Robustness of classifiers: from adversarial to random noise

2016·arXiv

Abstract

Several recent works have shown that state-of-the-art classifiers are vulnerable to worst-case (i.e., adversarial) perturbations of the datapoints. On the other hand, it has been empirically observed that these same classifiers are relatively robust to random noise. In this paper, we propose to study a semi-random noise regime that generalizes both the random and worst-case noise regimes. We propose the first quantitative analysis of the robustness of nonlinear classifiers in this general noise regime. We establish precise theoretical bounds on the robustness of classifiers in this general regime, which depend on the curvature of the classifier’s decision boundary. Our bounds confirm and quantify the empirical observations that classifiers satisfying curvature constraints are robust to random noise. Moreover, we quantify the robustness of classifiers in terms of the subspace dimension in the semi-random noise regime, and show that our bounds remarkably interpolate between the worst-case and random noise regimes. We perform experiments and show that the derived bounds provide very accurate estimates when applied to various state-of-the-art deep neural networks and datasets. This result suggests bounds on the curvature of the classifiers’ decision boundaries that we support experimentally, and more generally offers important insights onto the geometry of high dimensional classification problems.

1 Introduction

State-of-the-art classifiers, especially deep networks, have shown impressive classification performance on many challenging benchmarks in visual tasks [10] and speech processing [8]. An equally important property of a classifier that is often overlooked is its robustness in noisy regimes, when data samples are perturbed by noise. The robustness of a classifier is especially fundamental when it is deployed in real-world, uncontrolled, and possibly hostile environments. In these cases, it is crucial that classifiers exhibit good robustness properties. In other words, a sufficiently small perturbation of a datapoint should ideally not result in altering the estimated label of a classifier. State-of-the-art deep neural networks have recently been shown to be very unstable to worst-case perturbations of the data (or equivalently, adversarial perturbations) [18]. In particular, despite the excellent classification performances of these classifiers, well-sought perturbations of the data can easily cause misclassification, since data points often lie very close to the decision boundary of the classifier. Despite the importance of this result, the worst-case noise regime that is studied in [18] only represents a very specific type of noise. It furthermore requires the full knowledge of the classification model, which may be a hard assumption in practice.

In this paper, we precisely quantify the robustness of nonlinear classifiers in two practical noise regimes, namely random and semi-random noise regimes. In the random noise regime, datapoints are perturbed by noise with random direction in the input space. The semi-random regime generalizes this model to random subspaces of arbitrary dimension, where a worst-case perturbation is sought within the subspace. In both cases, we derive bounds that precisely describe the robustness of classifiers in function of the curvature of the decision boundary. We summarize our contributions as follows:

• In the random regime, we show that the robustness of classifiers behaves astimes the distance from the datapoint to the classification boundary (where d denotes the dimension of the data) provided the curvature of the decision boundary is sufficiently small. This result highlights the blessing of dimensionality for classification tasks, as it implies that robustness to random noise in high dimensional classification problems can be achieved, even at datapoints that are very close to the decision boundary.

• This quantification notably extends to the general semi-random regime, where we show that the robustness precisely behaves as �d/m times the distance to boundary, with m the dimension of the subspace. This result shows in particular that, even when m is chosen as a small fraction of the dimension d, it is still possible to find small perturbations that cause data misclassification.

• We empirically show that our theoretical estimates are very accurately satisfied by state-of-the-art deep neural networks on various sets of data. This in turn suggests quantitative insights on the curvature of the decision boundary that we support experimentally through the visualization and estimation on two-dimensional sections of the boundary.

The robustness of classifiers to noise has been the subject of intense research. The robustness properties of SVM classifiers have been studied in [20] for example, and robust optimization approaches for constructing robust classifiers have been proposed to minimize the worst possible empirical error under noise disturbance [1, 11]. More recently, following the recent results on the instability of deep neural networks to worst-case perturbations [18], several works have provided explanations of the phenomenon [4, 6, 15, 19], and designed more robust networks [7, 9, 21, 14, 16, 13]. In [19], the authors provide an interesting empirical analysis of the adversarial instability, and show that adversarial examples are not isolated points, but rather occupy dense regions of the pixel space. In [5], state-of-the-art classifiers are shown to be vulnerable to geometrically constrained adversarial examples. Our work differs from these works, as we provide a theoretical study of the robustness of classifiers to random and semi-random noise in terms of the robustness to adversarial noise. In [4], a formal relation between the robustness to random noise, and the worst-case robustness is established in the case of linear classifiers. Our result therefore generalizes [4] in many aspects, as we study general nonlinear classifiers, and robustness to semi-random noise. Finally, it should be noted that the authors in [6] conjecture that the “high linearity” of classification models explains their instability to adversarial perturbations. The objective and approach we follow here is however different, as we study theoretical relations between the robustness to random, semi-random and adversarial noise.

2 Deﬁnitions and notations

Let f : Rd → RL be an L -class classifier. Given a datapoint x0 ∈ Rd , the estimated label is obtained by ˆk(x0) = argmaxk fk(x0), where fk(x) is the kth component of f(x) that corresponds to the kth class. Let S be an arbitrary subspace of of dimension m. Here, we are interested in quantifying the robustness of f with respect to different noise regimes. To do so, we define r∗S to be the perturbation in S of minimal norm that is required to change the estimated label of f at x0.2

When S = Rd, r∗(x0) := r∗Rd(x0) is the adversarial (or worst-case) perturbation defined in [18], which corresponds to the (unconstrained) perturbation of minimal norm that changes the label of the datapoint . In other words, ∥r∗(x0)∥2 corresponds to the minimal distance from to the classifier boundary. In the case where S ⊂ Rd , only perturbations along S are allowed. The robustness of f at along S is naturally measured by the norm ∥r∗S(x0)∥2 . Different choices for S permit to study the robustness of f in two different regimes:

• Random noise regime: This corresponds to the case where S is a one-dimensional subspace (m = 1) with direction v, where v is a random vector sampled uniformly from the unit sphere Sd−1 . Writing it explicitly, we study in this regime the robustness quantity defined by mint |t| s.t. ∃k ̸= ˆk(x0), fk(x0 + tv) ≥ fˆk(x0)(x0 + tv) , where v is a vector sampled uniformly at random from the unit sphere Sd−1.

• Semi-random noise regime: In this case, the subspace S is chosen randomly, but can be ofarbitrary dimension m.3 We use the semi-random terminology as the subspace is chosen randomly, and the smallest vector that causes misclassification is then sought in the subspace. It should be noted that the random noise regime is a special case of the semi-random regime with a subspace of dimension m = 1. We differentiate nevertheless between these two regimes for clarity.

In the remainder of the paper, the goal is to establish relations between the robustness in the random and semi-random regimes on the one hand, and the robustness to adversarial perturbations ∥r∗(x0)∥2 on the other hand. We recall that the latter quantity captures the distance from to the classifier boundary, and is therefore a key quantity in the analysis of robustness.

In the following analysis, we fix to be a datapoint classified as ˆk(x0) . To simplify the notation, we remove the explicit dependence on in our notations (e.g., we use r∗S instead of r∗S(x0) and ˆk instead of ˆk(x0) ), and it should be implicitly understood that all our quantities pertain to the fixed datapoint x0.

3 Robustness of afﬁne classiﬁers

We first assume that f is an affine classifier, i.e., f(x) = W⊤x + b for a given W = [w1 . . . wL] and b ∈ RL.

The following result shows a precise relation between the robustness to semi-random noise, ∥r∗S∥2 and the robustness to adversarial perturbations, ∥r∗∥2.

Theorem 1. Let δ > 0 and S be a random m-dimensional subspace of Rd, and f be a L -class affine classifier. Let

The following inequalities hold between the robustness to semi-random noise ∥r∗S∥2 , and the robust- ness to adversarial perturbations ∥r∗∥2:

with probability exceeding 1 − 2(L + 1)δ.

Figure 1: ζ1(m, δ) and ζ2(m, δ) in function of m [δ = 0.05] .

The proof can be found in the appendix. Our upper and lower bounds depend on the functions ζ1(m, δ) and ζ2(m, δ) that control the inequality constants (for m, δ fixed). It should be noted that and are independent of the data dimension d. Fig. 1 shows the plots of and as functions of m, for a fixed . It should be noted that for sufficiently large m, ζ1(m, δ) and are very close to 1 (e.g., and belong to the interval [0.8, 1.3] for m ≥ 250 in the settings of Fig. 1). The interval [ζ1(m, δ), ζ2(m, δ)] is however (unavoidably) larger when m = 1.

The result in Theorem 1 shows that in the random and semi-random noise regimes, the robustness to noise is precisely related to ∥r∗∥2 by a factor of �d/m . Specifically, in the random noise regime (m = 1), the magnitude of the noise required to misclassify the datapoint behaves as Θ(√d∥r∗∥2) with high probability, with constants in the interval [ζ1(1, δ), ζ2(1, δ)] . Our results therefore show that, in high dimensional classification settings, affine classifiers can be robust to random noise, even if the datapoint lies very closely to the decision boundary (i.e., is small). In the semi-random noise regime with m sufficiently large (e.g., m ≥ 250 ), we have ∥r∗S∥2 ≈�d/m∥r∗∥2 with high probability, as the constants ζ1(m, δ) ≈ ζ2(m, δ) ≈ 1 for sufficiently large m. Our bounds therefore “interpolate” between the random noise regime, which behaves as √d∥r∗∥2 , and the worst-case noise . More importantly, the square root dependence is also notable here, as it shows that the semi-random robustness can remain small even in regimes where m is chosen to be a very small fraction of d. For example, choosing a small subspace of dimension m = 0.01d results in semi-random robustness of 10∥r∗∥2 with high probability, which might still not be perceptible in complex visual tasks. Hence, for semi-random noise that is mostly random and only mildly adversarial (i.e., the subspace dimension is small), affine classifiers remain vulnerable to such noise.

4 Robustness of general classiﬁers

4.1 Decision boundary curvature

We now consider the general case where f is a nonlinear classifier. We derive relations between the random and semi-random robustness ∥r∗S∥2 and worst-case robustness ∥r∗∥2 using properties of the classifier’s boundary. Let i and j be two arbitrary classes; we define the pairwise boundary Bi,j as the boundary of the binary classifier where only classes i and j are considered. Formally, the decision boundary Bi,j reads as follows:

The boundary Bi,j separates between two regions of , namely and , where the estimated label of the binary classifier is respectively i and j. Specifically, we have

Figure 2: Illustration of the quantities introduced for the definition of the curvature of the decision boundary.

We assume for the purpose of this analysis that the boundary Bi,j is smooth. We are now interested in the geometric properties of the boundary, namely its curvature. There are many notions of curvature that one can define on hypersurfaces [12]. In the simple case of a curve in a two-dimensional space, the curvature is defined as the inverse of the radius of the so-called oscullating circle. One way to define curvature for high-dimensional hypersurfaces is by taking normal sections of the hypersurface, and looking at the curvature of the resulting planar curve (see Fig. 4). We however introduce a notion of curvature that is specifically suited to the analysis of the decision boundary of a classifier. Informally, our curvature captures the global bending of the decision boundary by inscribing balls in the regions separated by the decision boundary.

We now formally define this notion of curvature. For a given p ∈ Bi,j, we define qi ∥ j(p) to be the radius of the largest open ball included in the region that intersects with Bi,j at p; i.e.,

where B(z, ∥z − p∥2) is the open ball in Rd of center z and radius . An illustration of this quantity in two dimensions is provided in Fig. 2. It is not hard to see that any ball B(z∗, ∥z∗ − p∥2) centered in and included in will have its tangent space at p coincide with the tangent of the decision boundary at the same point.

It should further be noted that the definition in Eq. (6) is not symmetric in i and j; i.e., qi ∥ j(p) ̸= qj ∥ i(p) as the radius of the largest ball one can inscribe in both regions need not be equal. We therefore define the following symmetric quantity qi,j(p) , where the worst-case ball inscribed in any of the two regions is considered:

This definition describes the curvature of the decision boundary locally at p by fitting the largest ball included in one of the regions. To measure the global curvature, the worst-case radius is taken over all points on the decision boundary, i.e.,

The curvature κ(Bi,j) is simply defined as the inverse of the worst-case radius over all points p on the decision boundary.

Figure 3: Binary classification example where the boundary is a union of two sufficiently distant spheres. In this case, the curvature is κ(Bi,j) = 1/R, where R is the radius of the circles.

Figure 4: Normal section of the boundary Bi,j with respect to plane U = span(n, u), where n is the normal to the boundary at p, and u is an arbitrary in the tangent space Tp(Bi,j).

In the case of affine classifiers, we have κ(Bi,j) = 0 , as it is possible to inscribe balls of infinite radius inside each region of the space. When the classification boundary is a union of (sufficiently distant) spheres with equal radius R (see Fig. 3), the curvature κ(Bi,j) = 1/R . In general, the quantity provides an intuitive way of describing the nonlinearity of the decision boundary by fitting balls inside the classification regions.

In the following section, we show a precise characterization of the robustness to semi-random and random noise of nonlinear classifiers in terms of the curvature of the decision boundaries κ(Bi,j).

4.2 Robustness to random and semi-random noise

We now establish bounds on the robustness to random and semi-random noise in the binary classifi-cation case. Let be a datapoint classified as ˆk = ˆk(x0) . We first study the binary classification problem, where only classes $ˆk and k ∈ {1, . . . , L}\{ˆk}$ are considered. To simplify the notation, we let Bk := Bk,ˆk be the decision boundary between classes k and ˆk . In the case of the binary classifi-cation problem where classes are considered, the semi-random robustness and adversarial (or worst-case) robustness defined in Eq. (2) can be re-written as follows:

For a randomly chosen subspace, ∥rkS∥2 is the random or semi-random robustness of the classifier, in the setting where only the two classes k and ˆk are considered. Likewise, ∥rk∥2 denotes the worst-case robustness in this setting. It should be noted that the global quantities r∗S and are obtained from rkS and rk by taking the vectors with minimum norm over all classes k.

The following result gives upper and lower bounds on the ratio ∥rkS∥2∥rk∥2 in function of the curvature of the boundary separating class k and ˆk.

Theorem 2. Let S be a random m-dimensional subspace of Rd. Let κ := κ(Bk) . Assuming that the curvature satisfies

the following inequality holds between the semi-random robustness ∥rkS∥2 and the adversarial robustness ∥rk∥2:

with probability larger than 1 − 4δ . We recall that ζ1(m, δ) and ζ2(m, δ) are defined in Eq. (3, 4). The constants are C = 0.2, C1 = 0.625, C2 = 2.25.

The proof can be found in the appendix. This result shows that the bounds relating the robustness to random and semi-random noise to the worst-case robustness can be extended to nonlinear classifiers, provided the curvature of the boundary κ(Bk) is sufficiently small. In the case of linear classifiers, we have κ(Bk) = 0 , and we recover the result for affine classifiers from Theorem 1.

To extend this result to multi-class classification, special care has to be taken. In particular, if k denotes a class that has no boundary with class , we have ∥rk∥2 = ∞ , and the previous curvature condition cannot be satisfied. It is therefore crucial to exclude such classes that have no boundary in common with class , or more generally, boundaries that are far from class . We define the set A of excluded classes k where ∥rk∥2 is large

Note that A is independent of S, and depends only on d, m and . Moreover, the constants in (11) were chosen for simplicity of exposition.

Assuming a curvature constraint only on the close enough classes, the following result establishes a simplified relation between ∥r∗S∥2 and ∥r∗∥2.

Corollary 1. Let S be a random m-dimensional subspace of . Assume that, for all k /∈ A , we have

Then, we have

with probability larger than 1 − 4(L + 2)δ.

Under the curvature condition in (12) on the boundaries between and classes in , our result shows that the robustness to random and semi-random noise exhibits the same behavior that has been observed earlier for linear classifiers in Theorem 1. In particular, ∥r∗S∥2 is precisely related to the adversarial robustness ∥r∗∥2 by a factor of �d/m . In the random regime (m = 1), this factor becomes, and shows that in high dimensional classification problems, classifiers with sufficiently flat boundaries are much more robust to random noise than to adversarial noise. More precisely, the addition of a sufficiently small random noise does not change the label of the image, even if the image lies very closely to the decision boundary (i.e., ∥r∗∥2 is small). However, in the semi-random regime where an adversarial perturbation is found on a randomly chosen subspace of dimension m, the �d/m factor that relates ∥r∗S∥2 to shows that robustness to semi-random noise might not be achieved even if m is chosen to be a tiny fraction of d (e.g., m = 0.01d). In other words, if a classifier is highly vulnerable to adversarial perturbations, then it is also vulnerable to noise that is overwhelmingly random and only mildly adversarial (i.e. worst-case noise sought in a random subspace of low dimensionality m).

It is important to note that the curvature condition in (12) is not an assumption on the curvature of the global decision boundary, but rather an assumption on the decision boundaries between pairs of classes. The distinction here is significant, as junction points where two decision boundaries meet might actually have a very large (or infinite) curvature (even in linear classification settings), and the curvature condition in (12) typically does not hold for this global curvature definition. We refer to our experimental section for a visualization of this phenomenon.

We finally stress that our results in Theorem 2 and Corollary 1 are applicable to any classifier, provided the decision boundaries are smooth. If we assume prior knowledge on the considered family of classifiers and their decision boundaries (e.g., the decision boundary is a union of spheres in Rd), similar bounds can further be derived under less restrictive curvature conditions (compared to Eq. (12)).

5 Experiments

5.1 Experimental results

We now evaluate the robustness of different image classifiers to random and semi-random perturbations, and assess the accuracy of our bounds on various datasets and state-of-the-art classifiers.

Table 1: β(f; m) for different classifiers f and different subspace dimensions m. The VGG-F and VGG-19 are respectively introduced in [2, 17].

Specifically, our theoretical results show that the robustness ∥r∗S(x)∥2 of classifiers satisfying the curvature property precisely behaves as �d/m∥r∗(x)∥2 . We first check the accuracy of these results in different classification settings. For a given classifier f and subspace dimension m, we define

where S is chosen randomly for each sample x and D denotes the test set. This quantity provides indication to the accuracy of our �d/m∥r∗(x)∥2 estimate of the robustness, and should ideally be equal to 1 (for sufficiently large m). Since β is a random quantity (because of S), we report both its mean and standard deviation for different networks in Table 1. It should be noted that finding ∥r∗S∥2 and ∥r∗∥2 involves solving the optimization problem in (1). We have used a similar approach to [14] to find subspace minimal perturbations. For each network, we estimate the expectation by averaging β(f; m) on 1000 random samples, with S also chosen randomly for each sample.

Observe that is suprisingly close to 1, even when m is a small fraction of d. This shows that our quantitative analysis provide very accurate estimates of the robustness to semi-random noise. We visualize the robustness to random noise, semi-random noise (with m = 10) and worst-case perturbations on a sample image in Fig. 5. While random noise is clearly perceptible due to the √d ≈ 400 factor, semi-random noise becomes much less perceptible even with a relatively small value of m = 10, thanks to the 1/√m factor that attenuates the required noise to misclassify the datapoint. It should be noted that the robustness of neural networks to adversarial perturbations has previously been observed empirically in [18], but we provide here a quantitative and generic explanation for this phenomenon.

Figure 5: (a) Original image classified as “Cauliflower”. Fooling perturbations for VGG-F network: (b) Random noise, (c) Semi-random perturbation with m = 10, (d) Worst-case perturbation, all wrongly classified as “Artichoke”.

The high accuracy of our bounds for different state-of-the-art classifiers, and different datasets suggest that the decision boundaries of these classifiers have limited curvature κ(Bk) , as this is a key assumption of our theoretical findings. To support the validity of this curvature hypothesis in practice, we visualize two-dimensional sections of the classifiers’ boundary in Fig. 6 in three different settings. Note that we have opted here for a visualization strategy rather than the numerical estimation of κ(B) , as the latter quantity is difficult to approximate in practice in high dimensional problems. In Fig. 6, is chosen randomly from the test set for each data set, and the decision boundaries are shown in the plane spanned by and r∗S , where S is a random direction (i.e., m = 1). Different colors on the boundary correspond to boundaries with different classes. It can be observed that the curvature of the boundary is very small except at “junction” points where the boundary of two different classes intersect. Our curvature assumption in Eq. (12), which only assumes a bound on the curvature of the decision boundary between pairs of classes ˆk(x0) and k (but not on the global decision boundary that contains junctions with high curvature) is therefore adequate to the decision boundaries of state-of-the-art classifiers according to Fig. 6. Interestingly, the assumption in Corollary 1 is satisfied by taking to be an empirical estimate of the curvature of the planar curves in Fig. 6 (a) for the dimension of the subspace being a very small fraction of d; e.g., m = 10−3d . While not reflecting the curvature κ(Bk) that drives the assumption of our theoretical analysis, this result still seems to suggest that the curvature assumption holds in practice, and that the curvature of such classifiers is therefore very small. It should be noted that a related empirical observation was made in [6]; our work however provides a precise quantitative analysis on the relation between the curvature and the robustness in the semi-random noise regime.

Figure 6: Boundaries of three classifiers near randomly chosen samples. Axes are normalized by the corresponding ∥r∗∥2 since our assumption in the theoretical bound (Corollary 1) depends on the product of ∥r∗∥2κ . Note the difference in range between x and y axes. Note also that the range of horizontal axis in (c) is much smaller than the other two, hence the illustrated boundary is more curved.

We now show a simple demonstration of the vulnerability of classifiers to semi-random noise in Fig. 7, where a structured message is hidden in the image and causes data misclassification. Specifically, we consider S to be the span of random translated and scaled versions of words “NIPS”, “SPAIN” and “2016” in an image, such that ⌊d/m⌋ = 228 . The resulting perturbations in the subspace are therefore linear combinations of these words with different intensities.4 The perturbed image x0 +r∗S shown in Fig. 7 (c) is clearly indistinguishable from Fig. 7 (a). This shows that imperceptibly small structured messages can be added to an image causing data misclassification.

6 Conclusion

In this work, we precisely characterized the robustness of classifiers in a novel semi-random noise regime that generalizes the random noise regime. Specifically, our bounds relate the robustness in this regime to the robustness to adversarial perturbations. Our bounds depend on the curvature of the decision boundary, the data dimension, and the dimension of the subspace to which the perturbation belongs. Our results show, in particular, that when the decision boundary has a small curvature, classifiers are robust to random noise in high dimensional classification problems (even if the robustness to adversarial perturbations is relatively small). Moreover, for semi-random noise that is mostly random and only mildly adversarial (i.e., the subspace dimension is small), our results show that state-of-the-art classifiers remain vulnerable to such perturbations. To improve the robustness to semi-random noise, our analysis encourages to impose geometric constraints on the curvature of the decision boundary, as we have shown the existence of an intimate relation between the robustness of classifiers and the curvature of the decision boundary.

Figure 7: A fooling hidden message, S consists of linear combinations of random words.

Acknowledgments

We would like to thank the anonymous reviewers for their helpful comments. We thank Omar Fawzi and Louis Merlin for the fruitful discussions. We also gratefully acknowledge the support of NVIDIA Corporation with the donation of the Tesla K40 GPU used for this research. This work has been partly supported by the Hasler Foundation, Switzerland, in the framework of the CORA project.

References

[1] Caramanis, C., Mannor, S., and Xu, H. (2012). Robust optimization in machine learning. In Sra, S., Nowozin, S., and Wright, S. J., editors, Optimization for machine learning, chapter 14. Mit Press.

[2] Chatfield, K., Simonyan, K., Vedaldi, A., and Zisserman, A. (2014). Return of the devil in the details: Delving deep into convolutional nets. In British Machine Vision Conference.

[3] Dasgupta, S. and Gupta, A. (2003). An elementary proof of a theorem of johnson and lindenstrauss. Random Structures & Algorithms, 22(1):60–65.

[4] Fawzi, A., Fawzi, O., and Frossard, P. (2015). Analysis of classifiers’ robustness to adversarial perturbations. CoRR, abs/1502.02590.

[5] Fawzi, A. and Frossard, P. (2015). Manitest: Are classifiers really invariant? In British Machine Vision Conference (BMVC), pages 106.1–106.13.

[6] Goodfellow, I. J., Shlens, J., and Szegedy, C. (2015). Explaining and harnessing adversarial examples. In International Conference on Learning Representations (ICLR).

[7] Gu, S. and Rigazio, L. (2014). Towards deep neural network architectures robust to adversarial examples. arXiv preprint arXiv:1412.5068.

[8] Hinton, G. E., Deng, L., Yu, D., Dahl, G. E., Mohamed, A., Jaitly, N., Senior, A., Vanhoucke, V., Nguyen, P., Sainath, T. N., and Kingsbury, B. (2012). Deep neural networks for acoustic modeling in speech recognition: The shared views of four research groups. IEEE Signal Process. Mag., 29(6):82–97.

[9] Huang, R., Xu, B., Schuurmans, D., and Szepesvári, C. (2015). Learning with a strong adversary. CoRR, abs/1511.03034.

[10] Krizhevsky, A., Sutskever, I., and Hinton, G. E. (2012). Imagenet classification with deep convolutional neural networks. In Advances in neural information processing systems (NIPS), pages 1097–1105.

[11] Lanckriet, G., Ghaoui, L., Bhattacharyya, C., and Jordan, M. (2003). A robust minimax approach to classification. The Journal of Machine Learning Research, 3:555–582.

[12] Lee, J. M. (2009). Manifolds and differential geometry, volume 107. American Mathematical Society Providence.

[13] Luo, Y., Boix, X., Roig, G., Poggio, T., and Zhao, Q. (2015). Foveation-based mechanisms alleviate adversarial examples. arXiv preprint arXiv:1511.06292.

[14] Moosavi-Dezfooli, S.-M., Fawzi, A., and Frossard, P. (2016). Deepfool: a simple and accurate method to fool deep neural networks. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR).

[15] Sabour, S., Cao, Y., Faghri, F., and Fleet, D. J. (2016). Adversarial manipulation of deep representations. In International Conference on Learning Representations (ICLR).

[16] Shaham, U., Yamada, Y., and Negahban, S. (2015). Understanding adversarial training: Increasing local stability of neural nets through robust optimization. arXiv preprint arXiv:1511.05432.

[17] Simonyan, K. and Zisserman, A. (2014). Very deep convolutional networks for large-scale image recognition. In International Conference on Learning Representations (ICLR).

[18] Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. (2014). Intriguing properties of neural networks. In International Conference on Learning Representations (ICLR).

[19] Tabacof, P. and Valle, E. (2016). Exploring the space of adversarial images. IEEE International Joint Conference on Neural Networks.

[20] Xu, H., Caramanis, C., and Mannor, S. (2009). Robustness and regularization of support vector machines. The Journal of Machine Learning Research, 10:1485–1510.

[21] Zhao, Q. and Griffin, L. D. (2016). Suppressing the unusual: towards robust cnns using symmetric activation functions. arXiv preprint arXiv:1603.05145.

Appendix

A.1 Proof of Theorem 1 (affine classifiers)

Lemma 1 ([3]). Let Y be a point chosen uniformly at random from the surface of the d-dimensional sphere Sd−1 . Let the vector Z be the projection of Y onto its first m coordinates, with m < d. Then,

Lemma 2. Let v be a random vector uniformly drawn from the unit sphere Sd−1, and Pm be the projection matrix onto the first m coordinates. Then,

δ2/m . It is easy to see that when β = 1eδ2/m , the inequality holds. Note however that 1eδ2/m does not converge to 1 as m → ∞ . We therefore need to derive a tighter bound for this regime. Using the inequality β exp(1 − β) ≤ 1 − 12(1 − β)2 for 0 ≤ β ≤ 1 , it follows that the inequality β exp(1 − β) ≤ δ2/m holds for β = 1 −�2(1 − δ2/m) . In this case, we have 1 −�2(1 − δ2/m) → 1, as m → ∞ . We take our lower bound to be the max of both derived bounds (the latter is more appropriate for large m, whereas the former is tighter for small m).

For , note that the requirement β exp(1 − β) ≤ δ2/m is equivalent to − ln(β) + (β − 1) ≥ 2m ln(1/δ). By setting β = β2(δ, m) , this condition is equivalent to 2

Theorem 1. Let S be a random m-dimensional subspace of . The following inequalities hold between the norms of semi-random perturbation r∗S and the worst-case perturbation r∗. Let ζ1(m, δ) = 1β2(m,δ), and ζ2(m, δ) = 1β1(m,δ).

Proof. For the linear case, r∗ and r∗S can be computed in closed form. We recall that, for any subspace S, we have

The projection of a fixed vector in Sd−1 onto a random m dimensional subspace is equivalent (up to a unitary transformation U) to the projection of a random vector uniformly sampled from Sd−1 into a fixed subspace. Let be the projection onto the first m coordinates. We have

Figure 8: Bounding ∥xγ − x∥2 in terms of

Proof. Let p := arg mini ∥ri∥2 . Note that we have P�∥r∗S∥2∥r∗∥2 ≥ u�≤ P� ∥rpS∥2∥rp∥2 ≥ u�≤ δ . Moreover, we use a union bound to bound the the other bad event probability:

A.2 Proof of Theorem 2 and Corollary 1 (nonlinear classifiers)

First, we present an important geometric lemma and then use it to bound ∥r∗S∥2 . For the sake of the general readability of the section, some auxiliary results are given in Section A.3.

In the following result, we show that, when the curvature of a planar curve is constant and sufficiently small, the distance between a point x and the curve at a specific direction is well approximated by the distance between x and a straight line (see Fig. 8 for an illustration).

Lemma 4. Let be a planar curve of constant curvature . We denote by r the distance between a point x and the curve . Denote moreover by T the tangent to at the closest point to x (see Fig. 8). Let be the angle between u and v as depicted in Fig. 8. We assume that rκ < 1. We have

Proof of upper bound. We consider two distinct cases for the curve . In the case where is concave-shaped (Fig. 8, right figure), we have

and the upper bound in Eq. (33) directly holds. We therefore focus on the case where is convex-shaped as illustrated in the left figure of Fig. 8. Define R := 1/κ , one can write using simple geometric inspection

We have ∆ ≥ 0 as θ satisfies the two assumptions tan2(θ) ≤ 0.2R/r and r/R < 1 . The smallest solution of this second order equation is given as follows

Proof of lower bound. When the curve is convex shaped (Fig. 8 left), we have ∥xγ − x∥2 ≥ ∥u∥2, and the desired lower bound holds. We focus therefore on the case where has a concave shape, and coincides with with (see Fig. 8 right). The following equation holds using simple geometric arguments

Figure 9: Left: To prove the upper bound, we consider a ball B included in that intersects with the boundary at . Upper bounds on ∥rkS∥2 derived when the boundary is are also valid upper bounds for the real boundary . Right: Normal section to the decision boundary Bk = ∂B along the normal plane U = span�rTS , rk� . We denote by the normal section of boundary , along the plane U, and by Tx∗Bk the tangent space to the sphere ∂B at x∗.

We now use the previous lemma to bound the semi-random robustness of the classifier, i.e. ∥rkS∥2, to the worst-case robustness ∥rk∥2 in the case where the curvature is sufficiently small.

Theorem 2. Let S be a random m-dimensional subspace of Rd. Define α :=�m/d, and let κ := κ(Bk). Assuming that κ ≤ Cα2ζ2(m,δ)∥rk∥2 , the following inequalities hold between ∥rkS∥2 and the worst-case perturbation

∥ rk∥2

Proof of upper bound. Denote by the point belonging to the boundary that is closest to the original data point . By definition of the curvature (see Eq. 7), there exists a point such that the ball B centered at and of radius 1/κ = ∥z∗ − x∗∥2 is inscribed in the region Rk = {x ∈ Rd : fk(x) > fˆk(x0)(x)} (see Fig. 9 (a)).5

Observe that the worst-case perturbation along any subspace S that reaches the ball B is larger than the perturbation along S that reaches the region Rk, as B ⊆ Rk . Therefore, any upper bound derived when the boundary is the sphere of radius 1/κ; i.e., Bk = ∂B is also a valid upper bound for boundary (see Fig. 9 (a)). It is therefore sufficient to derive an upper bound in the worst case scenario where the boundary Bk = ∂B, and we consider this case for the remainder of the proof of the upper bound.

We now consider the linear classifier whose boundary is tangent to Bk at x∗ . For the random subspace S, we denote by rTS the worst-case subspace perturbation for this linear classifier. We then focus on the intersection between the boundary and the two-dimensional plane U spanned by the vectors rk and rTS . This normal section of the boundary cuts the ball B through its center as the tangent spaces of the decision boundary and the ball coincide. See Fig. 9 for a clarifying figure of this two-dimensional cross-section. We define the angle ˆθ as denoted in Fig. 9, such that cos(ˆθ) = ∥rk∥2∥rTS ∥2 .

with probability exceeding 1 − 2δ . Hence, using tan2(ˆθ) ≤ (cos2(ˆθ))−1 and the assumption of the theorem, we deduce that

Hence, the assumptions of Lemma 4 hold with probability larger than 1 − 2δ . Using the notations of Fig. 9, we therefore obtain from Lemma 4

Proof of the lower bound. We now consider the ball B′ of center z∗ and radius 1/κ = ∥z∗ − x∗∥2 that is included in the region Rˆk(x0) . Since the ball is, by definition, included in the region , the worst-case scenario for the lower bound on ∥rkS∥2 occurs whenever the decision boundary coincides with the ball (see Fig. 10 (a)). We consider this case in the remainder of the proof.

To derive the lower bound, we consider the cross-section spanned by the vectors rkS and rk (Fig. 10 (b)). We have ∥rk∥2κ < 1 ; using the lower bound of Lemma 4, we obtain

Let rTS denote the worst-case perturbation belonging to subspace S for the linear classifier Tx∗Bk . It is not hard to see that rTS is collinear to rkS (see Lemma 6 for a proof). Hence, we have rTS = xT − x0 . By applying our result on linear classifiers in Theorem 1 for the tangent classifier Tx∗Bk, we have:

Figure 10: Left: To prove the lower bound, we consider a ball included in Rˆk(x0) that intersects with the boundary at . Lower bounds on ∥rkS∥2 derived when the boundary is the sphere ∂B′ are also valid lower bounds for the real boundary . Right: Cross section of the problem along the plane U′ = span�rkS, rk�. γ denotes the normal section of Bk = B′ along the plane U′.

The goal is now to extend the previous result, derived for binary classifiers, to the multiclass classification case. To do so, we show the following lemma. Lemma 5 (Binary case to multiclass). Let p = arg mini ∥ri∥2 . Define the deterministic set

Proof. Using Theorem 2, we have that for all k /∈ A , the result in Eq. (52) holds. We simplify the result with the assumption κ(Bk)∥r∥2 ≤ 0.2ζ2(m,δ)md . Hence, the bounds of Theorem 2 are given as follows

A.3 Useful results

Figure 11: The worst-case perturbation in the subspace S when the decision boundary is and Tx∗(∂B) (denoted respectively by rBS and rTS ) are collinear.

Lemma 6. Let x0 ∈ Rd, and x∗ denote the closest point to on the sphere (see Fig. 11). Let Tx∗(∂B) be the tangent space to ∂B at x∗ . For an arbitrary subspace S, let rTS and rBS denote the worst-case perturbations of on the subspace S, when the decision boundaries are respectively Tx∗(∂B) and ∂B . Then, the two perturbations are collinear.

Proof. Assuming the center of the ball B is the origin, the points on the sphere satisfy equation: ∥x∥2 = R, where R denotes the radius. Hence, the perturbation rBS is given by

By equating the gradient of Lagrangian of the above constrained optimization problem to zero, we obtain the following necessary optimality condition

It should further be noted that PSrBS = rBS . Indeed, if rBS had a component orthogonal to S, the projection of rBS onto S would have strictly lower norm, while still satisfying the condition in Eq.(72). Hence, the necessary condition of optimality becomes

It should further be noted that rTS can be computed in closed form, and is collinear to PS(x∗ − x0), which is itself collinear to , as the the center of the ball was assumed to be the origin. This concludes the proof.

Designed for Accessibility and to further Open Science