Adversarial samples are slightly perturbed inputs that can make neural networks misclassify. They are carefully crafted by searching for variations in the input that, for example, could decrease the soft-labels of the correct class. Since they were discovered some years ago 3 , the number of adversarial samples have grown in both number and types. Random noise were shown to be recognized with high confidence by neural networks 7 , universal perturbations, that can be added to almost any image to generate an adversarial sample, were shown to exist moosavi2017universal and the addition of crafted patches were shown to cause networks to misclassify brown2017adversarial . Actually, only one pixel is enough to make networks misclassify su2017one . Such attacks can also be easily transferred to real world scenarios kurakin2016adversarial ,athalye2017synthesizing which confers a big issue as well as security risk for current deep neural networks’ applications.
Albeit the existence of many defenses, there is not any known learning algorithm or procedure that can defend against adversarial attacks consistently. Many works have tried to defend by hiding or modifying the gradients to make neural networks harder to attack. However, a recent paper show that most of these defenses falls into the class of obfuscated gradients which have their own shortcomings (e.g., they can be easily bypassed by transferable attacks) athalye2018obfuscated . Additionally, the use of an augmented dataset with adversarial samples (named adversarial training) is perhaps one of the most successful approaches to construct robust neural networks goodfellow2014explaining ,huang2015learning , madry2017towards . However, it is still vulnerable to attacks and has a strong bias to the type of adversarial samples used in training tramer2017ensemble .
This shows that a deeper understanding of the issues are needed to enable more consistent defenses to be created. Few works focused on understanding the reason behind such lack of robustness. In goodfellow2014explaining it is argued that Deep Neural Networks’s (DNN) linearity are one of the main reasons. Another recent investigation proposes that attacks are actually changing where the algorithm is paying attention vargas2019understanding .
In this paper, we reveal a link between deep representations’ quality and attack susceptibility. We propose a test called Raw Zero-Shot and two metrics to evaluate DNN’s representations. The idea is that unknown classes provides hints over the representation of common features and attributes learned.
2 Related Work
Adversarial machine learning can be defined as a constrained optimization problem in which the objective is to find adversarial samples. Let be the output of a learning algorithm denoted by function in which is the input of the algorithm for input and output of sizes (images with three channels are considered) and . Adversarial samples x’ can be defined as follows:
in which is a slightly perturbed input. Adversarial machine learning can be defined as the following constrained optimization problem (untargeted black-box attacks are considered):
in which denotes the correct class’s soft-label . The optimization is constrained by a threshold to disallow perturbations which could make x unrecognizable or have enough modifications to cause a change in its correct class. Therefore, the constraint is a formal definition of what constitutes an imperceptible perturbation. Many different norms are used in the literature (e.g., , , and ) which results in different types of attacks.
2.1 Recent Advances in Attacks and Defenses
DNNs were shown vulnerable to many types of attacks. For example, they output high confidency results to noise images7 , universal perturbations in which a single perturbation can be added to almost any input to create an adversarial sample are possible moosavi2017universal , the addition of image patches can also make them misclassify brown2017adversarial . Moreover, the vulnerability can be exploited even with a single pixel, i.e., changing a single pixel is often enough to make a DNNs misclassify su2017one . Most of these attacks can be transformed into real world attacks by simply printing the adversarial samples kurakin2016adversarial . Moreover, crafted glasses sharif2016accessorize or even general 3d adversarial objects athalye2017synthesizing can be used as attacks.
Although many defensive systems were proposed to tackle the current problems, there is still no consistent solution available. Defensive distillation in which a smaller neural network squeezes the content learned by the original DNN was proposedpapernot2016distillation . However, it was shown to not be robust enough carlini2017towards . Adversarial training was also proposed as a defense, in which adversarial samples are used to augment the training dataset goodfellow2014explaining ,huang2015learning , madry2017towards . With adversarial training, DNNs increase slightly in robustness but not without a bias towards the adversarial samples used and while still being vulnerable to attacks in general tramer2017ensemble . There are many recent variations of defenses in which the objective is to hide the gradients (obfuscated gradients) ma2018characterizing , guo2017countering song2017pixeldefend . However, they can be bypassed by various types of attacks (such as attacks not using gradients, transfer of adversarial samples, etc) athalye2018obfuscated ,uesato2018adversarial .
There are a couple of works which are trying to understand the reason behind such lack of robustness. In goodfellow2014explaining , it is argued that the main reason may lie in DNNs’ lack of non-linearity. Another work argues that the perturbations causes a change in the saliency of images which makes the model switch the attention to another part of it vargas2019understanding .
2.2 Zero-Shot learning
Zero-Shot learning is a method used to estimate unknown classes which do not appear in the training data. The motivation of Zero-Shot learning is to transfer knowledge from training classes to unknown classes.
Existing methods basically approach the problem by estimating unknown classes from an attribute vector defined manually. Attribute vectors are annotated to both known and unknown classes, and for each class, whether an attribute, such as “color” and “shape”, belongs to the class or not is represented by 1 or 0. In transfer learning, the attribute vector is called source data and the feature vector generated from an image is called target data. Inlampert2009learning the authors proposed Direct Attribute Prediction (DAP)
model which learns each parameter for estimating the attributes from the target data. Afterwards, it estimates an unknown class of the source data which is estimated from the target data by using these parameters. In other words, this method projects target data into the source domain to classify the unknown classes. Based on this research, other Zero-Shot learning methods have been proposed which uses an embedded representation generated using a natural language processing algorithm instead of a manually created attribute vectorzhang2016zero ; fu2015transductive ; norouzi2013zero ; akata2015evaluation ; bucher2016improving . The opposite direction was proposed in shigeto2015ridge which learned how to project from the source domain to the target data.
In zhang2015zero a different approach to estimate unknown classes is proposed. This method constructs the histogram of known classes distribution for an unknown class. In this approach it is assumed that the unknown classes are the same if these histograms generated in the target domain and in the source domain are similar. This is similar to our approach because our method approach to represent an unknown class as the distribution of known classes. However, our objective is not estimating the unknown class and we do not use the source domain. Our objective here is to analyze DNNs’ representation by using this distribution.
3 Raw Zero-Shot
In this paper, we propose to evaluate the representation learned by conducting experiments over the soft-labels of the image in unknown classes. This is based on the hypothesis that if a model is capable of learning useful features, an unknown class would also trigger some of these features inside the model. We call this type of test over unknown classes and without any other information, Raw Zero-Shot (Figure 1).
The Raw Zero-Shot is a supervised learning test in which onlyof the classes are shown to the classifier during training. The classifier also has only possible outputs. During testing, only unknown classes are presented to the classifier. The soft-labels outputted for the given unknown class is recorded and the process is repeated for all possible classes, removing a different class each time.
To evaluate the representation quality, metrics are used to process the soft-labels. These metrics are based on hypothesis of what defines a feature or a class. The following subsections define two of them.
3.1 Davies-Bouldin Metric - Clustering Hypothesis
Soft labels of a classifier composes a space in which a given image would be classified as a weighted vector in relation to the previous classes learned. Considering that a cluster in this space would constitute a class, we can use clustering validation techniques to evaluate the representation.
Here we choose for simplicity one of the most used metric in internal cluster validation, Davies-Bouldin Index (DBI). DBI is defined as follows:
in which cn is the centroid of the cluster, e is one soft-label and is the number of samples.
3.2 Amalgam Metric - Amalgam Hypothesis
If DNNs are able to learn the features present in the classes, it would be reasonable to consider that the soft-labels describe a given image as a combination of the previous learned classes. This is also true when an image contains an unknown class. Similar to a vector space in linear algebra, the soft-labels can be combined to describe unknown objects in this space. This is analogous to how children describe previously unseen objects as a combination of previously seen objects. Differently from the previous metric, here we are interested in the exact values of the soft-labels. However, what would constitute the correct soft-labels for a given unknown class needs to be determined.
To calculate the correct soft-label of a given unknown class (amalgam proportion) automatically, we use here the assumption that accurate classifiers should output a good approximation of the amalgam proportion already. Therefore, if a classifier is trained in the classes, the soft-labels of the remaining classes is the amalgam proportion. Consequently, the Amalgam Metric (AM) is defined as:
in which, e’ is the normalized (such that they sum to one) soft-label from the classifier trained over classes and e is the soft-labels from the classifier trained over classes.
4 Raw Zero-Shot Experiments
Here, we conduct Raw Zero-Shot experiments to evaluate the representation of DNNs. To obtain results over a wide range of architectures, we chose to evaluate CapsNet (a recently proposed completely different architecture based on dynamic routing and capsules) sabour2017dynamic , ResNet (a state-of-the-art architecture based on skip connections)he2016deep , Network in Network (NIN) (an architecture which uses micro neural networks instead of linear filters) 31
, All Convolutional Network (AllConv) (an architecture without max pooling and fully connected layers)21 and LeNet (a simpler architecture which is also a historical mark) lecun1998gradient . All the experiments are run over the CIFAR dataset by using a training dataset with all the samples of one specific class removed. This process is repeated for all classes, removing the samples of a different class each time.
To link the results obtained here with the robustness of neural networks, we conducted adversarial attacks on all the architectures tested. Attacks of both and norms are conducted using the Covariance matrix adaptation evolution strategy (CMAES) hansen2003reducing as the optimization algorithm. Table 1 shows the robustness results. The total successful results is the sum of four attacks with different thresholds (thresholds of , , and are used) for each attack type ( and ).
4.1 Experiments on DBI Metric
Table 2 shows the results with the DBI metric (the smallest the better). According to this metric, CapsNet possesses a better representation when compared to other architectures. This also matches with the attacks in which CapsNet is the most robust of all architectures. LeNet is the only architecture which does not match well with the attacks, in which it is the least robust architecture but here receives a slightly better evaluation than AllConv, ResNet and NIN. Here we formulate two possible interpretations for the results. One interpretation is that this might be related with one of the shortcomings of the DBI’s metric which is explained below. Another possible interpretation is that albeit the lower accuracy and robustness, LeNet’s representation is actually better. Below we explain how this might be possible without contradicting the results.
Interpretation 1: DBI’s shortcoming
- The DBI metric measures the within cluster distance which is an internal cluster validity criteria. Therefore, it favors clusters in which points are close together. The employment of this metric is based on the principle that soft-labels acquired from the unknown class should be similar to each other. This per se is not a problem, however, what is close and what is far away depends on the feature space. In this way, comparing very different feature spaces may result in incomparable results which might be the case of LeNet which has around ten times less variables and consequently a possibly more compact feature space.
Interpretation 2: LeNet’s representation is actually better
- A possible interesting interpretation is that shallower networks possess a better representation than deeper networks. To achieve higher accuracy, however, deeper networks increase in parameter size but end up with a worse representation. In this case, the lack of robustness of LeNet is not because its representation alone has failed but because it is easier to find adversarial samples in shallower architectures (less complex search space).
Figure 2 shows a visualization of DBI’s results. DBI results are visualized using a projection into two dimensions while preserving the high-dimensional distance between the points. Here we use the Isomap tenenbaum2000global to achieve this. It can be easily observed that CapsNet’s results are visually closer than other architectures.
4.2 Experiments on Amalgam Metric
Here we evaluated the AM of CapsNet, AllConv, ResNet, NIN and LeNet. The results are shown on Table 3. The histograms’ absolute difference ( from Equation 4) as well as the histograms themselves ( and from Equation 4) are plotted in Figures 3 and 6 respectively.
AllConv and CapsNet received the best scores which is in accordance with their top robustness score (attacks are less successful). NIN and ResNet perform poorly also in accordance with the robustness results. LeNet, however, is again the exception with a middle AM score while being the worst in terms of robustness (easily attacked). This points out to a higher likelihood for a better LeNet representation rather than a simple shortcoming of the metrics.
It is interesting to note that in Figure 6 the histograms from CapsNet is clearly different from the other ones, in accordance with the complete different architecture used by CapsNet. This demonstrates that this metric is able to capture the representation differences present in the architectures. In Figure 3
, the absolute difference between histograms for each class is plotted. Albeit some variance in the mean, there is no strong influence of classes in the AM result, with top and low scorers keeping most of their difference throughout.
Here we proposed the Raw Zero-Shot method to evaluate the representation of classifiers. In order to score the soft-labels, two metrics were formally defined based on two different hypothesis of representation quality.
We show that the evaluation of representation of both metrics (DBI and AM) are linked with the robustness of neural networks. In other words, easily attacked neural networks have a lower representation score. Moreover, the behavior of different architectures spotted in the DBI and AM scores could be seen in the histograms and Isomap plots, showing that the metrics indeed capture some of the present representation differences. Interestingly, LeNet scores well in both metrics albeit being both the least accurate and robust (adversarial attacks succeed easily) which suggests that deeper architectures might be trading-off representation quality for accuracy.
Thus, the Raw Zero-Shot was able to investigate the representation quality of DNNs and explain some of the results in adversarial machine learning. It also opens up new possibilities for both evaluation and development (e.g., as a loss function) of neural networks.
This work was supported by JST, ACT-I Grant Number JP-50166, Japan. Additionally, we would like to thank Prof. Junichi Murata for the kind support without which it would not be possible to conduct this research.
-  Z. Akata, S. Reed, D. Walter, H. Lee, and B. Schiele. Evaluation of output embeddings for fine-grained image classification. In , pages 2927–2936, 2015.
-  A. Athalye, N. Carlini, and D. Wagner. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In ICML, 2018.
-  A. Athalye and I. Sutskever. Synthesizing robust adversarial examples. In ICML, 2018.
-  T. B. Brown, D. Mané, A. Roy, M. Abadi, and J. Gilmer. Adversarial patch. arXiv preprint arXiv:1712.09665, 2017.
-  M. Bucher, S. Herbin, and F. Jurie. Improving semantic embedding consistency by metric learning for zero-shot classiffication. In European Conference on Computer Vision, pages 730–746. Springer, 2016.
-  N. Carlini and D. Wagner. Towards evaluating the robustness of neural networks. In 2017 IEEE Symposium on Security and Privacy (SP), pages 39–57. IEEE, 2017.
-  Y. Fu, Y. Yang, T. Hospedales, T. Xiang, and S. Gong. Transductive multi-label zero-shot learning. arXiv preprint arXiv:1503.07790, 2015.
-  I. J. Goodfellow, J. Shlens, and C. Szegedy. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.
-  C. Guo, M. Rana, M. Cisse, and L. van der Maaten. Countering adversarial images using input transformations. In ICLR, 2018.
-  N. Hansen, S. D. Müller, and P. Koumoutsakos. Reducing the time complexity of the derandomized evolution strategy with covariance matrix adaptation (cma-es). Evolutionary computation, 11(1):1–18, 2003.
-  K. He, X. Zhang, S. Ren, and J. Sun. Deep residual learning for image recognition. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 770–778, 2016.
-  R. Huang, B. Xu, D. Schuurmans, and C. Szepesvári. Learning with a strong adversary. arXiv preprint arXiv:1511.03034, 2015.
-  A. Kurakin, I. Goodfellow, and S. Bengio. Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533, 2016.
-  C. H. Lampert, H. Nickisch, and S. Harmeling. Learning to detect unseen object classes by between-class attribute transfer. In 2009 IEEE Conference on Computer Vision and Pattern Recognition, pages 951–958. IEEE, 2009.
-  Y. LeCun, L. Bottou, Y. Bengio, P. Haffner, et al. Gradient-based learning applied to document recognition. Proceedings of the IEEE, 86(11):2278–2324, 1998.
-  M. Lin, Q. Chen, and S. Yan. Network in network. arXiv preprint arXiv:1312.4400, 2013.
-  X. Ma, B. Li, Y. Wang, S. M. Erfani, S. Wijewickrema, G. Schoenebeck, D. Song, M. E. Houle, and J. Bailey. Characterizing adversarial subspaces using local intrinsic dimensionality. arXiv preprint arXiv:1801.02613, 2018.
A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu.
Towards deep learning models resistant to adversarial attacks.In ICLR, 2018.
-  S.-M. Moosavi-Dezfooli, A. Fawzi, O. Fawzi, and P. Frossard. Universal adversarial perturbations. In 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 86–94. IEEE, 2017.
-  A. Nguyen, J. Yosinski, and J. Clune. Deep neural networks are easily fooled: High confidence predictions for unrecognizable images. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pages 427–436, 2015.
-  M. Norouzi, T. Mikolov, S. Bengio, Y. Singer, J. Shlens, A. Frome, G. S. Corrado, and J. Dean. Zero-shot learning by convex combination of semantic embeddings. arXiv preprint arXiv:1312.5650, 2013.
-  N. Papernot, P. McDaniel, X. Wu, S. Jha, and A. Swami. Distillation as a defense to adversarial perturbations against deep neural networks. In 2016 IEEE Symposium on Security and Privacy (SP), pages 582–597. IEEE, 2016.
-  S. Sabour, N. Frosst, and G. E. Hinton. Dynamic routing between capsules. In Advances in neural information processing systems, pages 3856–3866, 2017.
M. Sharif, S. Bhagavatula, L. Bauer, and M. K. Reiter.
Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition.In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 1528–1540. ACM, 2016.
-  Y. Shigeto, I. Suzuki, K. Hara, M. Shimbo, and Y. Matsumoto. Ridge regression, hubness, and zero-shot learning. In Joint European Conference on Machine Learning and Knowledge Discovery in Databases, pages 135–151. Springer, 2015.
-  Y. Song, T. Kim, S. Nowozin, S. Ermon, and N. Kushman. Pixeldefend: Leveraging generative models to understand and defend against adversarial examples. In ICLR, 2018.
-  J. Springenberg, A. Dosovitskiy, T. Brox, and M. Riedmiller. Striving for simplicity: The all convolutional net. In ICLR (workshop track), 2015.
-  J. Su, D. V. Vargas, and S. Kouichi. One pixel attack for fooling deep neural networks. arXiv preprint arXiv:1710.08864, 2017.
-  C. e. a. Szegedy. Intriguing properties of neural networks. In In ICLR. Citeseer, 2014.
-  J. B. Tenenbaum, V. De Silva, and J. C. Langford. A global geometric framework for nonlinear dimensionality reduction. science, 290(5500):2319–2323, 2000.
-  F. Tramèr, A. Kurakin, N. Papernot, I. Goodfellow, D. Boneh, and P. McDaniel. Ensemble adversarial training: Attacks and defenses. In ICLR, 2018.
-  J. Uesato, B. O’Donoghue, P. Kohli, and A. Oord. Adversarial risk and the dangers of evaluating against weak attacks. In International Conference on Machine Learning, pages 5032–5041, 2018.
-  D. V. Vargas and S. Kotyan. Model agnostic dual quality assessment for adversarial machine learning and an analysis of current neural networks and defenses. arXiv preprint, 2019.
-  D. V. Vargas and J. Su. Understanding the one-pixel attack: Propagation maps and locality analysis. arXiv preprint arXiv:1902.02947, 2019.
-  Z. Zhang and V. Saligrama. Zero-shot learning via semantic similarity embedding. In Proceedings of the IEEE international conference on computer vision, pages 4166–4174, 2015.
-  Z. Zhang and V. Saligrama. Zero-shot recognition via structured prediction. In European conference on computer vision, pages 533–548. Springer, 2016.
Appendix A Extended Analysis of DBI Metric
Figure 5 shows a visualization of DBI’s results using the multidimensional scaling method entitled t-Distributed Stochastic Neighbour Embedding (t-SNE). t-SNE provides an alternative vizualization for the Isomap plot from the main text. Similarly to the Isomap plot, t-SNE also verifies the closer distribution of points in high-dimensional space for CapsNet.
Appendix B Extended Analysis of Amalgam Metric
Figure 6 shows a visualization of equation 5 which is part of the main equation of Amalgam Metric. This equation shows the difference of the histograms. It can be noted from the figure that for most labels of CapsNet and AllConv the difference is relatively small.