The reliability of deep learning algorithms is fundamentally challenged by the existence of adversarial examples, which are incorrectly classified inputs that are extremely close to a correctly classified input. We explore the properties of adversarial examples for deep neural networks with random weights and biases, and prove that for any p≥1, the ell^p distance of any given input from the classification boundary scales as one over the square root of the dimension of the input times the ell^p norm of the input. The results are based on the recently proved equivalence between Gaussian processes and deep neural networks in the limit of infinite width of the hidden layers, and are validated with experiments on both random deep neural networks and deep neural networks trained on the MNIST and CIFAR10 datasets. The results constitute a fundamental advance in the theoretical understanding of adversarial examples, and open the way to a thorough theoretical characterization of the relation between network architecture and robustness to adversarial perturbations.
Adversarial Robustness Guarantees for Random Deep Neural Networks / Giacomo De Palma; Bobak Kiani; Seth Lloyd. - ELETTRONICO. - 139:(2021), pp. 2522-2534. (Intervento presentato al convegno 38th International Conference on Machine Learning tenutosi a Online nel 18-24 lug 2021).
Adversarial Robustness Guarantees for Random Deep Neural Networks
Giacomo De Palma
Primo
;
2021
Abstract
The reliability of deep learning algorithms is fundamentally challenged by the existence of adversarial examples, which are incorrectly classified inputs that are extremely close to a correctly classified input. We explore the properties of adversarial examples for deep neural networks with random weights and biases, and prove that for any p≥1, the ell^p distance of any given input from the classification boundary scales as one over the square root of the dimension of the input times the ell^p norm of the input. The results are based on the recently proved equivalence between Gaussian processes and deep neural networks in the limit of infinite width of the hidden layers, and are validated with experiments on both random deep neural networks and deep neural networks trained on the MNIST and CIFAR10 datasets. The results constitute a fundamental advance in the theoretical understanding of adversarial examples, and open the way to a thorough theoretical characterization of the relation between network architecture and robustness to adversarial perturbations.| File | Dimensione | Formato | |
|---|---|---|---|
|
Adversarial Robustness Guarantees for Random Deep Neural Networks.pdf
accesso aperto
Tipo:
Versione (PDF) editoriale
Licenza:
Licenza per accesso libero gratuito
Dimensione
952.7 kB
Formato
Adobe PDF
|
952.7 kB | Adobe PDF | Visualizza/Apri |
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
