Shift Invariance Can Reduce Adversarial Robustness

TL;DR

This paper demonstrates that while shift invariance improves CNN classification performance, it can also increase vulnerability to adversarial attacks, as shown through theoretical analysis and empirical experiments.

Contribution

It reveals a fundamental trade-off between shift invariance and adversarial robustness in neural networks, supported by theoretical proofs and empirical evidence.

Findings

Shift invariance affects the class margin depending only on the DC component.

Shift-invariant neural networks can produce linear decision boundaries in simple cases.

Empirical results show shift invariance reduces adversarial robustness on real datasets.

Abstract

Shift invariance is a critical property of CNNs that improves performance on classification. However, we show that invariance to circular shifts can also lead to greater sensitivity to adversarial attacks. We first characterize the margin between classes when a shift-invariant linear classifier is used. We show that the margin can only depend on the DC component of the signals. Then, using results about infinitely wide networks, we show that in some simple cases, fully connected and shift-invariant neural networks produce linear decision boundaries. Using this, we prove that shift invariance in neural networks produces adversarial examples for the simple case of two classes, each consisting of a single image with a black or white dot on a gray background. This is more than a curiosity; we show empirically that with real datasets and realistic architectures, shift invariance reduces adversarial robustness. Finally, we describe initial experiments using synthetic data to probe the source of this connection.