DeepAI
Log In Sign Up

Uncovering Why Deep Neural Networks Lack Robustness: Representation Metrics that Link to Adversarial Attacks

Neural networks have been shown vulnerable to adversarial samples. Slightly perturbed input images are able to change the classification of accurate models, showing that the representation learned is not as good as previously thought.To aid the development of better neural networks, it would be important to evaluate to what extent are current neural networks' representations capturing the existing features.Here we propose a test that can evaluate neural networks using a new type of zero-shot test, entitled Raw Zero-Shot.This test is based on the principle that some features are present on unknown classes and that unknown classes can be defined as a combination of previous learned features without learning bias. To evaluate the soft-labels of unknown classes, two metrics are proposed.One is based on clustering validation techniques (Davies-Bouldin Index) and the other is based on soft-label distance of a given correct soft-label.Experiments show that such metrics are in accordance with the robustness to adversarial attacks and might serve as a guidance to build better models as well as be used in loss functions to improve the models directly.Interestingly, the results suggests that dynamic routing networks such as CapsNet have better representation while some DNNs might be trading off representation quality for accuracy. Code available at <http://bit.ly/RepresentationMetrics>.

READ FULL TEXT VIEW PDF
08/17/2020

A Deep Dive into Adversarial Robustness in Zero-Shot Learning

Machine learning (ML) systems have introduced significant advances in va...
09/12/2019

Feedback Learning for Improving the Robustness of Neural Networks

Recent research studies revealed that neural networks are vulnerable to ...
06/27/2019

Evolving Robust Neural Architectures to Defend from Adversarial Attacks

Deep neural networks were shown to misclassify slightly modified input i...
01/26/2022

How Robust are Discriminatively Trained Zero-Shot Learning Models?

Data shift robustness has been primarily investigated from a fully super...
07/08/2020

How benign is benign overfitting?

We investigate two causes for adversarial vulnerability in deep neural n...
07/13/2021

Deep Neural Networks are Surprisingly Reversible: A Baseline for Zero-Shot Inversion

Understanding the behavior and vulnerability of pre-trained deep neural ...

1 Introduction

Adversarial samples are slightly perturbed inputs that can make neural networks misclassify. They are carefully crafted by searching for variations in the input that, for example, could decrease the soft-labels of the correct class. Since they were discovered some years ago 3 , the number of adversarial samples have grown in both number and types. Random noise were shown to be recognized with high confidence by neural networks 7 , universal perturbations, that can be added to almost any image to generate an adversarial sample, were shown to exist moosavi2017universal and the addition of crafted patches were shown to cause networks to misclassify brown2017adversarial . Actually, only one pixel is enough to make networks misclassify su2017one . Such attacks can also be easily transferred to real world scenarios kurakin2016adversarial ,athalye2017synthesizing which confers a big issue as well as security risk for current deep neural networks’ applications.

Albeit the existence of many defenses, there is not any known learning algorithm or procedure that can defend against adversarial attacks consistently. Many works have tried to defend by hiding or modifying the gradients to make neural networks harder to attack. However, a recent paper show that most of these defenses falls into the class of obfuscated gradients which have their own shortcomings (e.g., they can be easily bypassed by transferable attacks) athalye2018obfuscated . Additionally, the use of an augmented dataset with adversarial samples (named adversarial training) is perhaps one of the most successful approaches to construct robust neural networks goodfellow2014explaining ,huang2015learning , madry2017towards . However, it is still vulnerable to attacks and has a strong bias to the type of adversarial samples used in training tramer2017ensemble .

This shows that a deeper understanding of the issues are needed to enable more consistent defenses to be created. Few works focused on understanding the reason behind such lack of robustness. In goodfellow2014explaining it is argued that Deep Neural Networks’s (DNN) linearity are one of the main reasons. Another recent investigation proposes that attacks are actually changing where the algorithm is paying attention vargas2019understanding .

In this paper, we reveal a link between deep representations’ quality and attack susceptibility. We propose a test called Raw Zero-Shot and two metrics to evaluate DNN’s representations. The idea is that unknown classes provides hints over the representation of common features and attributes learned.

2 Related Work

Adversarial machine learning can be defined as a constrained optimization problem in which the objective is to find adversarial samples. Let be the output of a learning algorithm denoted by function in which is the input of the algorithm for input and output of sizes (images with three channels are considered) and . Adversarial samples x’ can be defined as follows:

(1)

in which is a slightly perturbed input. Adversarial machine learning can be defined as the following constrained optimization problem (untargeted black-box attacks are considered):

(2)
subject to

in which denotes the correct class’s soft-label . The optimization is constrained by a threshold to disallow perturbations which could make x unrecognizable or have enough modifications to cause a change in its correct class. Therefore, the constraint is a formal definition of what constitutes an imperceptible perturbation. Many different norms are used in the literature (e.g., , , and ) which results in different types of attacks.

2.1 Recent Advances in Attacks and Defenses

DNNs were shown vulnerable to many types of attacks. For example, they output high confidency results to noise images7 , universal perturbations in which a single perturbation can be added to almost any input to create an adversarial sample are possible moosavi2017universal , the addition of image patches can also make them misclassify brown2017adversarial . Moreover, the vulnerability can be exploited even with a single pixel, i.e., changing a single pixel is often enough to make a DNNs misclassify su2017one . Most of these attacks can be transformed into real world attacks by simply printing the adversarial samples kurakin2016adversarial . Moreover, crafted glasses sharif2016accessorize or even general 3d adversarial objects athalye2017synthesizing can be used as attacks.

Although many defensive systems were proposed to tackle the current problems, there is still no consistent solution available. Defensive distillation in which a smaller neural network squeezes the content learned by the original DNN was proposed

papernot2016distillation . However, it was shown to not be robust enough carlini2017towards . Adversarial training was also proposed as a defense, in which adversarial samples are used to augment the training dataset goodfellow2014explaining ,huang2015learning , madry2017towards . With adversarial training, DNNs increase slightly in robustness but not without a bias towards the adversarial samples used and while still being vulnerable to attacks in general tramer2017ensemble . There are many recent variations of defenses in which the objective is to hide the gradients (obfuscated gradients) ma2018characterizing , guo2017countering song2017pixeldefend . However, they can be bypassed by various types of attacks (such as attacks not using gradients, transfer of adversarial samples, etc) athalye2018obfuscated ,uesato2018adversarial .

There are a couple of works which are trying to understand the reason behind such lack of robustness. In goodfellow2014explaining , it is argued that the main reason may lie in DNNs’ lack of non-linearity. Another work argues that the perturbations causes a change in the saliency of images which makes the model switch the attention to another part of it vargas2019understanding .

2.2 Zero-Shot learning

Zero-Shot learning is a method used to estimate unknown classes which do not appear in the training data. The motivation of Zero-Shot learning is to transfer knowledge from training classes to unknown classes.

Existing methods basically approach the problem by estimating unknown classes from an attribute vector defined manually. Attribute vectors are annotated to both known and unknown classes, and for each class, whether an attribute, such as “color” and “shape”, belongs to the class or not is represented by 1 or 0. In transfer learning, the attribute vector is called source data and the feature vector generated from an image is called target data. In 

lampert2009learning the authors proposed Direct Attribute Prediction (DAP)

model which learns each parameter for estimating the attributes from the target data. Afterwards, it estimates an unknown class of the source data which is estimated from the target data by using these parameters. In other words, this method projects target data into the source domain to classify the unknown classes. Based on this research, other Zero-Shot learning methods have been proposed which uses an embedded representation generated using a natural language processing algorithm instead of a manually created attribute vector

zhang2016zero ; fu2015transductive ; norouzi2013zero ; akata2015evaluation ; bucher2016improving . The opposite direction was proposed in shigeto2015ridge which learned how to project from the source domain to the target data.

In zhang2015zero a different approach to estimate unknown classes is proposed. This method constructs the histogram of known classes distribution for an unknown class. In this approach it is assumed that the unknown classes are the same if these histograms generated in the target domain and in the source domain are similar. This is similar to our approach because our method approach to represent an unknown class as the distribution of known classes. However, our objective is not estimating the unknown class and we do not use the source domain. Our objective here is to analyze DNNs’ representation by using this distribution.

3 Raw Zero-Shot

In this paper, we propose to evaluate the representation learned by conducting experiments over the soft-labels of the image in unknown classes. This is based on the hypothesis that if a model is capable of learning useful features, an unknown class would also trigger some of these features inside the model. We call this type of test over unknown classes and without any other information, Raw Zero-Shot (Figure 1).

Figure 1: Raw Zero-Shot Illustration. Classifiers are trained on the dataset with one excluded class. In the test stage, images from the unknown class are presented and the soft-labels are recorded, which are used to infer the representation quality of the classifier. This is based on the principle that if the classifier learned general features, it should be able to use them to judge a sample from unknown class.

The Raw Zero-Shot is a supervised learning test in which only

of the classes are shown to the classifier during training. The classifier also has only possible outputs. During testing, only unknown classes are presented to the classifier. The soft-labels outputted for the given unknown class is recorded and the process is repeated for all possible classes, removing a different class each time.

To evaluate the representation quality, metrics are used to process the soft-labels. These metrics are based on hypothesis of what defines a feature or a class. The following subsections define two of them.

3.1 Davies-Bouldin Metric - Clustering Hypothesis

Soft labels of a classifier composes a space in which a given image would be classified as a weighted vector in relation to the previous classes learned. Considering that a cluster in this space would constitute a class, we can use clustering validation techniques to evaluate the representation.

Here we choose for simplicity one of the most used metric in internal cluster validation, Davies-Bouldin Index (DBI). DBI is defined as follows:

(3)

in which cn is the centroid of the cluster, e is one soft-label and is the number of samples.

3.2 Amalgam Metric - Amalgam Hypothesis

If DNNs are able to learn the features present in the classes, it would be reasonable to consider that the soft-labels describe a given image as a combination of the previous learned classes. This is also true when an image contains an unknown class. Similar to a vector space in linear algebra, the soft-labels can be combined to describe unknown objects in this space. This is analogous to how children describe previously unseen objects as a combination of previously seen objects. Differently from the previous metric, here we are interested in the exact values of the soft-labels. However, what would constitute the correct soft-labels for a given unknown class needs to be determined.

To calculate the correct soft-label of a given unknown class (amalgam proportion) automatically, we use here the assumption that accurate classifiers should output a good approximation of the amalgam proportion already. Therefore, if a classifier is trained in the classes, the soft-labels of the remaining classes is the amalgam proportion. Consequently, the Amalgam Metric (AM) is defined as:

(4)

in which, e’ is the normalized (such that they sum to one) soft-label from the classifier trained over classes and e is the soft-labels from the classifier trained over classes.

4 Raw Zero-Shot Experiments

Here, we conduct Raw Zero-Shot experiments to evaluate the representation of DNNs. To obtain results over a wide range of architectures, we chose to evaluate CapsNet (a recently proposed completely different architecture based on dynamic routing and capsules) sabour2017dynamic , ResNet (a state-of-the-art architecture based on skip connections)he2016deep , Network in Network (NIN) (an architecture which uses micro neural networks instead of linear filters) 31

, All Convolutional Network (AllConv) (an architecture without max pooling and fully connected layers)

21 and LeNet (a simpler architecture which is also a historical mark) lecun1998gradient . All the experiments are run over the CIFAR dataset by using a training dataset with all the samples of one specific class removed. This process is repeated for all classes, removing the samples of a different class each time.

Model Attack Attack Total
Capsnet 164 219 383
AllConv 176 227 403
Resnet 222 263 485
NIN 251 277 528
LeNet 337 340 677
Table 1: Number of successful and attacks on different architectures from a total of attacks. The attacks used the dual quality assessment vargas2019model .

To link the results obtained here with the robustness of neural networks, we conducted adversarial attacks on all the architectures tested. Attacks of both and norms are conducted using the Covariance matrix adaptation evolution strategy (CMAES) hansen2003reducing as the optimization algorithm. Table 1 shows the robustness results. The total successful results is the sum of four attacks with different thresholds (thresholds of , , and are used) for each attack type ( and ).

4.1 Experiments on DBI Metric

Table 2 shows the results with the DBI metric (the smallest the better). According to this metric, CapsNet possesses a better representation when compared to other architectures. This also matches with the attacks in which CapsNet is the most robust of all architectures. LeNet is the only architecture which does not match well with the attacks, in which it is the least robust architecture but here receives a slightly better evaluation than AllConv, ResNet and NIN. Here we formulate two possible interpretations for the results. One interpretation is that this might be related with one of the shortcomings of the DBI’s metric which is explained below. Another possible interpretation is that albeit the lower accuracy and robustness, LeNet’s representation is actually better. Below we explain how this might be possible without contradicting the results.

Model
CapsNet 0.23010.0163
AllConv 0.64320.1058
ResNet 0.63070.1337
NIN 0.62580.0952
LeNet 0.51610.0284
Table 2: Mean DBI of the soft-labels.
Figure 2: Visualization of the results in Table 2 using a topology preserving two-dimensional projection with Isomap. Each row shows the Isomap of one architecture. From top to bottom: CapsNet, AllConv, ResNet, NIN and LeNet.

Interpretation 1: DBI’s shortcoming

- The DBI metric measures the within cluster distance which is an internal cluster validity criteria. Therefore, it favors clusters in which points are close together. The employment of this metric is based on the principle that soft-labels acquired from the unknown class should be similar to each other. This per se is not a problem, however, what is close and what is far away depends on the feature space. In this way, comparing very different feature spaces may result in incomparable results which might be the case of LeNet which has around ten times less variables and consequently a possibly more compact feature space.

Interpretation 2: LeNet’s representation is actually better

- A possible interesting interpretation is that shallower networks possess a better representation than deeper networks. To achieve higher accuracy, however, deeper networks increase in parameter size but end up with a worse representation. In this case, the lack of robustness of LeNet is not because its representation alone has failed but because it is easier to find adversarial samples in shallower architectures (less complex search space).

Figure 2 shows a visualization of DBI’s results. DBI results are visualized using a projection into two dimensions while preserving the high-dimensional distance between the points. Here we use the Isomap tenenbaum2000global to achieve this. It can be easily observed that CapsNet’s results are visually closer than other architectures.

4.2 Experiments on Amalgam Metric

Model AM
CapsNet 124.488262.2379
AllConv 101.129954.9864
ResNet 281.2960107.8297
NIN 203.154293.0854
LeNet 144.106875.1839
Table 3: AM value for the five different architectures.

Here we evaluated the AM of CapsNet, AllConv, ResNet, NIN and LeNet. The results are shown on Table 3. The histograms’ absolute difference ( from Equation 4) as well as the histograms themselves ( and from Equation 4) are plotted in Figures 3 and 6 respectively.

Figure 3: Absolute difference between histograms for each class.
Figure 4: Histograms from which the AM is calculated. Each row shows the histograms of one architecture. From top to bottom: CapsNet, AllConv, ResNet, NIN and LeNet.

AllConv and CapsNet received the best scores which is in accordance with their top robustness score (attacks are less successful). NIN and ResNet perform poorly also in accordance with the robustness results. LeNet, however, is again the exception with a middle AM score while being the worst in terms of robustness (easily attacked). This points out to a higher likelihood for a better LeNet representation rather than a simple shortcoming of the metrics.

It is interesting to note that in Figure 6 the histograms from CapsNet is clearly different from the other ones, in accordance with the complete different architecture used by CapsNet. This demonstrates that this metric is able to capture the representation differences present in the architectures. In Figure 3

, the absolute difference between histograms for each class is plotted. Albeit some variance in the mean, there is no strong influence of classes in the AM result, with top and low scorers keeping most of their difference throughout.

5 Conclusions

Here we proposed the Raw Zero-Shot method to evaluate the representation of classifiers. In order to score the soft-labels, two metrics were formally defined based on two different hypothesis of representation quality.

We show that the evaluation of representation of both metrics (DBI and AM) are linked with the robustness of neural networks. In other words, easily attacked neural networks have a lower representation score. Moreover, the behavior of different architectures spotted in the DBI and AM scores could be seen in the histograms and Isomap plots, showing that the metrics indeed capture some of the present representation differences. Interestingly, LeNet scores well in both metrics albeit being both the least accurate and robust (adversarial attacks succeed easily) which suggests that deeper architectures might be trading-off representation quality for accuracy.

Thus, the Raw Zero-Shot was able to investigate the representation quality of DNNs and explain some of the results in adversarial machine learning. It also opens up new possibilities for both evaluation and development (e.g., as a loss function) of neural networks.

Acknowledgments

This work was supported by JST, ACT-I Grant Number JP-50166, Japan. Additionally, we would like to thank Prof. Junichi Murata for the kind support without which it would not be possible to conduct this research.

References

Supplementary Work

Appendix A Extended Analysis of DBI Metric

Figure 5 shows a visualization of DBI’s results using the multidimensional scaling method entitled t-Distributed Stochastic Neighbour Embedding (t-SNE). t-SNE provides an alternative vizualization for the Isomap plot from the main text. Similarly to the Isomap plot, t-SNE also verifies the closer distribution of points in high-dimensional space for CapsNet.

Figure 5: Visualization of the DBI Metric with t-Distributed Stochastic Neighbour Embedding (t-SNE) which focuses on the neighbour distances. Each row shows the t-SNE projections in two dimensional space for one architecture. From top to bottom: CapsNet, AllConv, ResNet, NIN and LeNet.

Appendix B Extended Analysis of Amalgam Metric

Figure 6 shows a visualization of equation 5 which is part of the main equation of Amalgam Metric. This equation shows the difference of the histograms. It can be noted from the figure that for most labels of CapsNet and AllConv the difference is relatively small.

(5)
Figure 6: Histograms of for each soft label. From top to bottom: CapsNet, AllConv, ResNet, NIN and LeNet.