting} for defending neural networks against adversarial inputs. Finally, we experimentally demonstrate the effectiveness of this defense framework against an array of $\ell_0$, $\ell_2$ and $\ell_\infty$ norm attacks.