Adversarial robustness of VAEs through the lens of local geometry

TL;DR

This paper investigates the vulnerability of VAEs to adversarial attacks by analyzing the local geometry of the latent space through the pullback metric tensor, proposing new robustness scores and a mixup training method to enhance robustness.

Contribution

It introduces a geometric perspective using the pullback metric tensor to evaluate and improve VAE robustness against adversarial perturbations.

Findings

Pullback metric tensor eigenspectrum correlates with robustness.

Mixup training improves robustness without degrading reconstruction.

Proposed scores effectively measure VAE robustness.

Abstract

In an unsupervised attack on variational autoencoders (VAEs), an adversary finds a small perturbation in an input sample that significantly changes its latent space encoding, thereby compromising the reconstruction for a fixed decoder. A known reason for such vulnerability is the distortions in the latent space resulting from a mismatch between approximated latent posterior and a prior distribution. Consequently, a slight change in an input sample can move its encoding to a low/zero density region in the latent space resulting in an unconstrained generation. This paper demonstrates that an optimal way for an adversary to attack VAEs is to exploit a directional bias of a stochastic pullback metric tensor induced by the encoder and decoder networks. The pullback metric tensor of an encoder measures the change in infinitesimal latent volume from an input to a latent space. Thus, it can be viewed as a lens to analyse the effect of input perturbations leading to latent space distortions. We propose robustness evaluation scores using the eigenspectrum of a pullback metric tensor. Moreover, we empirically show that the scores correlate with the robustness parameter $\beta$ of the $\beta-$VAE. Since increasing $\beta$ also degrades reconstruction quality, we demonstrate a simple alternative using \textit{mixup} training to fill the empty regions in the latent space, thus improving robustness with improved reconstruction.