On the Relationship Between Adversarial Robustness and Decision Region in Deep Neural Networks

TL;DR

This paper investigates how the internal geometry of deep neural networks, specifically the concept of Populated Region Set (PRS), relates to their robustness against adversarial attacks, providing insights and methods to enhance robustness.

Contribution

It introduces the novel concept of PRS to analyze DNN internal properties and proposes a PRS regularizer to improve adversarial robustness without adversarial training.

Findings

Low PRS ratio correlates with higher adversarial robustness.

Empirical validation of PRS as a meaningful metric for robustness.

PRS regularizer improves robustness in experiments.

Abstract

In general, Deep Neural Networks (DNNs) are evaluated by the generalization performance measured on unseen data excluded from the training phase. Along with the development of DNNs, the generalization performance converges to the state-of-the-art and it becomes difficult to evaluate DNNs solely based on this metric. The robustness against adversarial attack has been used as an additional metric to evaluate DNNs by measuring their vulnerability. However, few studies have been performed to analyze the adversarial robustness in terms of the geometry in DNNs. In this work, we perform an empirical study to analyze the internal properties of DNNs that affect model robustness under adversarial attacks. In particular, we propose the novel concept of the Populated Region Set (PRS), where training samples are populated more frequently, to represent the internal properties of DNNs in a practical setting. From systematic experiments with the proposed concept, we provide empirical evidence to validate that a low PRS ratio has a strong relationship with the adversarial robustness of DNNs. We also devise PRS regularizer leveraging the characteristics of PRS to improve the adversarial robustness without adversarial training.