Although AI is developing rapidly, AI's vulnerability under adversarial attacks remains an extraordinarily dificult problem. In this paper we study the root cause of adversarial examples through studying the deep neural network's (DNN) classification boundary. The existing attack algorithms can generate from a handful to a few hundred adversarial examples given one clean sample. We show there are a lot more adversarial examples given one clean sample, all within a small neighborhood of the clean sample. We then define DNN uncertainty regions and show the transferability of adversarial examples is not universal. The results lead to two conjectures regarding the size of the DNN uncertainty regions and where DNN function becomes discontinuous. The conjectures ofer a potential explanation for why the generalization error bound - the theoretical guarantee established for DNN - cannot adequately capture the phenomenon of adversarial examples.
ter DNN gained popularity [
Despite decades of theoretical research on DNN, there are still many unanswered questions regarding DNN’s properties. For example, we do not know the shape of DNN classification boundary. There is also a discrepancy between the established generalization error bounds for DNN and the existence of adversarial examples.
We know the shape of the decision boundary of many
well known models, such as linear regression,
generalized linear regression, non-parametric regression,
support vector machine (SVM), to name a few. Despite
ate DNN robustness, we are yet to know the shape of
DNN classification boundary. A lack of understanding
of DNN’s classification boundary naturally leads to the
fact that we do not know where are the regions
containing the adversarial examples. There are
conflicting conjectures about the regions containing the
adversarial examples. [
1. We show DNN classification boundary is highly many work on building a robust DNN and to evalu- in critical applications without fully understanding its fractured, unlike other classifiers. There are lower
resulting learning model to make a mistake with certain dimensional regions containing adversarial exam- test samples. Assuming there is no easy access to the ples within a small neighborhood surrounding
training process, evasion attacks generate test samples every clean image. 2. Our first conjecture is that the union of these lower dimensional bounded regions containing adversarial examples has zero probability mass.
Our second conjecture is that a DNN function is discontinuous at the boundary of these lower dimensional bounded regions, and may be discontinuous inside some of these bounded regions.
The two conjectures could be the reason that the theoretical guarantees established for DNN, such as the generalization error bounds, co-exist with the adversarial examples. Hence new theory is needed to evaluate DNN robustness.
that the learning model cannot handle correctly. The
adversarial examples generated to attack DNN belong
to evasion attacks. Depending on adversaries’
knowledge of a DNN model, there are white-box attacks and
black-box attacks. For white-box attacks, adversaries
know the true DNN model, including model structure
and parameter values. For black-box attacks, adversaries
don’t know the true model. Instead, adversaries query
the true model, build a local substitute model based on
the queries, and attack the local model. A targeted attack
generates adversarial examples that are misclassified into
a pre-determined class, while an untargeted attack simply
generates misclassified samples. Several survey papers
3. We show that transferability of adversarial exam- are published, introducing the current state and the
timeples is not universal, contrary to [
We show that adversarial examples against one DNN can be correctly classified by some other DNN models, simply by using diferent initial random seeds in the training process. This leads to our definition of DNN uncertainty regions.
generate up to a few hundred adversarial exam- gray-scale image, and a tensor for a color image. The Besides the three major contributions, additional contributions of this paper are the following.
1. Given one clean image, existing attack algorithms ples. Sampling from the lower dimensional region lead to a stronger attack, generating a lot more adversarial examples given one clean image. 2. Far fewer pixels are perturbed to form these hyper-rectangles compared to the existing attack algorithms. Therefore we reduce the total amount of perturbations added to a clean image to create adversarial examples.
The paper is organized as follows. Section 1.1 discusses tablish the shape of DNN classification boundary and introduces the concept of DNN uncertainty regions. Section 3 discusses the discrepancy between the theoretically ror bound, and the existence of adversarial examples.
There are two broad categories of attacks, poisoning
attacks and evasion attacks [
Adversarial evasion attacks against DNN are the
earliest attacks. Recently there are attacks designed to break
graph neural network (e.g., [
Let
be a clean image and be an adversarial example. Let class label to . ( be a trained DNN model that assigns a ) ≠ ( )
. is a matrix for a size of the matrix/tensor is determined by the image resolution. The individual elements (pixels) in
represent
the light level, having integer values ranging from 0 (no
light) to 255 (maximum light). The pixels are rescaled
to [
can be
vectorized. Assume a vectorized is − dimensional, i.e.,
∈ [
Method (BIM) 1, 2, ∞ attacks; (6) Moment Iterative
DNN function is described by ( ) =
, where is the
object class assigned to image by a trained DNN model
used to classify the samples. The areas within the mar- [
.
DNN model structure:
the classification boundary of DNN, here the DNN model structure must strictly remain the same. We discover that even a minor change to the model structure, such as adding or removing a batch normalization layer, will lead to a diferent classification boundary.
Uncertainty Region Construction:
adversarial example with the corresponding clean . If a pixel value in is diferent than that in , it is perturbed by the attack. Given a clean , we use one attack algorithm and generate a suficient amount of adversarial examples that are all mis-classified into the same wrong object class. We examine how many pixels are perturbed by the attack. Then we compute the interval for each perturbed pixel (the original has a single value for this pixel). The perturbed pixels are ordered by the interval sizes from the largest to the smallest. We then construct a hyper-rectangle starting from the largest interval, and stop at where the subsequent intervals can be considered as nearly a constant (which may not equal to the original pixel value for clean ). The detailed procedure is described as follows.
Assume 1 is the model under attack. For a given attack algorithm and a object class , ≠ where is the true object class of , we combine the adversarial examples from both the targeted attack and the untargeted attack, s.t. 1(
) = . We then construct the subspace . spanned by s. This step requires an attack algorithm to generate suficient amount of perturbed images at least 80-100 images, given one clean image. We notice that diferent attack algorithms discover diferent regions containing the adversarial examples for one clean image. Only a handful of adversarial examples is not enough , The more adversarial examples an attack algorithm can (a) (b) into disjoint regions, where at least two DNN models and disagree on the hard label of .
Definition 1.
An uncertainty region is defined as
∶=
{ ∶ ∃
, ∈ ℳ, ..
( ) ≠
( ) } ,
where cannot be separated into disjoint regions in [
Denote the − ball by ( , ) ( , ) ∶= { ∶ ( , ) ≤ }. When is suficiently small, the points in ( , ) are noisy versions of and should be labeled to the same object class as . Given a clean image , we can determine the value of based on the amount of adversarial perturbations. We choose sarial perturbations calculated from a number of attack algorithms. Figure 2 (b) conceptually shows two separate |( , )| = in ( , ) Clean natural sample:
We consider a clean natural image as the result of taking a photo using a camera. Regarding how many clean images we can have, let’s consider the volume of a − dimensional ( , )
. The volume of the feature space
are noisy versions of . For a fixed and ,
there are only a finite number of non-overlapping balls
in the feature space [
. Hence the feature space for higher resolution color images can contain increasingly more clean images. intervals are ranked by interval size as (,1) ≥ (,2) ≥ ⋯ (,) . We construct a hyper-rectangle () using largest in () ( , ). As. Then the tervals with ≤
as () = ⊗ =1 [ () ( ,() ),
() ( ,() )]. () is the subspace based on the adversarial examples generated by attack and misclassified to class . We choose the number of intervals that the remaining interval sizes are very small and the perturbations added can be considered as approximately constant. periments. CPU is Intel Xeon Silver 4114 and the GPU is Nvidia Tesla P100. The code is posted on GitHub. 2
Here we conduct an experiment with the task to classify MNIST dataset of 10 handwritten digit. MNIST has 60,000 training images and 10,000 test images. Each image has 28x28 gray-scale pixels. Our model structure is
2https://github.com/juanshu30/Understanding-AdversarialExamples-Through-DNNs-Classification-Boundary-andUncertainty-Regions
on clean test data.
the PyTorch implementation [
We have ∈ [
Intuitively, the ten handwritten digits have distinct
features that facilitate the classification task. Hence LeNet
can achieve nearly 99% accuracy. We visualize the
digits using t-Distributed Stochastic Neighbor Embedding
(t-SNE) technique [
We choose a clean image , and generate adversarial examples using the attack algorithms listed in Section 1.1.
We then construct the hyper-rectangles () . We have information. obtained similar results. Due to the limited space, here we show the results for a digit 1 from the test data. We run the attacks against 1. Table 2 shows the following 1. The number of intervals used to construct the hyper-rectangles. For example, CW2 1 → 6 means the digit 1 is mis-classified as 6. 150d means 2 tervals.
(6) is spanned by the largest 150
in2. The smallest interval size in () , shown in
column () . For PW attack, we use [
We use Pytorch 1.5.0 and Cuda 10.2 to run all the ex- studied many test images and training images, and have
Table 3 shows the 10 re-trained LeNet models’ mis-classification rates against the original adversarial images generated by the attacks, and the number of perturbed (a) PW 1 → 8 (b) PW Sampled 1 → 8 cpoixluemls.ns iTnhTeablleeft 4thsrheoew Figure 5: Clean Image 1 the minimum amount of perturbations ((|| − || 2)), the maximum amount of perturbations ((|| − || 2)), and the average amount selected pixels, since the measured interval sizes of perturbations ((|| − || 2)) of the 1000 sampled are all close to 1. For all other attacks, the interval images in each hyper-rectangle () . The right three size is measured from the added perturbations. columns in Table 4 show the same information for the 3. We sample 1000 images from each () , and re- adversarial examples generated by the corresponding port the misclassification rates by 1 to 10. attacks.
Figure 4 shows the adversarial examples generated by the attacks, and the adversarial images generated through sampling in the hyper-rectangles () . Figure 5 is the corresponding clean image 1. Except for PointWise attack, which changes a pixel value to 0 or 1, the rest of () has the maximum value 0.032, as shown in Table 2.
This translates to 8 consecutive integer values on the original 0 – 255 scale. They are very similar light levels, and can be considered as approximately constant.
If we add more dimensions to () , the additional di- (a) CW2 5 → 6 (b) CW2 Sampled 5 → 6 mensions can be considered as moving the additional Figure 6: Images for MLP experiment pixels to diferent values. Adding more dimensions do not change the shape and size of () . Instead that moves a hyper-rectangle to a diferent location, increasing the amount of perturbation and away from the clean image 3x512 hidden neurons and ReLU activation. We vary the . The hyper-rectangles () in Table 2 perturbed far initial seeds and train 5 MLPs. The optimizer is SGD fewer pixels than the original attacks. From Table 4, we with learning rate 0.01. Table 5 shows the MLP missee that leads to smaller perturbations to create adver- classification rates on the clean MNIST test data. In the sarial examples. There are more such hyper-rectangles interest of space, here we show two examples, a digit with the same shape and size, as we add more pixels 5 and a digit 7, under Carlini & Wagner 2 attack. Taidentified by the attacks. Adding more pixels does not ble 6 shows the 5 MLPs’ mis-classification rates in the necessarily increase the mis-classification rates by all hyper-rectangles. Table 7 shows mis-classification rates DNNs. For Carlini & Wagner 2 attack and FGSM, even- against the original adversarial images generated by the tually the hyper-rectangle is moved to a place where 1 attack. Figure 6 shows an adversarial example genermis-classification rate is close to 100% and 2 to 10 ated by Carlini & Wagner 2 attack, and an adversarial see near 0% mis-classification rate. This is the efect of example generated through sampling from the hyperthe optimization approach used in the attack algorithms rectangle, based on the same clean image 5. Figure 9 (a) against 1. We observe three types of () in Table 2. is the corresponding clean image 5. The hyper-rectangle for 7 → 2 lie in one DNN uncertainty region. Again Carlini & Wagner 2 attack has great success with the target model 1 but can be correctly classified by some other MLPs. 1. The target DNN mis-classifies most of the adversarial examples while there exists another DNN which correctly classifies the adversarial examples; 2. The target model correctly classifies the adversarial examples while another DNN mis-classifies most of the adversarial examples; 3. The transferable adversarial regions where all
DNNs mis-classify a significant proportion of the adversarial examples.
This phenomenon occurs to attacks adding both small
and large perturbations. The first two types of ()
belong to DNN uncertainty regions. The existence of DNN
uncertainty regions shows transferability of adversarial
examples is not universal, contrary to [
Here we conduct experiment with a MLP trained on MNIST. It is a fully connected network with 3 layers,
CIFAR10 [
Figure 7 shows the mis-classification rates as we
increase the dimensions of the hyper-rectangle. The largest
interval size is 0.2 and the 2000th largest interval size
is 0.017. 1 misclassifies all the sampled images
starting from around 200 perturbed dimensions. 5
correctly classifies all the sampled images. We see 2 and
4 misclassification rates increase as more efective
dimensions are included, then decrease as we include
additional irrelevant dimensions. The 2000-dimensional
(a) BIM 2 airplane→deer (b) BIM Sampled airplane→deer
hyper-rectangle lies in one MobileNet uncertainty region.
As noted in [
Due to the nature of the uncertainty regions, we have to train multiple models. However the classification boundary is established for one model – the model under attack – not the ensemble of all the trained models. The output of a DNN ensemble is either based on the majority vote, or we take the average of the softmax layer outputs from the DNN models in the ensemble. Hence a DNN ensemble has a diferent classification boundary compared with that of a single model used in the ensemble.
For the MNIST CNN experiment, we use Figure 10 as a conceptual plot to show the classification boundary for 1. 1 is the model under attack. Let be the digit 1 used in Section 2.1. Let = 6 . Hence the hyperrectangles with larger perturbations are excluded from ( , ) .
The blue dot in the center is the clean image. Inside
the black circle, the solid line segments are part of the
shape of an uncertainty/transferable region may not be
a hyper-rectangle. It is important to further investigate
how many uncertainty regions and transferable
adversarial regions exist in the feature space [
DNN transferable adversarial regions. We leave it to the future work. 10.
The dashed lines inside the black circle are not part of 1’s classification boundary, but they are model 1’s uncertainty regions, because inside these regions s are correctly classified by 1 but misclassified by some other model . We call them the type 3 regions.
Type 1 and 3 are the uncertainty regions. Type 2 are
the transferable adversarial regions which are more
dififcult to handle. Both the uncertainty regions and the 3. Generalization Error Bound and
transferable adversarial regions are lower dimensional Adversarial Examples
small “cracks” inside the small neighborhood of a clean
image. Only type 1 and type 2 regions where 1 misclas- The accuracy on clean test data is often used to measure
sifies the samples in the − ball ( , ) are part of model a classifier’s performance. However, in [
√
refers to a constant based on the width and depth of
a DNN model, e.g., [
We observe there is a discrepancy between the theoretically proven generalization error bound for DNN and the existence of adversarial examples. Following the theory, the generalization error on test data should decrease to 0 at a rate proportional to −1/2 where is the training sample size. However for every clean image we show there exists a large number of adversarial images in its neighborhood ( , )
, for diferent network structures and datasets. Adversarial examples also exist for large DNN models trained on ImageNet with millions on its generalization error. So far we see adversarial examples exist in much lower dimensional regions, leading to Conjecture 1.
Remark 2:
Let ̂
( ) = 1 ∑1 (
tion error as
∗( ) = (
mated from the training data . [
( ),
which is also used in some recent papers to establish
DNN theoretical guarantees. Corollary 1 in [
The union of these lower dimensional bounded uncertainty regions and transferable adversarial regions has zero probability mass.
Conjecture 2:
A DNN function is discontinuous at the boundary of these lower dimensional bounded regions, and may be discontinuous inside some of these bounded regions. Note Lipschitz continuity is an important assumption for proving the generalization error bound.
The two conjectures with Theorem 1 ofer a potential
explanation for why such a discrepancy exists. Let be
a − dimensional region in [
with < . Let ℒ = ∪=1 ∞ be the union of countably infinite non-overlapping
lower dimensional regions in [
2( ) . And assume ∃ ∈ ℒ , s.t. 1( ) ≠
2( ) . We have ( 1( , +1 )) = (
2( , +1 )).
Proof: For any continuous distribution on [
2( , +1 )). ■ Remark 1:
Theorem 1 means the definition of
generalization error cannot tell the diference between a trained
classifier that assign correct labels to all the points in
[
2 ∗( 2).
A limitation of our work is that we rely on the existing attack algorithms to locate these hyper-rectangles. Also our approach works with low resolution images. Again we leave it to the future work to capture the shape of the DNN classification boundary in very high dimensional feature space.
We gain important insights from this study. A DNN
model draws the classification boundary around every
image instead of along the border between the object
classes. This helps a DNN model to achieve high accuracy
and low generalization error for complex tasks but leaves
space for it to be attacked. How to seal these small cracks
surrounding every image is a very dificult problem, as
we witness the success of the adaptive attacks [
Understanding the shape of DNN’s classification
boundary also provides insights to defend against the
backdoor attacks [
We conclude that the adversarial examples stem from a structural problem of DNN. DNN’s classification boundary is unlike that of any other classifier. Current defense strategies do not address this structural problem. We also need new theory to describe the phenomenon of adversarial examples and measure the robustness of DNN.
This work is supported in part by US Army Research Ofice award W911NF-17-1-0356 and US Army Research