Manifold Preserving Adversarial Learning

1 Introduction

Recent developments in adversarial machine learning

DBLP:journals/corr/abs-1802-00420 ; DBLP:conf/nips/SongSKE18 ; zhao2018generating

have cast serious doubts on the robustness of deep learning models. Although many defense mechanisms

DBLP:journals/corr/abs-1903-06603 ; sinha2018certifiable ; DBLP:journals/corr/abs-1801-09344 ; DBLP:journals/corr/MadryMSTV17 ; DBLP:journals/corr/abs-1711-00851 have been proposed to alleviate the security risks faced by these models, very few are resilient to attacks DBLP:journals/corr/abs-1802-00420 ; DBLP:journals/corr/CarliniW16a

. Adversarial attacks manipulate data with imperceptible noise so as to cause a classifier to make incorrect predictions

42503 . In the image domain, adversarial examples are generated to be identical to real images, albeit the precise locations of fine details in the images might still not be preserved. In the text domain, even slight changes to a sentence can alter its readability or corrupt its meaning zhao2018generating . For adversarial samples to be coherent, they need to be valid and convey ideally the meaning of the true inputs. In the text domain especially, they need to be grammatically and linguistically sound. We posit the reason existing approaches fail to enforce such requirements is because the semantics of the true inputs and the adversarial examples, captured in their respective low dense representation or manifold, do not necessarily align. This may result from a poor characterization of the manifold of the true inputs due to rigid assumptions about its structure – such as confining the latent variable model of the manifold to be Gaussian DBLP:conf/nips/SongSKE18 ; zhao2018generating – or because the search for adversarial examples is restricted to uniformly-bounded regions or conducted along suboptimal gradient directions 42503 ; DBLP:journals/corr/KurakinGB16 ; ianj.goodfellow2014 .

In this study, we explore a novel approach to generate coherent adversarial examples in the image and text domains. Our approach is built around the manifold invariance theorem 10.1088/2053-2571/ab0281ch6 and seeks to align the manifolds of the adversarial examples and the true inputs so that the adversarial examples may reflect the semantics of the true inputs. To intuitively introduce our approach, we decompose the adversarial learning problem into: (i.) manifold learning

, where we develop a variational inference technique to encode high-dimensional data into a low dense representation without needing to reparameterize the encoder network

kingma2014 , and (ii.) perturbation invariance under the manifold invariance concept, where we describe a simple yet efficient perturbation strategy that ensures cases we perturb remain in the manifold of the true inputs. We subsequently illustrate how the rich latent structure exposed in the manifold can be leveraged as a source of knowledge upon which adversarial constraints can be imposed; this while learning the manifold and without resorting to exhaustive search as per common practice DBLP:conf/nips/SongSKE18 ; zhao2018generating ; ianj.goodfellow2014 . Finally, we apply our approach to images and text data in a black-box setting to generate adversarial examples that are coherent and perceptually similar to the true inputs.

The main contributions of our work are thus: (i.) a novel variational inference method for manifold learning in the presence of continuous latent variables with minimal assumptions about their distribution, (ii.) an intuitive perturbation strategy that encourages perturbed elements of a manifold to remain within the manifold, (iii.) an end-to-end pipeline that combines (i.) and (ii.) to generate adversarial examples that follow the same distribution as the inputs, and (iv.) illustration on images and text, as well as empirical validation against strong certified and non-certified adversarial defenses.

2 Problem Setup & Architecture

Problem Setup. Consider $D$ a dataset of training examples, $Y$ their corresponding classes, and $g$ a black-box classifier. We want to generate adversarial examples that are coherent. By “coherent”, we mean given an example $x \in D$ , we want its adversarial example $x^{'}$ to come from a distribution similar to $P_{x}$ of $x$ . In particular, we require $x^{'}$ to be the nearest such instance to $x$ in the manifold that defines $P_{x}$ and subject to adversariality. To produce coherent adversarial examples, we devise our approach around the invariant manifold concept defined in 10.1088/2053-2571/ab0281ch6 which we revisit below.

Definition 2.1.

Manifold Invariance 10.1088/2053-2571/ab0281ch6 . Let $(X, d)$ be a metric space and $h : X \to X$ a homeomorphism. For any point $u \in X$ , a neighborhood $U$ of $u$ is invariant under $h$ if: $v \in U \Rightarrow h (v) \in U$ .

Definition 2.1 stipulates that the topology of $U$ is preserved under $h$ as any projection $h (v)$ of $v \in U$ remains in $U$ . To see how Definition 2.1 can be enforced in an adversarial setting, we confine for now $U$ to an $ϵ$ -radius ball $B (u; ϵ)$ around $u$ and let $y \in Y$ be the class of $u$ . If there exists a point $w \in X$ s.t $w = h (v) \in U$ and $g (w) \neq y$ , then $w$ is adversarial to $u$ athalye2017 and is neighborhood-preserving.

In this paper, we mainly operate in the low embedding space of $D$ we denote $Z$ . Earlier, we restricted the search region for the adversarial examples of $u$ to the uniformly-bounded ball $B (u; ϵ)$ . In reality, the search region may not be as well-defined and may even be difficult to characterize especially in the dense regions of $Z$ . Thus, to adapt Definition 2.1 to $Z$ , we consider instead two embedding maps $h : X \to Z$ and $h^{'} : X \to Z$ parameterized respectively by $θ$ and $θ^{'}$ , and use $h^{'}$ to find points that lie in the vicinity of $h (u)$ in $Z$ such that when mapped back onto $X$ , the input space of $D$ , they induce adversariality. We assume here that $θ$ and $θ^{'}$ follow the implicit distributions $p (θ)$ and $p (θ^{'})$ ¹¹1Treatment of $θ$ and $θ^{'}$

as random variables as in

kingma2014 allows for model averaging yuchen2017 which we leverage..

Definition 2.2.

Adversarial Learning Objective. Let $(X, d), (Z, d)$ be metric spaces and $l_{ϕ} : Z \to X$ a mapping function. We want to learn $θ$ , $θ^{'}$ , and $ϕ$ s.t the divergence $D_{f} (p (θ) ∥ p (θ^{'}))$ is arbitrarily small, and for any $u \in X$ , $d (h (u), h^{'} (u))$ is also arbitrarily small and $g (u) \neq g (l_{ϕ} \circ h^{'} (u))$ .

Model Architecture. To attain our adversarial learning objective, we propose as a framework the architecture illustrated in Figure 2 that we design according to Definition 2.2. Our framework is essentially a variational auto-encoder with two encoders that learn to approximate the variational posterior over $D$ instead of its reparameterized form kingma2014 . To succeed in this task, we introduce two inference mechanisms – implicit manifold learning via Stein variational inference and Gram-Schmidt basis sign method – to draw instances of model parameters from the implicit distributions $p (θ)$ and $p (θ^{'})$ that we parameterize the two encoders with. Both encoders optimize the uncertainty inherent to embedding $D$ while guaranteeing easy sampling via Bayesian ensembling. The decoder $p_{ϕ}$ acts as a generative model for crafting adversarial examples and a proxy for creating latent targets in the $Z$ space in order to optimize the first encoder; a process we refer to as inversion and depict in Figure 2.

Unlike most perturbation-based approaches athalye2017 ; Shaham2018UnderstandingAT that search for adversarial examples in the input space of $D$ , we leverage the dense representation of the latent space of $D$ ; the intuition being here that the latent space captures well the semantics of $D$ . Thus, rather than finding the adversarial example of a given input $x$ in $D$ , we learn to perturb its latent code $z$ in a way that the perturbed version $z^{'}$ and $z$ lie in the same manifold. Then, we construct $x^{'}$ using our decoder $p_{ϕ}$ . By learning to efficiently perturb the latent codes, and then mapping these low-dimensional representations back onto the input space, we control the perturbations we inject to the adversarial examples thereby ensuring that they are perceptually similar to the inputs. In the following, we refer to the manifold of $D$ as the set $M$ of locally Euclidean latent representations (or points) 10.1088/2053-2571/ab0281ch6 of instances of $D$ .

Figure 1: Architecture. The model instances

θ_{m}

and

θ_{m}^{'}

are generated from the networks

f_{η}

and

f_{η^{'}}

and used to sample

z_{m}

and

z_{m}^{'}

given an input

x \in D

, for any

m \in {1, . . ., M}

x^{'}

is generated from posterior sampling (in red) of a

z^{'}

, via Bayesian ensembling, that is passed to the decoder

p_{ϕ}

Figure 2: Inversion. During an inner update, noise

ξ

is fed to

f_{η}

to generate

θ

. Given

x \in D

, we sample

z \sim p (z | x; θ)

and reconstruct to

~ x

. Then, using

~ x

we sample again

~ z \sim p (z | ~ x; θ)

. Now,

~ z

becomes the target of

z

. At the next update,

~ z

becomes the prediction, and we repeat this process to create a target for

~ z

3 Technical Background

Manifold Learning. To uncover structure in some high dimensional data $D$ and understand its meta-properties, it is common practice to map $D$ to a low dimensional subspace where explanatory hidden features may become apparent. Manifold learning is based on the assumption that the data of interest lies on or near lower dimensional manifolds in its embedding space. In the variational auto-encoder (VAE) kingma2014 setting upon which we build our work, the datapoints $x_{n} \in D$ are modeled via a decoder $x_{n} | z_{n} \sim p_{ϕ} (x_{n} | z_{n})$ with a prior $p (z)$ placed on the latent codes $z_{n}$ . To learn the parameters $ϕ$ , one typically maximizes a variational approximation to the empirical expected log-likelihood, $1 / N \sum_{n = 1}^{N} log p_{ϕ} (x_{n})$ , called evidence lower bound (ELBO) and defined by:

\begin{matrix} L_{e} (ϕ, ψ; x) = E_{z | x; ψ} log [\frac{p (x | z; ϕ) p (z)}{q (z | x; ψ)}] = - D_{K L} (q (z | x; ψ) ∥ p (z | x; ϕ)) + log p (x; ϕ) . \end{matrix}

(1)

To evaluate the objective $L_{e}$ , we require the ability to sample efficiently from $q (z | x; ψ)$ , the encoder distribution which approximates the posterior inference $p (z | x; ϕ)$ . Specifically, we need a closed and differentiable form for $q_{ψ}$ in order to evaluate the expectation. The reparameterization trick kingma2014 provides a simple way to rewrite the expectation $E_{z | x; ψ}$

such that the Monte Carlo estimate of

L_{e}

is differentiable w.r.t

ψ

. More formally, under some mild differentiability conditions kingma2014 , the random variable

z \sim q_{ψ} (z | x)

can be reparameterized using a differentiable transformation

g_{ψ} (ϵ, x)

of an auxiliary noise variable

ϵ

z = g_{ψ} (ϵ, x) with ϵ \sim p (ϵ)

where the prior

p (ϵ)

is generally confined to a family of simple and tractable distributions

like a Gaussian distribution.

Stein Variational Gradient Descent (SVGD) qiangliu2016 is a nonparametric variational inference method that combines the advantages of MCMC sampling and variational inference. Unlike variational bayes in VAEs kingma2014 , SVGD does not confine the target distributions it approximates to simple or tractable parametric distributions while still remaining efficient. To approximate the target distribution $p (θ)$ , SVGD maintains $M$ particles $Θ = {θ_{m}}_{m = 1}^{M}$ , initially sampled from a simple distribution, it iteratively transports via functional gradient descent. Henceforward, we shall consider these particles as instances of model parameters. At iteration $t$ , each particle $θ_{t} \in Θ_{t}$ is updated as follows:

\begin{matrix} θ_{t + 1} \leftarrow θ_{t} + α_{t} τ (θ_{t}) where \begin{matrix} τ (θ_{t}) = \frac{1}{M} M \sum j = 1 [ & k (θ_{t}^{j}, θ_{t}) \nabla_{θ_{t}^{j}} log p (θ_{t}^{j}) + \nabla_{θ_{t}^{j}} k (θ_{t}^{j}, θ_{t})], \end{matrix} \end{matrix}

(2)

where $α_{t}$ is a step-size and $k (., .)$ is a positive-definite kernel. In eq. (2), each particle determines its update direction by consulting with other particles and asking their gradients. The importance of the latter particles is weighted according to the distance measure $k (., .)$ . Closer particles are given higher consideration than those lying further away. The term $\nabla_{θ^{j}} k (θ^{j}, θ)$ is a regularizer that acts as a repulsive force between the particles to prevent them from collapsing into one particle. The resulting particles can thus be used to approximate the predictive posterior distribution over $D$ :

(3)

4 Proposed Method

We first describe a novel variational inference method to learn $M$ the manifold of $D$ . Then, we introduce a technique to perturb the elements of $M$ while ensuring $M$ is invariant to the perturbations. Finally, we describe our end-to-end process for generating manifold preserving adversarial examples.

4.1 Implicit Manifold Learning

As described in section 3, it is customary to optimize the ELBO in eq. (1) when training VAEs due to the intractability of the data-likelihood. Moreover, we need a closed and differentiable form for the encoder $q_{ψ}$ . This is achieved by reparameterizing the encoder $q_{ψ}$ using a differentiable transformation of some auxiliary Gaussian noise variable. Constraining the noise to be Gaussian is however too restrictive 2015arXiv150505770J and may lead to learning poorly the manifold of the data DBLP:journals/corr/ZhaoSE17b . To alleviate this issue, one can minimize the divergence $D_{K L} (q (z | x; ψ) ∥ p (z | x; ϕ))$ as in yuchen2017 instead of optimizing the ELBO explicitly. In yuchen2017 , for an input $x \in D$ , the authors draw $M$ latent codes using a recognition network and update them via SVGD. Similar to yuchen2017 , we focus on the $D_{K L}$ term and use a recognition network to sample $M$ model instances $Θ = {θ_{m}}_{m = 1}^{M}$ we denote particles. Unlike yuchen2017 , however, we generate the latent codes using $Θ$ instead of applying dropout noise on the recognition network.

We aim to leverage $Θ$ to map $D$ to some manifold $M$ in the latent space $Z$ . This encoding inherently induces uncertainty we ought to capture in order to learn $M$ efficiently. Bayesian methods provide a principled way to model uncertainty through the posterior distribution over model parameters. Thus, we let every particle $θ_{m} \in Θ$

define the weights and biases of a Bayesian neural network. For large

M

, maintaining the particles can be computationally prohibitive because of the memory footprint. Furthermore, the need to generate the particles during inference for each test example is undesirable. To remedy this, we train a recognition network

f_{η}

parameterized by

η

that takes as input some noise

ξ_{m} \sim N (0, I)

and outputs

θ_{m} \sim f (ξ_{m}; η)

. The parameters

η

are updated through a small number of gradient steps in order to produce good generalization performance. If we let

η^{n}

be the parameters of

f

at iteration

n

, and given

τ

which we defined in eq. (2), we get

η^{n + 1}

by:

\begin{matrix} η^{n + 1} \leftarrow argmin η M \sum m = 1 ∥ f (ξ_{m}; η^{n})      θ_{m}^{n} - θ_{m}^{n + 1} ∥_{2}^{2} where θ_{m}^{n + 1} \leftarrow θ_{m}^{n} + ϵ τ (θ_{m}^{n}) . \end{matrix}

(4)

In the following, we shall use SVGD $_{τ} (Θ$ ) to denote an SVGD update of $Θ$ using $τ$ . To apply SVGD $_{τ}$ , we need to evaluate $τ$ which no longer depends on the prior $p (θ_{t}^{j})$ but on the posterior $p (z | x; D)$ (eq. 3) as $D$ is observed. Computing this posterior requires having a target $z$ for $x$ . Hence, we use our decoder $p_{ϕ}$ to create a target for $x$ by first sampling $z \sim p (z | x; D)$ , then reconstructing $~ x \sim p (x | z; ϕ)$ , and then re-sampling the target $~ z \sim p (z | ~ x; D)$ . We summarize this procedure in Figure 2.

As in yuchen2017 , $f_{η}$ plays a role analogous to $q_{ψ}$ in eq. (1). It gives us means to sample latent codes from a particle $θ_{m}$ given an input $x$ without imposing an explicit and functional parametric form for $q_{ψ}$ . Unlike yuchen2017 , we do not apply SVGD on the latent codes but on the particles that generate the codes. By also being Bayesian, every particle $θ_{m}$ provides some prior information $p (θ_{m})$ on how to sample these codes. During training and inference, we use Bayesian model averaging to get a latent code $z$ from $x$ ; formally, if $x \in D$ , for instance, then $z \sim p (z | x; D)$ where the posterior $p$ is given in eq. (3).

4.2 Perturbation Invariance

Previously, we described a method to encode $D$ in its manifold $M$ . Here, we focus on learning to perturb the elements of $M$ . We require the perturbed elements to reside in $M$ so that they exhibit the features of $M$ . Intuitively, we seek a linear mapping $h : M \to M$ such that if $U \subset M$ : $v \in U \Rightarrow h (v) \in U$ 10.1088/2053-2571/ab0281ch6 . Linear spans, for instance, satisfy this condition. We say then that $U$ is $h$ -invariant or preserved under $h$ . Rather than finding $h$ directly, we introduce a new set of model instances $Θ^{'} = {θ^{'}}_{m = 1}^{M}$ and let every $θ_{m}^{'}$ denote the weights and biases of a Bayesian neural network. Then, if $x \in D$ and $z \in M$ is its latent code with $z \sim p (z | x; D)$ in eq.(3), we can set $h (z) = z^{'}$

\begin{matrix} where z^{'} \sim p (z^{'} | x; D) = \int p (z^{'} | x; θ^{'}) p (θ^{'} | D) d θ^{'} \approx \frac{1}{M} M \sum m = 1 p (z^{'} | x; θ_{m}^{'}) with θ_{m}^{'} \sim p (θ^{'} | D) . \end{matrix}

We leverage the local smoothness of $M$ to learn each $θ_{m}^{'} \in Θ^{'}$ in a way to encourage $z^{'}$ to reside in $M$ in a close neighborhood of $z$ using a novel technique called Gram-Schmidt Basis Sign Method.

Gram-Schmidt Basis Sign Method (GBSM). Let $B_{x}$ be a minibatch of samples of $D$ . For $1 \leq m \leq M$ , let $B_{z}^{m}$ be a set of latent codes $z_{i m} \sim p (z | x_{i}; θ_{m})$ where $x_{i} \in B_{x}$ and $θ_{m} \in Θ$ . We aim to learn $θ_{m}^{'}$ in a way to generate perturbed versions of $z_{i m} \in B_{z}^{m}$ along the directions of an orthonormal basis $U_{m}$ . Given that $M$ is locally Euclidean, we can compute the dimensions of its subspace $B_{z}^{m}$ by applying Gram-Schmidt to orthogonalize the span of representative local points. We formalize this objective as an optimization problem where we jointly learn the perturbations $λ_{m}$ , the directions $sign (U_{m})$ along which we should perturb $B_{z}^{m}$ , and $θ_{m}^{'}$ . Formally, we minimize the objective $σ$ :

argminλm,θ′mσ(λm,θ′m)\coloneqq∑zim∥∥z′im−[zim+λm⊙sign(uim)]∥∥22where z′im∼p(z′|xi;θ′m),uim=zim−i−1∑j=1projujm(zim) % and projuj(zi)=⟨uj,zi⟩∥uj∥22uj.

(5)

To describe more the minimization process in eq. (5), we first sample a model instance $θ_{m}^{'}$ given $m$ . Then, we generate the codes $z_{i m}^{'} \sim p (z^{'} | x_{i}; θ_{m}^{'})$ for all $x_{i} \in B_{x}$ . We orthogonalize $B_{z}^{m}$

and find the noise tensor

λ_{m}

that minimizes

σ

along the directions of the basis vectors

u_{i m} \in U_{m}

. The goal is to get the values of

λ_{m}

to be as small as possible. With

λ_{m}

fixed, we update

θ_{m}^{'}

by minimizing

σ

again.

Maintaining $Θ^{'}$ for a large $M$ can however be computationally prohibitive. Thus, as in section 4.1, we use a recognition network $f_{η^{'}}$ that takes as input some noise $ξ_{m}^{'} \sim N (0, I)$ and generates $θ_{m}^{'} \sim f (ξ_{m}^{'}; η^{'})$ . Here also, using eq. (5), we update $η^{'}$ through a small number of gradient steps.

\begin{matrix} η^{' n + 1} \leftarrow argmin η^{'} M \sum m = 1 ∥ f (ξ_{m}^{'}; η^{^{'} n})      θ_{m}^{^{'} j} - θ_{m}^{^{'} n + 1} ∥_{2}^{2} where θ_{m}^{^{'} n + 1} \leftarrow θ_{m}^{^{'} n} - α \nabla_{θ_{m}^{^{'} n}} σ (λ_{m}, θ_{m}^{^{'} n}) . \end{matrix}

(6)

In the following, we use the notation GBSM $(Θ^{'}, λ)$ where $λ = [λ_{1}, . . ., λ_{M}]^{⊤}$ to update $Θ^{'}$ at once.

Distribution Alignment. Although GBSM confers us clear benefits in the forms of latent noise imperceptibility and sampling speed, $Θ^{'}$ may deviate from $Θ$ in which case the manifolds they learn may differ. This understandably contradicts the requirement in Definition 2.2 that the divergence $D_{f} (p (θ) ∥ p (θ^{'}))$ between the implicit distributions $p (θ)$ and $p (θ^{'})$ , hence between their samples $Θ$ and $Θ^{'}$ , needs to be small; the intuition being to get the adversarial examples to reflect the semantics of the inputs by aligning their manifolds. To remedy this, we further regularize each $θ_{m}^{'} \in Θ^{'}$ after every GBSM update. In essence, we slightly modify SVGD $_{τ}$ to ensure the model instances $θ_{t}^{'} \in Θ_{t}^{'}$ follow the transform maps constructed by $θ_{t} \in Θ_{t}$ junhan2017 at each iteration $t$ using the operator $π$ :

\begin{matrix} θ_{t + 1}^{'} \leftarrow θ_{t}^{'} + α_{t} π (θ_{t}^{'}) where \begin{matrix} π (θ_{t}^{'}) = \frac{1}{M} M \sum j = 1 [ & k (θ_{t}^{'}, θ_{t}^{j}) \nabla_{θ_{t}^{j}} log p (θ_{t}^{j}) + \nabla_{θ_{t}^{j}} k (θ_{t}^{'}, θ_{t}^{j})] . \end{matrix} \end{matrix}

(7)

Unlike $τ$ in eq. (2), with $π$ the parameters $Θ^{'}$ determine their own update direction by consulting the particles $Θ$ alone instead of consulting each other. In the following, we shall use SVGD $_{π}$ to denote the application of the gradient update rule in eq. (7) using the kernelized operator $π$ .

4.3 Manifold Preserving Adversarial Learning

In general, one can produce adversarial examples via white-box ianj.goodfellow2014 or black-box Papernot:2017:PBA:3052973.3053009 attack. In the more standard black-box case, which is the main focus of this study, we only have access to the predictions of a classifier $g$ and need to generate adversarial examples not knowing the intricacies of $g$

nor having access to its loss function. In this setting, adversarial examples are produced by maximizing an auxiliary loss, here the log-likelihood

P (y^{'} | x^{'})

, of a target class

y^{'} \in Y ∖ {y}

over an

ϵ

-radius ball around the input

x

athalye2017 . This is formalized as:

\begin{matrix} x^{'} = argmax x^{'} log P (y^{'} | x^{'}) such that ∥ x^{'} - x ∥_{% p} \leq ϵ_{attack} . \end{matrix}

(8)

Previously, we decomposed the adversarial learning problem into: (i.) manifold learning where we develop a new method to encode high-dimensional data into a low dense representation that faithfully characterizes its topological structure, and (ii.) manifold perturbation where we ensure cases we perturb remain in the manifold of the true inputs. Here, we show how both methods can be unified in one learning procedure to generate adversarial examples without resorting to exhaustive search.

We illustrate this end-to-end procedure in Algorithm 1 and describe it here. First, we sample $Θ$ , the particles that learn to model the distribution of $D$ in its manifold $M$ , from $f_{η}$ . Then, we sample $Θ^{'}$ , a set of transformations from $f_{η^{'}}$ we want $M$ to be invariant to under the perturbations these transformations induce. Both $Θ$ and $Θ^{'}$ act as encoders of $D$ but $Θ$ more faithfully than $Θ^{'}$ . Both also attempt to capture the complex uncertainty structure of $D$ by learning to approximate its predictive posterior. To optimize $Θ$ , we have to compute this posterior. We do so after the first inner update by using the inversion mechanism we described in Figure 2 in an iterative fashion. From updating $Θ$ , we optimize $f_{η}$

using stochastic gradient descent. Then, we apply the objective

σ

in eq. (7) to optimize

Θ^{'}

, and subsequently update

η^{'}

. This summarizes the inner-training of the recognition networks

f_{η}

and

f_{η}^{'}

. To generate adversarial examples, we extend the objective in eq. (8) as follows:

\begin{matrix} L = L_{rec} + min y^{'} \in Y [1_{y = y^{'}} \cdot log (1 - P (y^{'} | x^{'}))] such that L_{rec} \leq ϵ_{attack}, \end{matrix}

(9)

where $L_{rec}$ is the reconstruction error of $x$ that we formalize in section 6. The second term is the cost incurred when failing to fool the classifier $g$ and $ϵ_{attack}$ is the strength of the adversarial examples.

(x, y) \in D \times Y, M, g, β, β^{'}

Initialize

η, η^{'}, λ = [λ_{1}, . . ., λ_{M}]^{⊤}, ξ = [ξ_{1}, . . ., ξ_{M}]^{⊤}

for

n = 1

N

(number of inner updates) do

Compute

Θ = {θ_{m}}_{m = 1}^{M}

and

Θ^{'} = {θ_{m}^{'}}_{m = 1}^{M}

where

θ_{m} \sim f_{η} (ξ_{m})

and

θ_{m}^{'} \sim f_{η^{'}} (ξ_{m})

Given

x

, sample

z

and

z^{'}

using

Θ

and

Θ^{'}

, then sample

~ x \sim p (x | z, ϕ)

and

x^{'} \sim p (x | z^{'}, ϕ)

n > 1

then

η \leftarrow η - β \nabla_{η} d (Θ,

SVGD

_{τ} (Θ))

# COMMENTapply the inversion on

~ x

and update

η

λ, Θ^{'} \leftarrow

GBSM

(Θ^{'}, λ)

# COMMENTupdate

λ

and

Θ^{'}

alternatively using GBSM

η^{'} \leftarrow η^{'} - β^{'} \nabla_{η^{'}} d (Θ^{'},

SVGD

_{π} (Θ^{'}))

# COMMENT alignment of

Θ^{'}

with

Θ

and update of

η^{'}

end if

end for

Compute loss

L

in eq. (9) on

x^{'}

and propagate back its gradient.

Algorithm 1 Manifold preserving adversarial learning.

d = ∥ . ∥_{2}

is the distance.

5 Related Work

Manifold Learning. VAEs are generally used to learn manifolds DBLP:journals/corr/abs-1808-06088 ; 2018arXiv180704689F ; higgins2016 by maximizing the ELBO of the data log-likelihood DBLP:journals/corr/abs-1711-00464 ; 2017arXiv170901846C . Optimizing the ELBO requires to reparameterize the encoder to a simple distribution like a Gaussian kingma2014 . The Gaussian prior assumption is however too restrictive 2015arXiv150505770J and may lead to learning poorly the manifold of the data DBLP:journals/corr/ZhaoSE17b . To alleviate this issue, one can optimize instead the divergence between the encoder and the posterior inference as in yuchen2017 . Although our work and yuchen2017 are similar since we both use recognition networks, our approach is more general. In our case, $f_{η}$ generates the particles, which are model instances, from which we can sample infinite latent codes rather than finite pointwise estimates yuchen2017 . Also, given that our particles are Bayesian, we learn to capture better the uncertainty inherent to encoding data using VAEs.

Adversarial Examples. Studies in adversarial deep learning DBLP:journals/corr/abs-1802-00420 ; DBLP:journals/corr/KurakinGB16 ; ianj.goodfellow2014 ; athalye2017 can be categorized into two groups. The first group DBLP:journals/corr/CarliniW16a ; athalye2017 ; DBLP:journals/corr/Moosavi-Dezfooli16 proposes to generate adversarial examples directly in the input space by distorting, occluding or changing illumination in images to cause changes in classification. The second group DBLP:conf/nips/SongSKE18 ; zhao2018generating , where our work belongs, uses generative models to search for adversarial examples in the dense and continuous representation of the data rather than in its input space.

Adversarial Images. Song et al. DBLP:conf/nips/SongSKE18 propose to construct unrestricted adversarial examples in the image domain by training a conditional GAN that constrains the search region for a latent code $z^{'}$ in the neighborhood of a target $z$ . Zhao et al. zhao2018generating use also a GAN to map input images to a latent space where they conduct their search for adversarial examples. Both studies are closely related to ours. Unlike DBLP:conf/nips/SongSKE18 , however, our adversarial examples are not restricted. Contrary to DBLP:conf/nips/SongSKE18 and zhao2018generating , we do not need to set the noise level to inject to the latent codes of the true inputs as the perturbations are automatically learned. Moreover, in contrast to DBLP:conf/nips/SongSKE18 and zhao2018generating , where the search for adversarial examples is exhaustive and decoupled from the training of the GANs, our approach is end-to-end. Lastly, by capturing the uncertainty induced by the mapping of the data to latent space, we learn to characterize the semantics of the data better; which allows us thus to generate more realistic adversarial examples.

Adversarial Text.

Previous studies on adversarial text generation

pmlr-v80-zhao18b ; DBLP:journals/corr/JiaL17 ; DBLP:journals/corr/Alvarez-MelisJ17 ; DBLP:journals/corr/LiMJ16a

perform word erasures and replacements directly in the input space using domain-specific rules or heuristics or require manual curation. Similar to us, Zhao et al.

zhao2018generating propose to search for textual adversarial examples in the latent representation of the data. However, in addition to the differences mentioned above, the search for adversarial examples is handled more gracefully in our case thanks to an efficient gradient-based optimization method in lieu of a computationally expensive search in the latent space.

6 Experiments & Results

We evaluate our approach on a number of black-box classification tasks of images and text, and illustrate in Appendix A with synthetic data that our adversarial examples are manifold-preserving.

Image Datasets. For image classification, we experiment with three standard datasets: MNIST LeCun:1989:BAH:1351079.1351090 , CelebA liu2015faceattributes and SVHN 37648 . For MNIST and SVHN, each image of a digit represents the class the image belongs to. For CelebA, we group the face images according to their gender (female, male), similar to DBLP:conf/nips/SongSKE18 , and focus on gender classification.

Text Datasets. For text classification, we consider the SNLI DBLP:journals/corr/BowmanAPM15 dataset. SNLI consists of sentence pairs where each pair contains a premise and a hypothesis, and a label indicating the relationship (entailment, neutral, contradiction) between the premise and hypothesis. For instance, the following pair is assigned the label entailment to indicate that the premise entails the hypothesis.
Premise: A soccer game with multiple males playing. Hypothesis: Some men are playing a sport.

Model Settings.

We embed the image and text inputs using a convolutional neural network (CNN). To generate adversarial images, we design the decoder

p_{ϕ}

as (i.) a transpose CNN, and (ii.) a pre-trained GAN pmlr-v70-odena17a . For adversarial text generation, we consider the following designs for

p_{ϕ}

: (i.) a transpose CNN, (ii.) a language model, and (iii.) using a pre-trained ARAE pmlr-v80-zhao18b model. The recognition networks

f_{η}

and

f_{η^{'}}

are fully connected neural networks of similar architecture. To evaluate our approach, we target a range of adversarial models. For more details on the architectures of these models, features extraction,

f_{η}

f_{η}^{'}

, and the decoder

p_{ϕ}

, we refer the reader to Appendix B.

6.1 Generating Adversarial Images

Setup. As argued in DBLP:journals/corr/abs-1802-00420 , the strongest non-certified defense available against adversarial attacks is adversarial training with Projected Gradient Descent (PGD) DBLP:journals/corr/MadryMSTV17 . Thus, we evaluate the strength of our MNIST, CelebA and SVHN adversarial examples against adversarially trained ResNet DBLP:journals/corr/HeZRS15 models with a 40-step PGD and noise margin $ϵ_{attack}$ less than 0.3. The ResNet models follow the architecture design of DBLP:conf/nips/SongSKE18 . For MNIST, we also target the certified defenses DBLP:journals/corr/abs-1801-09344 and DBLP:journals/corr/abs-1711-00851 with $ϵ_{attack}$ set to 0.1.

We formalize $L_{rec}$ in eq. (9) respectively as two $p$ -norm losses and a discriminative loss. For the p-norm case, we first reconstruct using the true inputs as targets, i.e., $L_{{rec}_{1}} = ∥ x - x^{'} ∥_{p}$ where $x \in D$ and $x^{'}$ are samples we generate. For the latter, we use a pre-trained Wasserstein formulation of AC-GAN pmlr-v70-odena17a to generate samples $^x$ and set $L_{{rec}_{2}} = ∥^x - x^{'} ∥_{p}$ . Finally, we use the discriminator of the same GAN to discriminate between $x$ and $x^{'}$ . We experiment with all three $L_{rec}$ variants and report only the results for $L_{{rec}_{1}}$ where the adversarial success rates and sample quality are higher.

Adversarial Success Rate (ASR). Against the non-certified defenses, we achieve an ASR of 97.2% for MNIST, 87.6% for SVHN, and 84.4% for CelebA. The certified defenses on MNIST guarantee that no attack with $ϵ_{attack}$ less than 0.1 can have a success rate larger than 35% and 5.8% respectively DBLP:journals/corr/abs-1801-09344 ; DBLP:journals/corr/abs-1711-00851 . However, our ASR against these defenses is 95.2% and 96.8%. For all the datasets, the latent noise levels are smaller than $ϵ_{attack}$ , and the accuracies of the target models are higher than 96.3%; thus proving the effectiveness of our method in generating strong adversarial examples.

Noise Level. We compute the latent strength of the adversarial examples by evaluating the average spectral norm of the learned perturbations over few minibatch samples. For MNIST, CelebA, and SVHN, the latent nuisances are respectively $0.004 \pm 0.0003, 0.026 \pm 0.005$ , and $0.033 \pm 0.008$ , all smaller than $ϵ_{attack}$ , and significantly lower than in DBLP:conf/nips/SongSKE18 ²²2Note that our results are not directly comparable with Song et al. DBLP:conf/nips/SongSKE18 as their reported success rates are for targeted unrestricted adversarial examples manually computed from Amazon MTurkers votes unlike ours.. Beyond the imperceptibility of our adversarial examples, these noise levels show that the distributions the particles $Θ$ and the model instances $Θ^{'}$ follow are similar. This is further illustrated in Figure 7, with the KDE plots, by the overlapping marginal distributions of the clean and perturbed latent codes generated respectively from using $Θ$ and $Θ^{'}$ ; thus resulting in good sample quality as exemplified in Figure 14.

True Input 1	P: A biker races. H: A person is riding a bike. Label: Entailment
Adversary 1	H: A man races. Label: Contradiction
True Input 2	P: The girls walk down the street. H: Girls walk down the street. Label: Entailment
Adversary 2	H: A choir walks down the street. Label: Neutral
True Input 3	P: Two dogs playing fetch. H: Two puppies play with a red ball. Label: Neutral
Adversary 3	H: Two people play in the snow. Label: Contradiction

Table 1: Test samples and adversarial hypotheses: (P) for premise, (H) for Hypothesis.

6.2 Generating Adversarial Text

Setup. We perturb the hypotheses sentences to attack our SNLI classifier with the premise sentences kept unchanged. Similar to zhao2018generating , we use ARAE pmlr-v80-zhao18b for word embedding, and a CNN for sentence embedding. To generate adversarial sentences from the perturbed latent codes, we experiment with three decoders: (i.) $p_{ϕ}$ is a transpose CNN, (ii.) $p_{ϕ}$ is a language model, and (iii.) we use the decoder of a pre-trained ARAE pmlr-v80-zhao18b model. In all three cases, we use as reconstruction loss $L_{rec}$ (see eq. 9) the cross-entropy loss and condition the generation of the adversarial hypotheses on the sentence pairs premises. We detail the configuration design of each decoder in Appendix B. We generate adversarial text at word level using a vocabulary of 11,000 words only similar to zhao2018generating .

Adversarial Success Rate (ASR). Using the transpose CNN, we achieve an ASR of 67.28% against the SNLI classifier that has an accuracy of 89.42%. Table 1 shows some examples of the generated adversarial hypotheses. The adversarial examples look legible and informative, and convey generally the meaning of the perturbed sentences. Sometimes, however, we notice slight changes in the meaning of the true hypotheses. We do not report the results we achieve with the other two designs of the decoder $p_{ϕ}$ as the generated adversarial examples are mostly illegible. We posit that this is due to the compounding effect of the perturbations on the language model and a distribution shift with ARAE. We discuss these limitations and provide more examples of adversarial text samples in Appendix A.

7 Conclusion

Many adversarial learning approaches fail to enforce the semantic-relatedness that ought to exist between true inputs and their adversarial counterparts. Motivated by this fact, we developed an approach tailored to ensuring that the true inputs and their adversarial examples exhibit similar semantics by restricting the search for adversarial examples in the manifold of the true inputs. Our success rates against certified and non-certified defenses known to be resilient to traditional adversarial attacks illustrate also the effectiveness of our approach in generating strong adversarial examples.

=0mu plus 1mu

References

[1] Anish Athalye, Nicholas Carlini, and David A. Wagner. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. CoRR, abs/1802.00420, 2018.
[2] Yang Song, Rui Shu, Nate Kushman, and Stefano Ermon. Constructing unrestricted adversarial examples with generative models. In Advances in Neural Information Processing Systems 31: Annual Conference on Neural Information Processing Systems 2018, NeurIPS 2018, 3-8 December 2018, Montréal, Canada., pages 8322–8333, 2018.
[3] Zhengli Zhao, Dheeru Dua, and Sameer Singh. Generating natural adversarial examples. In International Conference on Learning Representations, 2018.
[4] Chen Liu, Ryota Tomioka, and Volkan Cevher. On certifying non-uniform bound against adversarial attacks. CoRR, abs/1903.06603, 2019.
[5] Aman Sinha, Hongseok Namkoong, and John Duchi. Certifiable distributional robustness with principled adversarial training. In International Conference on Learning Representations, 2018.
[6] Aditi Raghunathan, Jacob Steinhardt, and Percy Liang. Certified defenses against adversarial examples. CoRR, abs/1801.09344, 2018.
[7] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards deep learning models resistant to adversarial attacks. CoRR, abs/1706.06083, 2017.
[8] J. Zico Kolter and Eric Wong. Provable defenses against adversarial examples via the convex outer adversarial polytope. CoRR, abs/1711.00851, 2017.
[9] Nicholas Carlini and David A. Wagner. Towards evaluating the robustness of neural networks. CoRR, abs/1608.04644, 2016.
[10] Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. Intriguing properties of neural networks. In International Conference on Learning Representations, 2014.
[11] Alexey Kurakin, Ian J. Goodfellow, and Samy Bengio. Adversarial examples in the physical world. CoRR, abs/1607.02533, 2016.
[12] Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harvesting adversarial examples. CoRR abs/1412.6572, 2014.
[13] Marc R Roussel. Invariant manifolds. In Nonlinear Dynamics, 2053-2571, pages 6–1 to 6–20. Morgan & Claypool Publishers, 2019.
[14] Diederik P. Kingma and Max Welling. Auto-encoding variational bayes. International Conference on Learning Representations (ICLR), 2014.
[15] Anish Athalye, Logan Engstrom, Andrew Ilyas, and Kevin Kwok. Synthesizing robust adversarial examples. CoRR, abs/1707.07397, 2017.
[16] Yunchen Pu, Zhe Gan, Ricardo Henao, Chunyuan Li, Shaobo Han, and Lawrence Carin. VAE learning via Stein variational gradient descent. Neural Information Processing Systems (NIPS), 2017.
[17] Uri Shaham, Yutaro Yamada, and Sahand Negahban. Understanding adversarial training: Increasing local stability of supervised models through robust optimization. Neurocomputing, 307:195–204, 2018.
[18] Qiang Liu and Dilin Wang.
Stein variational gradient descent: A general purpose Bayesian inference algorithm.
Neural Information Processing Systems (NIPS), 2016.
[19] Danilo Jimenez Rezende and Shakir Mohamed. Variational Inference with Normalizing Flows. arXiv e-prints, page arXiv:1505.05770, May 2015.
[20] Shengjia Zhao, Jiaming Song, and Stefano Ermon. InfoVAE: Information maximizing variational autoencoders. CoRR, abs/1706.02262, 2017.
[21] Jun Han and Qiang Liu. Stein variational adaptive importance sampling.
Conference on Uncertainty in Artificial Intelligence (UAI)
, 2017.
[22] Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z. Berkay Celik, and Ananthram Swami. Practical black-box attacks against machine learning. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, ASIA CCS ’17, pages 506–519, New York, NY, USA, 2017. ACM.
[23] Bing Yu, Jingfeng Wu, and Zhanxing Zhu. Tangent-normal adversarial regularization for semi-supervised learning. CoRR, abs/1808.06088, 2018.
[24] Luca Falorsi, Pim de Haan, Tim R. Davidson, Nicola De Cao, Maurice Weiler, Patrick Forré, and Taco S. Cohen. Explorations in Homeomorphic Variational Auto-Encoding. arXiv e-prints, page arXiv:1807.04689, Jul 2018.
[25] Irina Higgins, Loic Matthey, Xavier Glorot, Arka Pal, Benigno Uria, Charles Blundell, Shakir Mohamed, and Alexander Lerchner. Early Visual Concept Learning with Unsupervised Deep Learning. arXiv e-prints, page arXiv:1606.05579, Jun 2016.
[26] Alexander A. Alemi, Ben Poole, Ian Fischer, Joshua V. Dillon, Rif A. Saurous, and Kevin Murphy. An information-theoretic analysis of deep latent-variable models. CoRR, abs/1711.00464, 2017.
[27] Liqun Chen, Shuyang Dai, Yunchen Pu, Chunyuan Li, Qinliang Su, and Lawrence Carin. Symmetric Variational Autoencoder and Connections to Adversarial Learning. arXiv e-prints, page arXiv:1709.01846, Sep 2017.
[28] Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, Omar Fawzi, and Pascal Frossard. Universal adversarial perturbations. CoRR, abs/1610.08401, 2016.
[29] Junbo Zhao, Yoon Kim, Kelly Zhang, Alexander Rush, and Yann LeCun. Adversarially regularized autoencoders. In Jennifer Dy and Andreas Krause, editors, Proceedings of the 35th International Conference on Machine Learning, volume 80 of Proceedings of Machine Learning Research, pages 5902–5911, Stockholmsmässan, Stockholm Sweden, 10–15 Jul 2018. PMLR.
[30] Robin Jia and Percy Liang. Adversarial examples for evaluating reading comprehension systems. CoRR, abs/1707.07328, 2017.
[31] David Alvarez-Melis and Tommi S. Jaakkola. A causal framework for explaining the predictions of black-box sequence-to-sequence models. CoRR, abs/1707.01943, 2017.
[32] Jiwei Li, Will Monroe, and Dan Jurafsky. Understanding neural networks through representation erasure. CoRR, abs/1612.08220, 2016.
[33] Y. LeCun, B. Boser, J. S. Denker, D. Henderson, R. E. Howard, W. Hubbard, and L. D. Jackel. Backpropagation applied to handwritten zip code recognition. Neural Comput., 1(4):541–551, December 1989.
[34] Ziwei Liu, Ping Luo, Xiaogang Wang, and Xiaoou Tang. Deep learning face attributes in the wild. In
Proceedings of International Conference on Computer Vision (ICCV)
, December 2015.
[35] Yuval Netzer, Tao Wang, Adam Coates, Alessandro Bissacco, Bo Wu, and Andrew Y. Ng. Reading digits in natural images with unsupervised feature learning. In NIPS Workshop on Deep Learning and Unsupervised Feature Learning 2011, 2011.
[36] Samuel R. Bowman, Gabor Angeli, Christopher Potts, and Christopher D. Manning. A large annotated corpus for learning natural language inference. CoRR, abs/1508.05326, 2015.
[37] Augustus Odena, Christopher Olah, and Jonathon Shlens. Conditional image synthesis with auxiliary classifier GANs. In Doina Precup and Yee Whye Teh, editors, Proceedings of the 34th International Conference on Machine Learning, volume 70 of Proceedings of Machine Learning Research, pages 2642–2651, International Convention Centre, Sydney, Australia, 06–11 Aug 2017. PMLR.
[38] Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. Deep residual learning for image recognition. CoRR, abs/1512.03385, 2015.
[39] Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. BERT: pre-training of deep bidirectional transformers for language understanding. CoRR, abs/1810.04805, 2018.
[40] Alec Radford. Improving language understanding by generative pre-training. In arXiv, 2018.
[41] Martin Heusel, Hubert Ramsauer, Thomas Unterthiner, Bernhard Nessler, Günter Klambauer, and Sepp Hochreiter. GANs trained by a two time-scale update rule converge to a nash equilibrium. CoRR, abs/1706.08500, 2017.

Appendix A: Discussion & Additional Results

Discussion: Here, we discuss some of the choices pertaining to the design of our approach, and our pilot study to manually evaluate adversarial examples we generate. We also discuss the limitations of our method and argue why a fair side-by-side comparison with [2, 3] is impossible. Finally, via empirical validation using toy data, we show that our adversarial examples are manifold-preserving.

Space/Time Complexity. As noted in [19], the Gaussian prior assumption in VAEs might be too restrictive to generate meaningful enough latent codes [20]. To relax this assumption and produce informative and diverse latent codes, we used SVGD. To generate manifold preserving adversarial examples, we proposed GBSM. Both SVGD and GBSM maintain a set of $M$ model instances. As ensemble methods, both inherit the advantages of ensemble models but also their shortcomings most notably in space/time complexity. Thus, instead of maintaining $2 * M$ model instances, we maintain only $f_{η}$ and $f_{η^{'}}$ from which we sample these model instances. We experimented with $M$ set to $2, 5, 10$ and $15$ . As $M$ increases, we notice some increase in sample quality at the expense of longer runtimes. One way to alleviate the computational overhead during training is to enforce weight-sharing for the lower layers both for the particles $θ_{m} \in Θ$ and the model instances $θ_{m}^{'} \in Θ^{'}$ . The overhead that occurs as $M$ takes on larger values reduces however drastically during inference as we need only $f_{η^{'}}$ to sample the model instances $θ_{m}^{'} \in Θ^{'}$ in order to generate adversarial examples.

Preserving Textual Meaning. To generate text adversaries, we experimented with three architecture designs for the decoder $p_{ϕ}$ : (i.) a transpose CNN, (ii.) a language model, and (iii.) the decoder of a pre-trained ARAE [29] model. The transpose CNN generates more legible text than the other two designs although we notice sometimes some changes in meaning in the generated adversarial examples. Adversarial text generation is challenging in that small perturbations in the latent codes can go unnoticed at generation whereas high noise levels can render the outputs nonsensical or uninformative. To produce text adversaries that faithfully preserve the meaning of their clean counterparts, we need powerful sentence generators (e.g. BERT [39] or GPT [40]) trained on large corpora. Training such large language models requires however time and computational resources. Furthermore, in our experiments, we only considered a vocabulary of size 10,000 words and sentences of length no more than 10 words to align our evaluation with the experimental choices of [3].

Measuring Perceptual Quality is desirable when the method relied upon to generate adversarial examples uses GANs or VAEs both known to produce often samples of limited quality. From [2, 3]’s results we illustrate in Figure 24 on page 24, we can notice that some of their adversarial images are not legitimate due to mode collapse that GANs suffer from. VAEs have also their own shortcomings in that the Gaussian prior might be too restrictive [19] to produce meaningful enough latent codes [20]. By using SVGD and GBSM, however, we alleviate this risk since we are not optimizing the ELBO explicitly. Moreover, the sampling of clean and perturbed latent codes is conditioned on the true inputs; which make them thus informative about the inputs. To effectively measure the quality of our adversarial examples, it seems therefore relevant to rely on human evaluation. Thus, for validation purposes, we carry out a pilot study which we detail below. However, a fair side-by-side comparison of our results with [2, 3], either manually or using metrics like mutual information or frechet inception distance [41], seems impossible as [2] or [3] either perform unrestricted targeted attacks – their adversarial examples might totally differ from the true inputs – or they do not target any defenses.

Human Evaluation: We carry out a pilot study to evaluate the coherence of the generated adversarial examples by asking three yes-or-no questions: (Q1) are the adversarial examples semantically sound?, (Q2) are the true inputs similar perceptually or in meaning to their adversarial counterparts? and (Q3) are there any interpretable visual cues in the adversarial images that support their misclassification? For all the datasets, we randomly select a number of samples, generate their adversarial examples and record their classes, and present a questionnaire to 10 human subjects for evaluation.

For MNIST, we pick 50 images (5 for each digit), generate adversarial examples against a 40-step PGD ResNet model with $ϵ_{attack} \leq 0.3$ and the certified defenses [6] and [8] with $ϵ_{attack} = 0.1$ . We do the same for SVHN except we only attack the 40-step PGD ResNet model. For CelebA, we also pick randomly 50 images (25 for each gender: male or female), generate adversarial examples against the 40-step PGD ResNet model. We carry out a similar pilot study for the SNLI dataset by considering only adversarial examples generated when the decoder $p_{ϕ}$ is a transpose CNN. We randomly select 20 pairs of sentences (premise and hypothesis), generate adversarial hypotheses for each sentence pair with the premise sentence kept unchanged. Next, we present the results of this pilot study along with samples of adversarial examples we generate, and compare qualitatively our samples with [2, 3].

Adversarial Images: CelebA

Here, we provide few random samples of non-targeted adversarial examples we generate with our approach on the CelebA dataset. We also provide the results of the pilot study.

Table 2: CelebA samples and their adversarial examples. Only the images in red boxes are adversarial; i.e., the gender gets changed to female if the corresponding true images were male and vice-versa.

Questionnaire	Against 40-steps PGD - Adversarial CelebA Images (%)
Question 1 (Q1): Yes	100
Question 2 (Q2): Yes	100
Question 3 (Q3): No	100

Table 3: Pilot Study

Adversarial Images: SVHN

Here, we provide few random samples of non-targeted adversarial examples we generate with our approach on the SVHN dataset. We also provide the results of the pilot study.

Table 4: SVHN samples and their adversarial examples. Images in red boxes are all adversarial.

Questionnaire	Against 40-steps PGD - Adversarial SVHN Images (%)
Question 1 (Q1): Yes	95 $^{†}$
Question 2 (Q2): Yes	100
Question 3 (Q3): No	100

Table 5: Pilot Study

$^{†}$ Some adversarial images and clean ones were difficult to evaluate due to blurriness reported in both.

Adversarial Images: MNIST

Here, we provide few random samples of non-targeted adversarial examples we generate with our approach on the MNIST dataset. We also provide the results of the pilot study.

Table 6: MNIST samples and their adversarial examples. Images in red boxes are all adversarial.

Questionnaire	Against 40-steps PGD (%)	Against Aditi et al. [6] (%)	Against Wong et al. [8] (%)
Question 1 (Q1): Yes	100	100	100
Question 2 (Q2): Yes	100	100	100
Question 3 (Q3): No	100	100	100

Table 7: Pilot Study

Adversarial Text: SNLI

Here, we provide few random samples of non-targeted adversarial examples we generate with our approach on the SNLI dataset. We also provide the results of the pilot study.

True Input 1	P: A biker races.
	H: A person is riding a bike.
	Label: Entailment
Adversary	H: A man races. Label: Contradiction
True Input 2	P: The girls walk down the street.
	H: Girls walk down the street.
	Label: Entailment
Adversary	H: A choir walks down the street. Label: Neutral
True Input 3	P: Two wrestlers in an intense match.
True Input 3	H: Two wrestlers are competing and are brothers.
	Label: Neutral
Adversary	H: Two women are playing together. Label: Contradiction
True Input 4	P: A group of people celebrate their asian culture.
	H: A group of people celebrate.
	Label: Entailment
Adversary	H: A group of people cruising in the water. Label: Neutral
True Input 5	P: Cheerleaders standing on a football field.
	H: Cheerleaders are wearing outside.
	Label: Entailment
Adversary	H: Person standing on a playing field. Label: Neutral
True Input 6	P: People are enjoying food at a crowded restaurant.
	H: People are eating in this picture.
	Label: Entailment
Adversary	H: People are enjoying looking at a crowded restaurant.
Adversary	Label: Contradiction
True Input 7	P: A wrestler celebrating his victory.
	H: A wrestler won a championship.
	Label: Entailment
Adversary	H: A rider won the championship.
Adversary	Label: Contradiction

Table 8: Examples of adversarially generated hypotheses with the true premises kept unchanged.

Questionnaire	Adversarial Hypotheses (SNLI)
Question 1 (Q1): Yes	83 %
Question 2 (Q2): Yes	75 %

Table 9: Pilot Study

Manifold Preservation: Illustration with Synthetic Data

To validate empirically that the adversarial examples we generate reside in the manifold of their original counterparts, we evaluate our approach on the 3D non-linear Swiss Roll dataset which comprises 1600 datapoints grouped in 4 classes. We illustrate in Figure 19.a the 2D plots of the manifold learned by our approach before (left) and after (right) perturbing its elements. The points in orange refer to the latent codes (of all the points in blue) whose perturbed versions (in green) induced adversariality. In Figure 19.a, we can see that the topological structure of the manifold is well preserved with the exception of few perturbed points lying a bit away from the boundary delineated by the blue points. As a result, we can see in Figure 19.c and Figure 19.d, how close the adversarial examples are to their clean counterparts.

Adversarial Sampling Quality: High-Level Comparison with Song et al. [2] & Zhao et al. [3]

As argued in the Discussion section, a fair side-by-side comparison of our results and the results from [2, 3] would not be possible given the reasons we discussed before. For illustration purposes only then, and to showcase the differences in sampling quality between our approach and [2] and [3], we show below some adversarial examples they generate. Unlike us, some of their images are not valid (see N/A marks). In contrast to us also, few of their adversarial examples, although semantically sound, fail to preserve the structure of the true inputs; for instance, in Figure 24.b row 1, we can notice the changes in structure of source class 1. The same holds for the classes 7, 8, 0 in Figure 24.d row 4.

Appendix B: Detailed Experimental Settings

	Configuration	Replicate Block
Initial Layer	$3 \times 3$ conv. $m$ maps. $1 \times 1$ stride.	_

Residual Block 1	batch normalization, leaky relu $3 \times 3$ conv. $m$ maps $1 \times 1$ stride batch normalization, leaky relu $3 \times 3$ conv. $m$ maps. $1 \times 1$ stride residual addition	$\times 10$

Residual Block 1	batch normalization, leaky relu $3 \times 3$ conv. $2 m$ maps $2 \times 2$ stride batch normalization, leaky relu $3 \times 3$ conv. $2 m$ maps. $1 \times 1$ stride average pooling, padding	_

Residual Block 2	batch normalization, leaky relu $3 \times 3$ conv. $2 m$ maps $2 \times 2$ stride batch normalization, leaky relu $3 \times 3$ conv. $2 m$ maps. $1 \times 1$ stride average pooling, padding	$\times 9$

Residual Block 2	batch normalization, leaky relu $3 \times 3$ conv. $2 m$ maps $2 \times 2$ stride batch normalization, leaky relu $3 \times 3$ conv. $2 m$ maps. $1 \times 1$ stride average pooling, padding	_

Residual Block 3	batch normalization, leaky relu $3 \times 3$ conv. $2 m$ maps $2 \times 2$ stride batch normalization, leaky relu $3 \times 3$ conv. $2 m$ maps. $1 \times 1$ stride average pooling, padding	$\times 9$

Pooling Layer	$3 \times 3$ conv. $m$ maps. $1 \times 1$ stride.	_

Output Layer	$3 \times 3$ conv. $m$ maps. $1 \times 1$ stride.	_

Table 10: ResNet Classifier.

	Name	Configuration
Recognition Networks	$f_{η}$	Input Dim: 50, Hidden Layers: [60, 70], Output Dim: Num weights & biases in $θ_{m}$
Recognition Networks	$f_{η}^{'}$	Input Dim: 50, Hidden Layers: [60, 70], Output Dim: Num weights & biases in $θ_{m}^{'}$

Model Instances	Particles $θ_{m}$	Input Dim: $28 \times 28$ (MNIST), $64 \times 64$ (CelebA), $32 \times 32$ (SVHN), 300 (SNLI) Hidden Layers: [40, 40] Output Dim (latent code): 100
Model Instances	Parameters $θ_{m}^{'}$	Input Dim: $28 \times 28$ (MNIST), $64 \times 64$ (CelebA), $32 \times 32$ (SVHN), 100 (SNLI) Hidden Layers: [40, 40] Output Dim (latent code): 100

Feature Extractor	Input Dim: $28 \times 28 \times 1$ (MNIST), $64 \times 64 \times 3$ (CelebA), $32 \times 32 \times 3$ (SVHN), $10 \times 100$ (SNLI) Hidden Layers: [40, 40] Output Dim: $28 \times 28$ (MNIST), $64 \times 64$ (CelebA), $32 \times 32$ (SVHN), $100$ (SNLI)

Decoder	Transpose CNN	For CelebA & SVHN: [filters: 64, stride: 2, kernel: 5] $\times$ 3 For SNLI: [filters: 64, stride: 1, kernel: 5] $\times$ 3
Decoder	Language Model	Vocabulary Size: 11,000 words Max Sentence Length: 10 words

SNLI classifier	Input Dim: 200, Hidden Layers: [100, 100, 100], Output Dim: 3
Learning Rates	Adam Optimizer $(δ = {5.10}^{- 4}), α = 10^{- 3}, β = β^{'} = 10^{- 2}$
More settings	Batch size: 64, Inner-updates: 3, Training epochs: 500, $M = 5$

Table 11: Model Configurations + SNLI Classifier + Hyper-parameters.

Manifold Preserving Adversarial Learning

Authors

Approximate Manifold Defense Against Multiple Adversarial Perturbations

Adversarial Gain

On Need for Topology-Aware Generative Models for Manifold-Based Defenses

Variational Inference with Latent Space Quantization for Adversarial Resilience

Gotta Catch 'Em All: Using Concealed Trapdoors to Detect Adversarial Attacks on Neural Networks

Adversarial Risk and the Dangers of Evaluating Against Weak Attacks

1 Introduction

2 Problem Setup & Architecture

Definition 2.1.

Definition 2.2.

3 Technical Background

4 Proposed Method

4.1 Implicit Manifold Learning

4.2 Perturbation Invariance

4.3 Manifold Preserving Adversarial Learning

5 Related Work

6 Experiments & Results

6.1 Generating Adversarial Images

6.2 Generating Adversarial Text

7 Conclusion

References

Appendix A: Discussion & Additional Results

Adversarial Images: CelebA

Adversarial Images: SVHN

Adversarial Images: MNIST

Adversarial Text: SNLI

Manifold Preservation: Illustration with Synthetic Data

Adversarial Sampling Quality: High-Level Comparison with Song et al. [2] & Zhao et al. [3]

Appendix B: Detailed Experimental Settings

Manifold Preserving Adversarial Learning

Authors

Approximate Manifold Defense Against Multiple Adversarial Perturbations

Adversarial Gain

On Need for Topology-Aware Generative Models for Manifold-Based Defenses

Variational Inference with Latent Space Quantization for Adversarial Resilience

Gotta Catch 'Em All: Using Concealed Trapdoors to Detect Adversarial Attacks on Neural Networks

Adversarial Risk and the Dangers of Evaluating Against Weak Attacks

This week in AI

1 Introduction

2 Problem Setup & Architecture

Definition 2.1.

Definition 2.2.

3 Technical Background

4 Proposed Method

4.1 Implicit Manifold Learning

4.2 Perturbation Invariance

4.3 Manifold Preserving Adversarial Learning

5 Related Work

6 Experiments & Results

6.1 Generating Adversarial Images

6.2 Generating Adversarial Text

7 Conclusion

References

Appendix A: Discussion & Additional Results

Adversarial Images: CelebA

Adversarial Images: SVHN

Adversarial Images: MNIST

Adversarial Text: SNLI

Manifold Preservation: Illustration with Synthetic Data

Adversarial Sampling Quality: High-Level Comparison with Song et al. [2] & Zhao et al. [3]

Appendix B: Detailed Experimental Settings