Mechanistic Understandings of Representation Vulnerabilities and Engineering Robust Vision Transformers

TL;DR

This paper investigates the vulnerabilities of vision transformers to adversarial attacks, revealing how perturbations propagate through layers, and introduces NeuroShield-ViT, a defense mechanism that improves robustness without fine-tuning.

Contribution

The study provides a detailed analysis of representation vulnerabilities in ViT and proposes NeuroShield-ViT, a novel layer-neutralization defense method that enhances robustness against adversarial attacks.

Findings

NeuroShield-ViT achieves 77.8% accuracy on adversarial examples without fine-tuning.

Adversarial effects amplify from early to late layers in ViT.

NeuroShield-ViT outperforms traditional robustness methods against strong iterative attacks.

Abstract

While transformer-based models dominate NLP and vision applications, their underlying mechanisms to map the input space to the label space semantically are not well understood. In this paper, we study the sources of known representation vulnerabilities of vision transformers (ViT), where perceptually identical images can have very different representations and semantically unrelated images can have the same representation. Our analysis indicates that imperceptible changes to the input can result in significant representation changes, particularly in later layers, suggesting potential instabilities in the performance of ViTs. Our comprehensive study reveals that adversarial effects, while subtle in early layers, propagate and amplify through the network, becoming most pronounced in middle to late layers. This insight motivates the development of NeuroShield-ViT, a novel defense mechanism that strategically neutralizes vulnerable neurons in earlier layers to prevent the cascade of adversarial effects. We demonstrate NeuroShield-ViT's effectiveness across various attacks, particularly excelling against strong iterative attacks, and showcase its remarkable zero-shot generalization capabilities. Without fine-tuning, our method achieves a competitive accuracy of 77.8% on adversarial examples, surpassing conventional robustness methods. Our results shed new light on how adversarial effects propagate through ViT layers, while providing a promising approach to enhance the robustness of vision transformers against adversarial attacks. Additionally, they provide a promising approach to enhance the robustness of vision transformers against adversarial attacks.