Chaos Theory and Adversarial Robustness
Jonathan S. Kent

TL;DR
This paper introduces a Chaos Theory-inspired metric called the susceptibility ratio to analyze and quantify neural network robustness against adversarial attacks, revealing depth-related vulnerabilities and enabling efficient robustness estimation.
Contribution
It presents a novel susceptibility ratio metric, analyzes its relation to model depth and robustness, and offers a practical method for approximating robustness radii in large models.
Findings
Susceptibility to attacks increases with model depth.
The susceptibility ratio correlates with post-attack accuracy.
Efficient approximation of robustness radii for large models is possible.
Abstract
Neural networks, being susceptible to adversarial attacks, should face a strict level of scrutiny before being deployed in critical or adversarial applications. This paper uses ideas from Chaos Theory to explain, analyze, and quantify the degree to which neural networks are susceptible to or robust against adversarial attacks. To this end, we present a new metric, the "susceptibility ratio," given by , which captures how greatly a model's output will be changed by perturbations to a given input. Our results show that susceptibility to attack grows significantly with the depth of the model, which has safety implications for the design of neural networks for production environments. We provide experimental evidence of the relationship between and the post-attack accuracy of classification models, as well as a discussion of its application to tasks…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security · Machine Learning in Materials Science
