ATHEORETICALFRAMEWORKFORROBUSTNESSOF(DEEP)CLASSIFIERSUNDERADVERSARIALEXAMPLES

BeilunWang,JiGaoandYanjun QiDepartmentofComputerScience,UniversityofVirginia

ProblemSetting:

DefineAdversarialExamples:

TowardsPrincipledSolutions(forDNNs):

OurtheoremssuggestalistofpossiblesolutionsthatmayimprovetherobustnessofDNNclassifiersagainstadversarialsamples.Optionsinclude,like(1)learningabetter12 ;(2)modifyingunnecessaryfeatures(SeePosterDeepMask-TuesdayMorningW18).

• For(1),thealternativemethodforhardeningtheDNNmodelsisminimizingsomelossfunctions345(7, 7′)sothatwhen:.(;. 7 , ;.(7′)) < =(approximatedby(>, ∥⋅∥)),thisloss345(7, 7′)issmall.Atableofcomparingexistinghardeningsolutionsusingthismethodisshownasfollowing:

ExperimentEvaluation

Define(AB, C)-Strong-robustness:

WhyDNNmodelisnotstrong-robust.

Whyaclassifierisvulnerabletoadversarialsamples.

SufficientConditionforStrong-robustness:

Strong-robustness forD.

ExperimentalEvaluation:

TowardsPrincipledUnderstanding