
Excessive Invariance Causes Adversarial Vulnerability
Despite their impressive performance, deep neural networks exhibit striking failures on out-of-distribution inputs. One core idea of adversarial example research is to reveal neural network errors under such distribution shift. We decompose these errors into two complementary sources: sensitivity and invariance. We show deep networks are not only too sensitive to task-irrelevant changes of their input, as is well-known from epsilon-adversarial examples, but are also too invariant to a wide range of task-relevant changes, thus making vast regions in input space vulnerable to adversarial attacks. After identifying this excessive invariance, we propose the use of bijective deep networks to enable access to all variations. We introduce metameric sampling as an analytic attack for these networks, requiring no optimization, and show that it uncovers large subspaces of misclassified inputs. We then apply these networks to MNIST and ImageNet and show that one can manipulate the class-specific content of almost any image without changing the hidden activations. Further, we extend the standard cross-entropy loss to strengthen the model against such manipulations via an information-theoretic analysis, providing the first approach tailored explicitly to overcome invariance-based vulnerability. We conclude by empirically illustrating its ability to control undesirable class-specific invariance, showing promise to overcome one major cause of adversarial examples.
11/01/2018 ∙ by Jörn-Henrik Jacobsen, et al.
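The metameric-sampling idea can be illustrated with a toy sketch (not the paper's actual model): an invertible linear map stands in for the bijective deep network, its first output coordinate plays the role of the "semantic" part a hypothetical classifier reads, and the second the nuisance part. Keeping the semantic coordinate while swapping in another input's nuisance coordinate, then inverting, yields a different input with an identical classifier view, analytically and with no optimization.

```python
import numpy as np

# Toy bijective "network": an invertible linear map f(x) = W x
# (a hypothetical stand-in for the paper's bijective deep network).
rng = np.random.default_rng(0)
W = np.array([[2.0, 1.0], [1.0, 1.0]])   # invertible: det = 1
W_inv = np.linalg.inv(W)

def f(x):
    return W @ x

def f_inv(z):
    return W_inv @ z

# z[0] is the "semantic" coordinate the toy classifier reads,
# z[1] the nuisance coordinate it ignores.
x_a, x_b = rng.normal(size=2), rng.normal(size=2)
z_a, z_b = f(x_a), f(x_b)

# Metameric sample: keep x_a's semantic coordinate, take the
# nuisance coordinate from x_b, then map back to input space.
z_meta = np.array([z_a[0], z_b[1]])
x_meta = f_inv(z_meta)

# x_meta produces the same "classifier view" as x_a...
assert np.isclose(f(x_meta)[0], z_a[0])
# ...while differing from x_a in input space.
assert not np.allclose(x_meta, x_a)
```

The classifier's prediction is unchanged by construction, which is exactly the excessive-invariance failure mode: the nuisance subspace can carry arbitrary, potentially label-changing content.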

Invertible Residual Networks
Reversible deep networks provide useful theoretical guarantees and have proven to be a powerful class of functions in many applications. Usually, they rely on analytical inverses using dimension splitting, fundamentally constraining their structure compared to common architectures. Based on recent links between ordinary differential equations and deep networks, we provide a sufficient condition under which standard ResNets are invertible. This condition allows unconstrained architectures for residual blocks, while only requiring an adaptation of their regularization scheme. We numerically compute their inverse, which has O(1) memory cost and a computational cost of 5-20 forward passes. Finally, we show that invertible ResNets perform on par with standard ResNets on classifying MNIST and CIFAR-10 images.
11/02/2018 ∙ by Jens Behrmann, et al.
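The numerical inverse can be sketched with a contractive toy residual block (a small stand-in for the paper's spectrally constrained ResNet blocks): when y = x + g(x) and g has Lipschitz constant below 1, the inverse is the unique fixed point of x = y - g(x), recovered by simple iteration.

```python
import numpy as np

# A residual block y = x + g(x) is invertible when Lip(g) < 1.
# Here g is a toy contractive map; in the actual networks this
# condition is enforced on the block's weights.
def g(x):
    return 0.5 * np.tanh(x)          # Lipschitz constant <= 0.5 < 1

def forward(x):
    return x + g(x)

def inverse(y, n_iter=20):
    # Banach fixed-point iteration: x_{k+1} = y - g(x_k).
    # Each step costs one evaluation of g, matching the abstract's
    # "5-20 forward passes", and no activations need to be stored.
    x = y.copy()
    for _ in range(n_iter):
        x = y - g(x)
    return x

x = np.array([1.3, -0.7, 2.1])
y = forward(x)
x_rec = inverse(y)
assert np.allclose(x_rec, x, atol=1e-6)
```

The error contracts by at least the Lipschitz constant per step, so 20 iterations of a 0.5-Lipschitz block shrink the initial error by roughly a factor of a million.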

Exploiting Excessive Invariance caused by Norm-Bounded Adversarial Robustness
Adversarial examples are malicious inputs crafted to cause a model to misclassify them. Their most common instantiation, "perturbation-based" adversarial examples, introduces changes to the input that leave its true label unchanged, yet result in a different model prediction. Conversely, "invariance-based" adversarial examples insert changes to the input that leave the model's prediction unaffected despite the underlying input's label having changed. In this paper, we demonstrate that robustness to perturbation-based adversarial examples is not only insufficient for general robustness, but worse, can also increase the model's vulnerability to invariance-based adversarial examples. In addition to analytical constructions, we empirically study vision classifiers with state-of-the-art robustness to perturbation-based adversaries constrained by an ℓ_p norm. We mount attacks that exploit excessive model invariance in directions relevant to the task, and are able to find adversarial examples within the ℓ_p ball. In fact, we find that classifiers trained to be ℓ_p-norm robust are more vulnerable to invariance-based adversarial examples than their undefended counterparts. Excessive invariance is not limited to models trained to be robust to perturbation-based ℓ_p-norm adversaries. In fact, we argue that the term adversarial example is used to capture a series of model limitations, some of which may not have been discovered yet. Accordingly, we call for a set of precise definitions that taxonomize and address each of these shortcomings in learning.
03/25/2019 ∙ by Jörn-Henrik Jacobsen, et al.

Flexibly Fair Representation Learning by Disentanglement
We consider the problem of learning representations that achieve group and subgroup fairness with respect to multiple sensitive attributes. Taking inspiration from the disentangled representation learning literature, we propose an algorithm for learning compact representations of datasets that are useful for reconstruction and prediction, but are also flexibly fair, meaning they can be easily modified at test time to achieve subgroup demographic parity with respect to multiple sensitive attributes and their conjunctions. We show empirically that the resulting encoder, which does not require the sensitive attributes for inference, enables the adaptation of a single representation to a variety of fair classification tasks with new target labels and subgroup definitions.
06/06/2019 ∙ by Elliot Creager, et al.
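The "flexibly fair" test-time modification can be illustrated with a hypothetical sketch (the dimensions and the zeroing-out rule below are illustrative assumptions, not the paper's exact mechanism): if the encoder disentangles non-sensitive factors from one latent dimension per sensitive attribute, a downstream classifier can be made invariant to any chosen subgroup simply by masking those dimensions.

```python
import numpy as np

# Hypothetical disentangled codes for 5 examples: z holds
# non-sensitive factors, b one latent dimension per sensitive
# attribute (illustrative shapes, not the paper's architecture).
rng = np.random.default_rng(0)
z = rng.normal(size=(5, 8))      # non-sensitive code
b = rng.normal(size=(5, 3))      # one dim per sensitive attribute

def representation(z, b, drop_attrs):
    # Mask the chosen sensitive dimensions so a downstream
    # classifier cannot depend on them; different choices of
    # drop_attrs adapt the same encoder to different subgroup
    # fairness requirements at test time.
    b_used = b.copy()
    b_used[:, drop_attrs] = 0.0
    return np.concatenate([z, b_used], axis=1)

r = representation(z, b, drop_attrs=[0, 2])
assert r.shape == (5, 11)
assert np.all(r[:, [8, 10]] == 0.0)   # masked sensitive dims
```

The point of the sketch is only that a single learned representation supports many fairness constraints: changing `drop_attrs` requires no retraining of the encoder.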

Residual Flows for Invertible Generative Modeling
Flow-based generative models parameterize probability distributions through an invertible transformation and can be trained by maximum likelihood. Invertible residual networks provide a flexible family of transformations where only Lipschitz conditions rather than strict architectural constraints are needed for enforcing invertibility. However, prior work trained invertible residual networks for density estimation by relying on biased log-density estimates whose bias increased with the network's expressiveness. We give a tractable unbiased estimate of the log density, and reduce the memory required during training by a factor of ten. Furthermore, we improve invertible residual blocks by proposing the use of activation functions that avoid gradient saturation and generalizing the Lipschitz condition to induced mixed norms. The resulting approach, called Residual Flows, achieves state-of-the-art performance on density estimation amongst flow-based models, and outperforms networks that use coupling blocks at joint generative and discriminative modeling.
06/06/2019 ∙ by Ricky T. Q. Chen, et al.
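A minimal sketch of an unbiased log-density estimator of this flavor, on a toy linear residual block where the exact answer is checkable (this is a small-scale illustration under simplifying assumptions, not the paper's full method): the log-determinant expands as the power series log det(I + J) = Σ_{k≥1} (-1)^{k+1} tr(J^k)/k, traces are estimated with Hutchinson probes, and a randomized "Russian roulette" truncation with importance reweighting removes the truncation bias.

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy residual block g(x) = J x with small norm, so the change of
# variables term is exactly log det(I + J) and we can verify.
J = 0.05 * rng.normal(size=(4, 4))

def logdet_unbiased(J, n_samples=2000, p=0.5):
    d = J.shape[0]
    total = 0.0
    for _ in range(n_samples):
        N = rng.geometric(p)          # random truncation, P(N = n) = (1-p)^(n-1) p
        v = rng.normal(size=d)        # Hutchinson probe: tr(M) ~ E[v^T M v]
        Jk_v, est = v, 0.0
        for k in range(1, N + 1):
            Jk_v = J @ Jk_v           # J^k v via repeated matrix-vector products
            weight = 1.0 / (1.0 - p) ** (k - 1)   # 1 / P(N >= k) removes truncation bias
            est += (-1.0) ** (k + 1) * (v @ Jk_v) / k * weight
        total += est
    return total / n_samples

exact = np.linalg.slogdet(np.eye(4) + J)[1]
approx = logdet_unbiased(J)
assert abs(approx - exact) < 0.05
```

Because each sample truncates the series at a random finite depth but reweights surviving terms by the inverse survival probability, the expectation equals the full infinite series, which is the sense in which the estimate is unbiased.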

Multiscale Hierarchical Convolutional Networks
Deep neural network algorithms are difficult to analyze because they lack structure that would allow one to understand the properties of the underlying transforms and invariants. Multiscale hierarchical convolutional networks are structured deep convolutional networks whose layers are indexed by progressively higher-dimensional attributes, which are learned from training data. Each new layer is computed with multidimensional convolutions along spatial and attribute variables. We introduce an efficient implementation of such networks in which dimensionality is progressively reduced by averaging intermediate layers along attribute indices. Hierarchical networks are tested on CIFAR image databases, where they obtain accuracy comparable to state-of-the-art networks with far fewer parameters. We study some properties of the attributes learned from these databases.
03/12/2017 ∙ by Jörn-Henrik Jacobsen, et al.

Dynamic Steerable Blocks in Deep Residual Networks
Filters in convolutional networks are typically parameterized in a pixel basis, which does not take prior knowledge about the visual world into account. We investigate the generalized notion of frames designed with image properties in mind as alternatives to this parametrization. We show that frame-based ResNets and DenseNets can consistently improve performance on CIFAR-10+, while having additional pleasant properties like steerability. By exploiting these transformation properties explicitly, we arrive at dynamic steerable blocks. They are an extension of residual blocks that can seamlessly transform filters under predefined transformations, conditioned on the input at training and inference time. Dynamic steerable blocks learn the degree of invariance from data and locally adapt filters, allowing them to apply a different geometrical variant of the same filter to each location of the feature map. When evaluated on the Berkeley Segmentation contour detection dataset, our approach outperforms all competing approaches that do not utilize pretraining. Our results highlight the benefits of image-based regularization for deep networks.
06/02/2017 ∙ by Jörn-Henrik Jacobsen, et al.
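The steerability property underlying these blocks can be shown with the classic first-order example (a generic illustration of steerable filters, not the paper's learned frames): a derivative-of-Gaussian filter rotated by any angle θ is an exact linear combination of just two fixed basis filters, so a network can rotate its filters continuously without resampling them.

```python
import numpy as np

def gauss_deriv_basis(size=7, sigma=1.5):
    # Two basis filters: the x- and y-derivatives of a 2D Gaussian.
    ax = np.arange(size) - size // 2
    X, Y = np.meshgrid(ax, ax)
    G = np.exp(-(X**2 + Y**2) / (2 * sigma**2))
    return -X * G, -Y * G          # proportional to d/dx and d/dy

def steer(Gx, Gy, theta):
    # The directional derivative at angle theta is an exact
    # linear combination of the two basis filters.
    return np.cos(theta) * Gx + np.sin(theta) * Gy

Gx, Gy = gauss_deriv_basis()
# Steering Gx by 90 degrees reproduces Gy up to float precision.
assert np.allclose(steer(Gx, Gy, np.pi / 2), Gy, atol=1e-12)
```

A dynamic block in this spirit would predict θ from the input and apply the steered filter locally, which is how a different geometric variant of the same filter can act at each feature-map location.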

i-RevNet: Deep Invertible Networks
It is widely believed that the success of deep convolutional networks is based on progressively discarding uninformative variability about the input with respect to the problem at hand. This is supported empirically by the difficulty of recovering images from their hidden representations in most commonly used network architectures. In this paper we show, via a one-to-one mapping, that this loss of information is not a necessary condition to learn representations that generalize well on complicated problems, such as ImageNet. Via a cascade of homeomorphic layers, we build the i-RevNet, a network that can be fully inverted up to the final projection onto the classes, i.e. no information is discarded. Building an invertible architecture is difficult, for one because the local inversion is ill-conditioned; we overcome this by providing an explicit inverse. An analysis of the i-RevNet's learned representations suggests an alternative explanation for the success of deep networks: a progressive contraction and linear separation with depth. To shed light on the nature of the model learned by the i-RevNet, we reconstruct linear interpolations between natural image representations.
02/20/2018 ∙ by Jörn-Henrik Jacobsen, et al.
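The explicit inverse rests on additive coupling, which can be sketched in a few lines (a minimal illustration of the coupling pattern, omitting the splitting and reshuffling of an actual i-RevNet): split the activations in two, let one half pass through while the other is shifted by an arbitrary function of it. The inverse needs no inversion of F, so F can be any learned block.

```python
import numpy as np

# Additive coupling: y1 = x2, y2 = x1 + F(x2).
# Invertible for ANY function F, since F is only ever evaluated
# on values that are available at inversion time.
def F(u):
    return 0.7 * np.tanh(u) + 0.1   # arbitrary; need not be invertible itself

def couple(x1, x2):
    return x2, x1 + F(x2)

def uncouple(y1, y2):
    # Exact inverse: x2 = y1, then x1 = y2 - F(y1).
    return y2 - F(y1), y1

x1, x2 = np.array([0.5, -1.2]), np.array([2.0, 0.3])
y1, y2 = couple(x1, x2)
r1, r2 = uncouple(y1, y2)
assert np.allclose(r1, x1) and np.allclose(r2, x2)
```

Stacking such layers keeps the whole network bijective, which is why no information about the input is discarded before the final classification projection.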

Conditional Generative Models are not Robust
Class-conditional generative models are an increasingly popular approach to achieving robust classification. They are a natural choice to solve discriminative tasks in a robust manner as they jointly optimize for predictive performance and accurate modeling of the input distribution. In this work, we investigate robust classification with likelihood-based conditional generative models from a theoretical and practical perspective. Our theoretical result reveals that it is impossible to guarantee detectability of adversarial examples even for near-optimal generative classifiers. Experimentally, we show that naively trained conditional generative models have poor discriminative performance, making them unsuitable for classification. This is related to overlooked issues with training conditional generative models, and we show methods to improve performance. Finally, we analyze the robustness of our proposed conditional generative models on MNIST and CIFAR-10. While we are able to train robust models for MNIST, robustness completely breaks down on CIFAR-10. This lack of robustness is related to various undesirable model properties that maximum likelihood fails to penalize. Our results indicate that likelihood may fundamentally be at odds with robust classification on challenging problems.
06/04/2019 ∙ by Ethan Fetaya, et al.
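The generative-classifier decision rule at the heart of this line of work is simply Bayes' rule: fit p(x|y) per class and predict argmax_y log p(x|y) + log p(y). A toy sketch with Gaussian class-conditionals standing in for the deep likelihood models:

```python
import numpy as np

# Toy generative classifier: one Gaussian p(x|y) per class with
# identity covariance (illustrative stand-in for a deep
# likelihood-based model), uniform prior p(y).
means = {0: np.array([-2.0, 0.0]), 1: np.array([2.0, 0.0])}
log_prior = {0: np.log(0.5), 1: np.log(0.5)}

def log_lik(x, mu):
    # log N(x; mu, I) up to the shared normalizing constant,
    # which cancels in the argmax.
    return -0.5 * np.sum((x - mu) ** 2)

def predict(x):
    # Bayes rule: argmax_y log p(x|y) + log p(y).
    scores = {y: log_lik(x, mu) + log_prior[y] for y, mu in means.items()}
    return max(scores, key=scores.get)

assert predict(np.array([-1.5, 0.3])) == 0
assert predict(np.array([2.5, -0.1])) == 1
```

The paper's negative results concern exactly this setup at scale: even when p(x|y) is modeled well in the maximum-likelihood sense, the induced classifier need not be robust, because likelihood does not penalize the model properties that adversaries exploit.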