Understanding and Quantifying Adversarial Examples Existence in Linear Classification

TL;DR

This paper analyzes the existence of adversarial examples in linear classifiers, proposing a new definition that considers signal direction, and demonstrates the possibility of robust linear classifiers through theoretical and experimental validation.

Contribution

It introduces a practical definition of strong adversarial examples for linear classifiers and shows robustness is achievable with human knowledge integration.

Findings

Linear classifiers can be made robust to strong adversarial examples.

A new definition of adversarial examples considering signal direction is proposed.

Numerical experiments confirm the theoretical formulas.

Abstract

State-of-art deep neural networks (DNN) are vulnerable to attacks by adversarial examples: a carefully designed small perturbation to the input, that is imperceptible to human, can mislead DNN. To understand the root cause of adversarial examples, we quantify the probability of adversarial example existence for linear classifiers. Previous mathematical definition of adversarial examples only involves the overall perturbation amount, and we propose a more practical relevant definition of strong adversarial examples that separately limits the perturbation along the signal direction also. We show that linear classifiers can be made robust to strong adversarial examples attack in cases where no adversarial robust linear classifiers exist under the previous definition. The quantitative formulas are confirmed by numerical experiments using a linear support vector machine (SVM) classifier. The results suggest that designing general strong-adversarial-robust learning systems is feasible but only through incorporating human knowledge of the underlying classification problem.