Solving adversarial examples requires solving exponential misalignment

TL;DR

This paper investigates the geometric and dimensional properties of neural network perceptual manifolds, revealing exponential misalignment with human concepts as a key factor behind adversarial vulnerability.

Contribution

It introduces the concept of perceptual manifolds, analyzes their high dimensionality, and links this to adversarial examples, providing a new geometric perspective on robustness.

Findings

Neural network perceptual manifolds have much higher dimensionality than human concepts.

Exponential misalignment exists between machine and human perceptual manifolds.

Robust networks still exhibit exponential misalignment, limiting adversarial robustness.

Abstract

Adversarial attacks - input perturbations imperceptible to humans that fool neural networks - remain both a persistent failure mode in machine learning, and a phenomenon with mysterious origins. To shed light, we define and analyze a network's perceptual manifold (PM) for a class concept as the space of all inputs confidently assigned to that class by the network. We find, strikingly, that the dimensionalities of neural network PMs are orders of magnitude higher than those of natural human concepts. Since volume typically grows exponentially with dimension, this suggests exponential misalignment between machines and humans, with exponentially many inputs confidently assigned to concepts by machines but not humans. Furthermore, this provides a natural geometric hypothesis for the origin of adversarial examples: because a network's PM fills such a large region of input space, any input will be very close to any class concept's PM. Our hypothesis thus suggests that adversarial robustness cannot be attained without dimensional alignment of machine and human PMs, and therefore makes strong predictions: both robust accuracy and distance to any PM should be negatively correlated with the PM dimension. We confirmed these predictions across 18 different networks of varying robust accuracy. Crucially, we find even the most robust networks are still exponentially misaligned, and only the few PMs whose dimensionality approaches that of human concepts exhibit alignment to human perception. Our results connect the fields of alignment and adversarial examples, and suggest the curse of high dimensionality of machine PMs is a major impediment to adversarial robustness.