Explaining Adversarial Examples by Local Properties of Convolutional Neural Networks

Hamed H. Aghdam, Elnaz J. Heravi, Domenec Puig

2017

Abstract

Vulnerability of ConvNets to adversarial examples have been mainly studied by devising a solution for generating adversarial examples. Early studies suggested that sensitivity of ConvNets to adversarial examples are due to their non-linearity. Most recent studies explained that instability of ConvNet to these examples are because of their linear nature. In this work, we analyze some of local properties of ConvNets that are directly related to their unreliability to adversarial examples. We shows that ConvNets are not locally isotropic and symmetric. Also, we show that Mantel score of distance matrices in the input and output of a ConvNet is very low showing that topology of points located at a very close distance to a samples might significantly change by ConvNets. We also explain that non-linearity of topology changes in ConvNet are because they apply an affine transformation in each layer. Furthermore, we explain that despite the fact that global Lipschitz constant of a ConvNet might be greater than 1, it is locally less than 1 in most of adversarial examples.

References

1. Aghdam, H. H., Heravi, E. J., and Puig, D. (2015). Recognizing Traffic Signs using a Practical Deep Neural Network. In Robot 2015: Second Iberian Robotics Conference, pages 399-410, Lisbon. Springer.
2. Aghdam, H. H., Heravi, E. J., and Puig, D. (2016). Analyzing the Stability of Convolutional Neural Networks Against Image Degradation. In Proceedings of the 11th International Conference on Computer Vision Theory and Applications.
3. Ciresan, D., Meier, U., and Schmidhuber, J. (2012). Multicolumn deep neural networks for image classification. In 2012 IEEE Conference on Computer Vision and Pattern Recognition, number February, pages 3642- 3649. IEEE.
4. Goodfellow, I. J., Shlens, J., and Szegedy, C. (2015). Explaining and Harnessing Adversarial Examples. Iclr 2015, pages 1-11.
5. He, K., Zhang, X., Ren, S., and Sun, J. (2015). Deep Residual Learning for Image Recognition. In arXiv prepring arXiv:1506.01497.
6. Krizhevsky, A., Sutskever, I., and Hinton, G. (2012). Imagenet classification with deep convolutional neural networks. In Advances in neural information processing systems, pages 1097-1105. Curran Associates, Inc.
7. Simonyan, K. and Zisserman, A. (2015). Very Deep Convolutional Networks for Large-Scale Image Recognition. In International Conference on Learning Representation (ICLR), pages 1-13.
8. Szegedy, C., Reed, S., Sermanet, P., Vanhoucke, V., and Rabinovich, A. (2014a). Going deeper with convolutions. In arXiv preprint arXiv:1409.4842, pages 1-12.
9. Szegedy, C., Zaremba, W., and Sutskever, I. (2014b). Intriguing properties of neural networks.

Paper Citation

in Harvard Style

Aghdam H., Heravi E. and Puig D. (2017). Explaining Adversarial Examples by Local Properties of Convolutional Neural Networks . In Proceedings of the 12th International Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications - Volume 5: VISAPP, (VISIGRAPP 2017) ISBN 978-989-758-226-4, pages 226-234. DOI: 10.5220/0006123702260234

in Bibtex Style

@conference{visapp17,
author={Hamed H. Aghdam and Elnaz J. Heravi and Domenec Puig},
title={Explaining Adversarial Examples by Local Properties of Convolutional Neural Networks},
booktitle={Proceedings of the 12th International Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications - Volume 5: VISAPP, (VISIGRAPP 2017)},
year={2017},
pages={226-234},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006123702260234},
isbn={978-989-758-226-4},
}

in EndNote Style

TY - CONF
JO - Proceedings of the 12th International Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications - Volume 5: VISAPP, (VISIGRAPP 2017)
TI - Explaining Adversarial Examples by Local Properties of Convolutional Neural Networks
SN - 978-989-758-226-4
AU - Aghdam H.
AU - Heravi E.
AU - Puig D.
PY - 2017
SP - 226
EP - 234
DO - 10.5220/0006123702260234