Adversarial Robustness of Supervised Sparse Coding

NeurIPS 2020

Abstract

Several recent results provide theoretical insights into the phenomena of adversarial examples. Existing results, however, are often limited due to a gap between the simplicity of the models studied and the complexity of those deployed in practice. In this work, we strike a better balance by considering a model that involves learning a representation while at the same time giving a precise generalization bound and a robustness certificate.
Introduction
  • With machine learning applications becoming ubiquitous in modern-day life, there is growing concern about the robustness of the deployed models.
  • Other works address questions of learnability [Shafahi et al., 2018; Cullina et al., 2018; Bubeck et al., 2018; Tsipras et al., 2018] or sample complexity [Schmidt et al., 2018; Yin et al., 2018; Tu et al., 2019], in the hope of better characterizing the increased difficulty of learning hypotheses that are robust to adversarial attacks.
  • While many of these results are promising, the analysis is often limited to simple models.
Highlights
  • We focus our attention on the adversarial robustness of the supervised sparse coding model [Mairal et al., 2011], or task-driven dictionary learning, consisting of a linear classifier acting on the representation computed via a supervised sparse encoder (a minimal sketch of this pipeline appears after this list)
  • In this paper we study the adversarial robustness of the supervised sparse coding model from two main perspectives: we provide a bound for the robust risk of any hypothesis that achieves a minimum encoder gap over the samples, as well as a robustness certificate for the resulting end-to-end classifier
  • While our result does not provide a uniform learning bound over the hypothesis class, we have found empirically that regularized empirical risk minimization (ERM) does return hypotheses satisfying non-trivial encoder gaps
  • Even though this work focuses on sparse encoders, we believe similar principles could be generalized to other forms of representations in a supervised learning setting, providing a framework for the principled analysis of adversarial robustness of machine learning models
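Below is a minimal sketch of this end-to-end pipeline, under two stated assumptions: ISTA is used as the Lasso solver for φ_D (the solver is our choice, not prescribed above), and encoder_gap is a surrogate based on the slack of the Lasso optimality conditions, which may differ from the paper's exact definition.

    import numpy as np

    def soft_threshold(v, t):
        """Elementwise soft-thresholding, the proximal operator of the l1 norm."""
        return np.sign(v) * np.maximum(np.abs(v) - t, 0.0)

    def lasso_encoder(D, x, lam, n_iter=500):
        """phi_D(x) = argmin_z 0.5*||x - D z||^2 + lam*||z||_1, solved with ISTA."""
        step = 1.0 / np.linalg.norm(D, 2) ** 2  # 1/L, L = Lipschitz constant of the gradient
        z = np.zeros(D.shape[1])
        for _ in range(n_iter):
            z = soft_threshold(z - step * (D.T @ (D @ z - x)), step * lam)
        return z

    def predict(D, w, x, lam):
        """End-to-end classifier: y_hat = sign(w^T phi_D(x))."""
        return np.sign(w @ lasso_encoder(D, x, lam))

    def encoder_gap(D, x, lam, tol=1e-8):
        """ASSUMED surrogate for the encoder gap: the minimum slack
        lam - |d_i^T (x - D z*)| of the Lasso optimality conditions,
        taken over the inactive atoms i."""
        z = lasso_encoder(D, x, lam)
        slack = lam - np.abs(D.T @ (x - D @ z))
        return slack[np.abs(z) <= tol].min()

In this form, a larger encoder gap means every inactive atom is far from entering the support, which is what makes the computed representation stable under bounded perturbations of the input.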
Methods
  • The authors illustrate the robustness certificate guarantees on both synthetic and real data, as well as the trade-offs between the constants in the sample complexity result.
  • The authors construct samples from a separable binary distribution of k-sparse signals.
  • To this end, the authors employ a dictionary with 120 atoms in 100 dimensions with a mutual coherence of 0.054.
  • The authors enforce separability by drawing w at random from the unit ball, determining the labels as y = sign(w^T φ_D(x)), and discarding samples whose margin ρ is smaller than a pre-specified amount (0.05 in this case).
  • Because of the separable construction, the accuracy of the resulting classifier on clean data is 1 (a sketch of this construction follows this list).
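The following sketch mirrors this synthetic construction under a few assumptions: the dictionary is random Gaussian with unit-norm atoms (which only approximates the reported mutual coherence of 0.054), the sparsity level k and the value of λ are illustrative choices not specified above, and the margin is taken to be |w^T φ_D(x)|. It reuses lasso_encoder from the sketch above.

    import numpy as np

    rng = np.random.default_rng(0)
    n, m, k, lam, rho_min = 100, 120, 5, 0.2, 0.05  # k and lam are illustrative choices

    # Random dictionary with unit-norm atoms; a stand-in for the paper's dictionary.
    D = rng.standard_normal((n, m))
    D /= np.linalg.norm(D, axis=0)
    coherence = np.abs(D.T @ D - np.eye(m)).max()  # check how incoherent the draw is

    # Linear classifier drawn at random from the unit ball.
    w = rng.standard_normal(m)
    w /= np.linalg.norm(w)

    def sample_point():
        """Draw a k-sparse signal x = Dz; keep it only if the (assumed) margin
        |w^T phi_D(x)| exceeds rho_min, enforcing separability."""
        while True:
            z = np.zeros(m)
            z[rng.choice(m, size=k, replace=False)] = rng.standard_normal(k)
            x = D @ z
            score = w @ lasso_encoder(D, x, lam)  # encoder from the earlier sketch
            if abs(score) >= rho_min:
                return x, np.sign(score)

    X, y = map(np.array, zip(*(sample_point() for _ in range(200))))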
Conclusion
  • In this paper the authors study the adversarial robustness of the supervised sparse coding model from two main perspectives: they provide a bound for the robust risk of any hypothesis that achieves a minimum encoder gap over the samples, as well as a robustness certificate for the resulting end-to-end classifier.
  • An analogous definition of the encoder gap in terms of convolutional sparsity [Papyan et al., 2017b] may provide a solution to this limitation.
  • This analysis could be extended to sparse models with multiple layers, as in [Papyan et al., 2017a; Sulam et al., 2019].
  • Even though this work focuses on sparse encoders, the authors believe similar principles could be generalized to other forms of representations in a supervised learning setting, providing a framework for the principled analysis of adversarial robustness of machine learning models
Funding
  • This research was supported, in part, by DARPA GARD award HR00112020004, NSF BIGDATA award IIS-1546482, NSF CAREER award IIS-1943251 and NSF TRIPODS award CCF-1934979
  • Raman Arora acknowledges support from the Simons Institute as part of the program on the Foundations of Deep Learning and the Institute for Advanced Study (IAS), Princeton, NJ, as part of the special year on Optimization, Statistics, and Theoretical Machine Learning
Study subjects and analysis
test samples: 200
Recall that φ_D(x) depends on λ, and we train two different models with two values of this parameter (λ = 0.2 and λ = 0.3). Figures 2c and 2d illustrate the certified accuracy on 200 test samples obtained by different degrees of randomized smoothing and by our result. While the certified accuracy resulting from our bound is comparable to that obtained by randomized smoothing, the latter certifies a defended classifier (i.e., the model composed with a Gaussian distribution) rather than the original hypothesis.
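A sketch of how such certified-accuracy curves are computed: each test point carries a certified ℓ2 radius (from the paper's bound or from randomized smoothing), and the certified accuracy at perturbation level ε is the fraction of points that are both correctly classified and certified at radius at least ε. The smoothing_radius helper uses the binary-case radius σΦ⁻¹(p_A) of Cohen et al. [2019]; evaluate_certificates is a hypothetical stand-in for whichever certification procedure is used.

    import numpy as np
    from scipy.stats import norm

    def smoothing_radius(p_a, sigma):
        """Certified l2 radius of a binary smoothed classifier with top-class
        probability p_a: R = sigma * Phi^{-1}(p_a) [Cohen et al., 2019]."""
        return sigma * norm.ppf(p_a)

    def certified_accuracy(correct, radius, eps_grid):
        """For each eps, the fraction of test points that are correctly
        classified AND carry a certificate of radius at least eps."""
        correct, radius = np.asarray(correct, bool), np.asarray(radius)
        return np.array([(correct & (radius >= eps)).mean() for eps in eps_grid])

    # Usage on the 200 test samples from the experiment above:
    # correct, radius = evaluate_certificates(model, X_test, y_test)  # hypothetical helper
    # curve = certified_accuracy(correct, radius, np.linspace(0.0, 1.0, 50))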

Reference
  • Aviad Aberdam, Jeremias Sulam, and Michael Elad. Multi-layer sparse coding: the holistic way. SIAM Journal on Mathematics of Data Science, 1(1):46–77, 2019.
  • Aviad Aberdam, Alona Golts, and Michael Elad. Ada-LISTA: Learned solvers adaptive to varying models. arXiv preprint arXiv:2001.08456, 2020.
  • Alireza Aghasi, Afshin Abdi, and Justin Romberg. Fast convex pruning of deep neural networks. SIAM Journal on Mathematics of Data Science, 2(1):158–188, 2020.
  • Zeyuan Allen-Zhu and Yuanzhi Li. Feature purification: How adversarial training performs robust deep learning. arXiv preprint arXiv:2005.10190, 2020.
  • Anish Athalye, Nicholas Carlini, and David Wagner. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv preprint arXiv:1802.00420, 2018.
  • Mitali Bafna, Jack Murtagh, and Nikhil Vyas. Thwarting adversarial examples: An ℓ0-robust sparse Fourier transform. In Advances in Neural Information Processing Systems, pages 10075–10085, 2018.
  • Emilio Rafael Balda, Arash Behboodi, Niklas Koep, and Rudolf Mathar. Adversarial risk bounds for neural networks through sparsity based compression. arXiv preprint arXiv:1906.00698, 2019.
  • Amir Beck and Marc Teboulle. A fast iterative shrinkage-thresholding algorithm for linear inverse problems. SIAM Journal on Imaging Sciences, 2(1):183–202, 2009.
  • Sébastien Bubeck, Eric Price, and Ilya Razenshteyn. Adversarial examples from computational constraints. arXiv preprint arXiv:1805.10204, 2018.
  • Nicholas Carlini and David Wagner. Adversarial examples are not easily detected: Bypassing ten detection methods. In Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, pages 3–14, 2017.
  • Zachary Charles, Shashank Rajput, Stephen Wright, and Dimitris Papailiopoulos. Convergence and margin of adversarial training on separable data. arXiv preprint arXiv:1905.09209, 2019.
  • Yudong Chen, Constantine Caramanis, and Shie Mannor. Robust sparse regression under adversarial corruption. In International Conference on Machine Learning, pages 774–782, 2013.
  • Moustapha Cisse, Piotr Bojanowski, Edouard Grave, Yann Dauphin, and Nicolas Usunier. Parseval networks: Improving robustness to adversarial examples. In Proceedings of the 34th International Conference on Machine Learning, pages 854–863. JMLR.org, 2017.
  • Adam Coates and Andrew Y Ng. The importance of encoding versus training with sparse coding and vector quantization. In Proceedings of the 28th International Conference on Machine Learning (ICML), 2011.
  • Jeremy M Cohen, Elan Rosenfeld, and J Zico Kolter. Certified adversarial robustness via randomized smoothing. arXiv preprint arXiv:1902.02918, 2019.
  • Daniel Cullina, Arjun Nitin Bhagoji, and Prateek Mittal. PAC-learning in the presence of adversaries. In Advances in Neural Information Processing Systems, pages 230–241, 2018.
  • DARPA. https://www.darpa.mil/news-events/2019-02-06, 2019.
  • David L Donoho and Michael Elad. Optimally sparse representation in general (nonorthogonal) dictionaries via ℓ1 minimization. Proceedings of the National Academy of Sciences, 100(5):2197–2202, 2003.
  • Michael Elad. Sparse and Redundant Representations: From Theory to Applications in Signal and Image Processing. Springer Science & Business Media, 2010.
  • Simon Foucart and Holger Rauhut. A Mathematical Introduction to Compressive Sensing. Birkhäuser, 2013.
  • Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.
  • Rémi Gribonval, Rodolphe Jenatton, Francis Bach, Martin Kleinsteuber, and Matthias Seibert. Sample complexity of dictionary learning and other matrix factorizations. IEEE Transactions on Information Theory, 61(6):3469–3486, 2015.
  • Shixiang Gu and Luca Rigazio. Towards deep neural network architectures robust to adversarial examples. arXiv preprint arXiv:1412.5068, 2014.
  • Shuhang Gu, Lei Zhang, Wangmeng Zuo, and Xiangchu Feng. Projective dictionary pair learning for pattern classification. In Advances in Neural Information Processing Systems, pages 793–801, 2014.
  • Yiwen Guo, Chao Zhang, Changshui Zhang, and Yurong Chen. Sparse DNNs with improved adversarial robustness. In Advances in Neural Information Processing Systems, pages 242–251, 2018.
  • Mikael Henaff, Kevin Jarrett, Koray Kavukcuoglu, and Yann LeCun. Unsupervised learning of sparse features for scalable audio classification. In ISMIR, 2011.
  • Andrew Ilyas, Shibani Santurkar, Dimitris Tsipras, Logan Engstrom, Brandon Tran, and Aleksander Madry. Adversarial examples are not bugs, they are features. In Advances in Neural Information Processing Systems, pages 125–136, 2019.
  • Koray Kavukcuoglu, Marc'Aurelio Ranzato, and Yann LeCun. Fast inference in sparse coding algorithms with applications to object recognition. arXiv preprint arXiv:1010.3467, 2010.
  • Diederik P Kingma and Jimmy Ba. Adam: A method for stochastic optimization. arXiv preprint arXiv:1412.6980, 2014.
  • Yan Li, Ethan X Fang, Huan Xu, and Tuo Zhao. Inductive bias of gradient descent based adversarial training on separable data. arXiv preprint arXiv:1906.02931, 2019.
  • Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083, 2017.
  • Julien Mairal, Michael Elad, and Guillermo Sapiro. Sparse representation for color image restoration. IEEE Transactions on Image Processing, 17(1):53–69, 2007.
  • Julien Mairal, Francis Bach, Jean Ponce, Guillermo Sapiro, and Andrew Zisserman. Discriminative learned dictionaries for local image analysis. In 2008 IEEE Conference on Computer Vision and Pattern Recognition, pages 1–8. IEEE, 2008.
  • Julien Mairal, Francis Bach, and Jean Ponce. Task-driven dictionary learning. IEEE Transactions on Pattern Analysis and Machine Intelligence, 34(4):791–804, 2011.
  • Zhinus Marzi, Soorya Gopalakrishnan, Upamanyu Madhow, and Ramtin Pedarsani. Sparsity-based defense against adversarial attacks on linear classifiers. In 2018 IEEE International Symposium on Information Theory (ISIT). IEEE, 2018.
  • Nishant Mehta and Alexander Gray. Sparsity-based generalization bounds for predictive sparse coding. In International Conference on Machine Learning, pages 36–44, 2013.
  • Shahar Mendelson and Petra Philips. On the importance of small coordinate projections. Journal of Machine Learning Research, 5(Mar):219–238, 2004.
  • Jan Hendrik Metzen, Tim Genewein, Volker Fischer, and Bastian Bischoff. On detecting adversarial perturbations. arXiv preprint arXiv:1702.04267, 2017.
  • Mehryar Mohri, Afshin Rostamizadeh, and Ameet Talwalkar. Foundations of Machine Learning. MIT Press, 2018.
  • Thomas Moreau and Joan Bruna. Understanding trainable sparse coding via matrix factorization. arXiv preprint arXiv:1609.00285, 2016.
  • Calvin Murdock and Simon Lucey. Dataless model selection with the deep frame potential. arXiv preprint arXiv:2003.13866, 2020.
  • Vardan Papyan, Yaniv Romano, and Michael Elad. Convolutional neural networks analyzed via convolutional sparse coding. The Journal of Machine Learning Research, 18(1):2887–2938, 2017a.
  • Vardan Papyan, Jeremias Sulam, and Michael Elad. Working locally thinking globally: Theoretical guarantees for convolutional sparse coding. IEEE Transactions on Signal Processing, 65(21):5687–5701, 2017b.
  • Vardan Papyan, Yaniv Romano, Jeremias Sulam, and Michael Elad. Theoretical foundations of deep learning via sparse representations: A multilayer sparse model and its connection to convolutional neural networks. IEEE Signal Processing Magazine, 35(4):72–89, 2018.
  • Aditi Raghunathan, Jacob Steinhardt, and Percy Liang. Certified defenses against adversarial examples. arXiv preprint arXiv:1801.09344, 2018.
  • Marc'Aurelio Ranzato, Fu Jie Huang, Y-Lan Boureau, and Yann LeCun. Unsupervised learning of invariant feature hierarchies with applications to object recognition. In 2007 IEEE Conference on Computer Vision and Pattern Recognition, pages 1–8. IEEE, 2007.
  • Yaniv Romano, Aviad Aberdam, Jeremias Sulam, and Michael Elad. Adversarial noise attacks of deep learning architectures: Stability analysis via sparse-modeled signals. Journal of Mathematical Imaging and Vision, pages 1–15, 2019.
  • Hadi Salman, Mingjie Sun, Greg Yang, Ashish Kapoor, and J Zico Kolter. Black-box smoothing: A provable defense for pretrained classifiers. arXiv preprint arXiv:2003.01908, 2020.
  • Ludwig Schmidt, Shibani Santurkar, Dimitris Tsipras, Kunal Talwar, and Aleksander Madry. Adversarially robust generalization requires more data. In Advances in Neural Information Processing Systems, pages 5014–5026, 2018.
  • Matthias Seibert. Sample Complexity of Representation Learning for Sparse and Related Data Models. PhD thesis, Technische Universität München, 2019.
  • Ali Shafahi, W Ronny Huang, Christoph Studer, Soheil Feizi, and Tom Goldstein. Are adversarial examples inevitable? arXiv preprint arXiv:1809.02104, 2018.
  • Jeremias Sulam, Aviad Aberdam, Amir Beck, and Michael Elad. On multi-layer basis pursuit, efficient algorithms and convolutional neural networks. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2019.
  • Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199, 2013.
  • Robert Tibshirani. Regression shrinkage and selection via the lasso. Journal of the Royal Statistical Society: Series B (Methodological), 58(1):267–288, 1996.
  • Ryan J Tibshirani. The lasso problem and uniqueness. Electronic Journal of Statistics, 7:1456–1490, 2013.
  • Bahareh Tolooshams, Sourav Dey, and Demba Ba. Deep residual auto-encoders for expectation maximization-based dictionary learning. arXiv preprint arXiv:1904.08827, 2019.
  • Florian Tramer, Nicholas Carlini, Wieland Brendel, and Aleksander Madry. On adaptive attacks to adversarial example defenses. arXiv preprint arXiv:2002.08347, 2020.
  • Joel A Tropp. Just relax: Convex programming methods for identifying sparse signals in noise. IEEE Transactions on Information Theory, 52(3):1030–1051, 2006.
  • Joel A Tropp, Anna C Gilbert, Sambavi Muthukrishnan, and Martin J Strauss. Improved sparse approximation over quasi-incoherent dictionaries. In Proceedings of the 2003 International Conference on Image Processing, volume 1, pages I–37. IEEE, 2003.
  • Dimitris Tsipras, Shibani Santurkar, Logan Engstrom, Alexander Turner, and Aleksander Madry. Robustness may be at odds with accuracy. arXiv preprint arXiv:1805.12152, 2018.
  • Zhuozhuo Tu, Jingwei Zhang, and Dacheng Tao. Theoretical analysis of adversarial learning: A minimax approach. In Advances in Neural Information Processing Systems, pages 12259–12269, 2019.
  • Vladimir N Vapnik and A Ya Chervonenkis. On the uniform convergence of relative frequencies of events to their probabilities. Theory of Probability and Its Applications, 16(2):264–280, 1971.
  • Eric Wong and J Zico Kolter. Provable defenses against adversarial examples via the convex outer adversarial polytope. arXiv preprint arXiv:1711.00851, 2017.
  • John Wright, Yi Ma, Julien Mairal, Guillermo Sapiro, Thomas S Huang, and Shuicheng Yan. Sparse representation for computer vision and pattern recognition. Proceedings of the IEEE, 98(6):1031–1044, 2010.
  • Bo Xin, Yizhou Wang, Wen Gao, David Wipf, and Baoyuan Wang. Maximal sparsity with deep networks? In Advances in Neural Information Processing Systems, pages 4340–4348, 2016.
  • Dong Yin, Kannan Ramchandran, and Peter Bartlett. Rademacher complexity for adversarially robust generalization. arXiv preprint arXiv:1810.11914, 2018.
  • Matthew D Zeiler, Dilip Krishnan, Graham W Taylor, and Rob Fergus. Deconvolutional networks. In 2010 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, pages 2528–2535. IEEE, 2010.
Author
Jeremias Sulam
Ramchandran Muthukumar