Golyadkin's Torment: Doppelg\"angers and Adversarial Vulnerability

TL;DR

This paper investigates adversarial Doppelgangers in ML classifiers, revealing their vulnerability, defining their structure, and proposing criteria and methods to improve classifier robustness against such inputs, which are perceptually close yet qualitatively different from typical adversarial examples.

Contribution

The paper introduces the concept of adversarial Doppelgangers, analyzes their properties, and provides criteria and methods to assess and enhance classifier robustness against these adversarial inputs.

Findings

Most classifiers are vulnerable to adversarial Doppelgangers.

Robustness-accuracy trade-offs may not eliminate vulnerability.

Certain problems lack any AD-robust classifiers due to class ambiguity.

Abstract

Many machine learning (ML) classifiers are claimed to outperform humans, but they still make mistakes that humans do not. The most notorious examples of such mistakes are adversarial visual metamers. This paper aims to define and investigate the phenomenon of adversarial Doppelgangers (AD), which includes adversarial visual metamers, and to compare the performance and robustness of ML classifiers to human performance. We find that AD are inputs that are close to each other with respect to a perceptual metric defined in this paper. AD are qualitatively different from the usual adversarial examples. The vast majority of classifiers are vulnerable to AD and robustness-accuracy trade-offs may not improve them. Some classification problems may not admit any AD robust classifiers because the underlying classes are ambiguous. We provide criteria that can be used to determine whether a classification problem is well defined or not; describe the structure and attributes of an AD-robust classifier; introduce and explore the notions of conceptual entropy and regions of conceptual ambiguity for classifiers that are vulnerable to AD attacks, along with methods to bound the AD fooling rate of an attack. We define the notion of classifiers that exhibit hypersensitive behavior, that is, classifiers whose only mistakes are adversarial Doppelgangers. Improving the AD robustness of hyper-sensitive classifiers is equivalent to improving accuracy. We identify conditions guaranteeing that all classifiers with sufficiently high accuracy are hyper-sensitive. Our findings are aimed at significant improvements in the reliability and security of machine learning systems.