Improving Neural Network Robustness through Neighborhood Preserving Layers

TL;DR

This paper introduces neighborhood preserving layers as a replacement for fully-connected layers in neural networks, enhancing robustness against adversarial attacks by controlling gradient magnitudes, with theoretical and empirical validation.

Contribution

The paper proposes a novel neighborhood preserving layer that improves neural network robustness and provides a new architecture with theoretical and empirical support.

Findings

Enhanced robustness against PGD attacks on MNIST and CIFAR10

Theoretical proof of gradient magnitude control leading to robustness

Empirical results show improved adversarial resistance

Abstract

Robustness against adversarial attack in neural networks is an important research topic in the machine learning community. We observe one major source of vulnerability of neural nets is from overparameterized fully-connected layers. In this paper, we propose a new neighborhood preserving layer which can replace these fully connected layers to improve the network robustness. We demonstrate a novel neural network architecture which can incorporate such layers and also can be trained efficiently. We theoretically prove that our models are more robust against distortion because they effectively control the magnitude of gradients. Finally, we empirically show that our designed network architecture is more robust against state-of-art gradient descent based attacks, such as a PGD attack on the benchmark datasets MNIST and CIFAR10.