18 research outputs found
Art of singular vectors and universal adversarial perturbations
Vulnerability of Deep Neural Networks (DNNs) to adversarial attacks has been
attracting a lot of attention in recent studies. It has been shown that for
many state of the art DNNs performing image classification there exist
universal adversarial perturbations: image-agnostic perturbations whose mere
addition to natural images leads, with high probability, to their
misclassification. In this work we propose a new algorithm for constructing
such universal perturbations. Our approach is based on computing the so-called
-singular vectors of the Jacobian matrices of hidden layers of a
network. Resulting perturbations present interesting visual patterns, and by
using only 64 images we were able to construct universal perturbations with
more than 60% fooling rate on the dataset consisting of 50000 images. We also
investigate a correlation between the maximal singular value of the Jacobian
matrix and the fooling rate of the corresponding singular vector, and show that
the constructed perturbations generalize across networks. Comment: Submitted to CVPR 201
Estimating operator norms using covering nets
We present several polynomial- and quasipolynomial-time approximation schemes
for a large class of generalized operator norms. Special cases include the
norm of matrices for , the support function of the set of
separable quantum states, finding the least noisy output of
entanglement-breaking quantum channels, and approximating the injective tensor
norm for a map between two Banach spaces whose factorization norm through
is bounded.
These reproduce and in some cases improve upon the performance of previous
algorithms by Brandão-Christandl-Yard and followup work, which were based on
the Sum-of-Squares hierarchy and whose analysis used techniques from quantum
information such as the monogamy principle of entanglement. Our algorithms, by
contrast, are based on brute force enumeration over carefully chosen covering
nets. These have the advantage of using less memory, having much simpler proofs
and giving new geometric insights into the problem. Net-based algorithms for
similar problems were also presented by Shi-Wu and Barak-Kelner-Steurer, but in
each case with a run-time that is exponential in the rank of some matrix. We
achieve polynomial or quasipolynomial runtimes by using the much smaller nets
that exist in spaces. This principle has been used in learning theory,
where it is known as Maurey's empirical method. Comment: 24 page
Estimating the matrix norm
The matrix norm is a fundamental quantity appearing in a
variety of areas of mathematics. This quantity is known to be efficiently
computable in only a few special cases. The best known algorithms for
approximately computing this quantity with theoretical guarantees essentially
consist of computing the norm for where this quantity can be
computed exactly or up to a constant, and applying interpolation. We analyze
the matrix norm problem and provide an improved approximation
algorithm via a simple argument involving the rows of a given matrix. For
example, we improve the best-known norm approximation from
to . This insight for the norm improves the best known approximation algorithm for the region , and leads to an
overall improvement in the best-known approximation for norms from
to
Universalization of any adversarial attack using very few test examples
Deep learning models are known to be vulnerable not only to input-dependent
adversarial attacks but also to input-agnostic or universal adversarial
attacks. Dezfooli et al. \cite{Dezfooli17,Dezfooli17anal} construct a universal
adversarial attack on a given model by looking at a large number of training
data points and the geometry of the decision boundary near them. Subsequent
work \cite{Khrulkov18} constructs a universal attack by looking only at test
examples and intermediate layers of the given model. In this paper, we propose
a simple universalization technique to take any input-dependent adversarial
attack and construct a universal attack by only looking at very few adversarial
test examples. We do not require details of the given model and have negligible
computational overhead for universalization. We theoretically justify our
universalization technique by a spectral property common to many
input-dependent adversarial perturbations, e.g., gradients, Fast Gradient Sign
Method (FGSM) and DeepFool. Using matrix concentration inequalities and
spectral perturbation bounds, we show that the top singular vector of
input-dependent adversarial directions on a small test sample gives an
effective and simple universal adversarial attack. For VGG16 and VGG19 models
trained on ImageNet, our simple universalization of Gradient, FGSM, and
DeepFool perturbations using a test sample of 64 images gives fooling rates
comparable to state-of-the-art universal attacks \cite{Dezfooli17,Khrulkov18}
for reasonable norms of perturbation