Adversarial Vulnerability as a Consequence of On-Manifold Inseparibility
Rajdeep Haldar, Yue Xing, Qifan Song, Guang Lin

TL;DR
This paper links adversarial vulnerability to the difficulty of training off-manifold features due to ill-conditioning, proposing second-order optimization methods to improve robustness and analyzing the impact of batch normalization.
Contribution
It introduces a theoretical framework connecting data manifold properties with adversarial vulnerability and demonstrates the effectiveness of second-order methods in enhancing robustness.
Findings
Second-order methods improve robustness in training.
Batch normalization hinders robustness gains.
Ill-conditioning affects off-manifold feature convergence.
Abstract
Recent works have shown theoretically and empirically that redundant data dimensions are a source of adversarial vulnerability. However, the inverse doesn't seem to hold in practice; employing dimension-reduction techniques doesn't exhibit robustness as expected. In this work, we consider classification tasks and characterize the data distribution as a low-dimensional manifold, with high/low variance features defining the on/off manifold direction. We argue that clean training experiences poor convergence in the off-manifold direction caused by the ill-conditioning in widely used first-order optimizers like gradient descent. The poor convergence then acts as a source of adversarial vulnerability when the dataset is inseparable in the on-manifold direction. We provide theoretical results for logistic regression and a 2-layer linear network on the considered data distribution.…
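An added illustration of the mechanism the abstract describes, not code from the paper or its authors: logistic regression on a constructed two-feature dataset, trained with gradient descent and with Newton's method. The data, the step counts, the learning rate and the perturbation radius are assumptions chosen for this example.

```python
import math

S = 0.05  # constructed: scale of the low-variance (off-manifold) feature
# Constructed data: on-manifold x1 overlaps between classes; off-manifold x2 = y*S separates them.
A = [-1.0 + 0.5 * i for i in range(9)]
DATA = [((y * a, y * S), y) for a in A for y in (1, -1)]

def sigmoid(t):
    return 1.0 / (1.0 + math.exp(-t))

def grad_hess(w):
    """Gradient and Hessian of the mean logistic loss log(1 + exp(-y * w.x))."""
    g, h = [0.0, 0.0], [[0.0, 0.0], [0.0, 0.0]]
    for x, y in DATA:
        z = y * (w[0] * x[0] + w[1] * x[1])
        p = sigmoid(-z)
        for i in range(2):
            g[i] -= p * y * x[i] / len(DATA)
            for j in range(2):
                h[i][j] += p * (1 - p) * x[i] * x[j] / len(DATA)
    return g, h

def gradient_descent(steps=500, lr=1.0):
    w = [0.0, 0.0]
    for _ in range(steps):
        g, _ = grad_hess(w)
        w = [w[0] - lr * g[0], w[1] - lr * g[1]]
    return w

def newton(steps=10):
    # Few steps on purpose: the data is separable, so the weights keep growing.
    w = [0.0, 0.0]
    for _ in range(steps):
        g, h = grad_hess(w)
        det = h[0][0] * h[1][1] - h[0][1] * h[1][0]
        w = [w[0] - (h[1][1] * g[0] - h[0][1] * g[1]) / det,
             w[1] - (h[0][0] * g[1] - h[1][0] * g[0]) / det]
    return w

def hessian_condition(w):
    """Ratio of largest to smallest Hessian eigenvalue (2x2 closed form)."""
    _, h = grad_hess(w)
    half, det = (h[0][0] + h[1][1]) / 2, h[0][0] * h[1][1] - h[0][1] * h[1][0]
    disc = math.sqrt(half * half - det)
    return (half + disc) / (half - disc)

def robust_accuracy(w, eps):
    """Fraction of points whose signed L2 distance to the boundary w.x = 0 exceeds eps."""
    norm = math.hypot(w[0], w[1])
    return sum(1 for x, y in DATA if y * (w[0] * x[0] + w[1] * x[1]) / norm > eps) / len(DATA)
```

With these settings, `robust_accuracy(newton(), S / 2)` is 1.0, while `robust_accuracy(gradient_descent(), S / 2)` stays below 1.0 because the gradient descent weight on the off-manifold feature is still small after 500 steps.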
Taxonomy
Topics: Military Defense Systems Analysis
Methods: Logistic Regression
