Chaos Theory and Adversarial Robustness
Jonathan S. Kent jonathan.s.kent@lmco.com
Advanced Technology Center
Lockheed Martin
Sunnyvale, CA 94089, USA
Abstract
Neural networks, being susceptible to adversarial attacks, should face a strict level of scrutiny
before being deployed in critical or adversarial applications. This paper uses ideas from
Chaos Theory to explain, analyze, and quantify the degree to which neural networks are
susceptible to or robust against adversarial attacks. To this end, we present a new metric,
the "susceptibility ratio," given by $\hat{\Psi}(h, \theta)$, which captures how greatly a model's output will
be changed by perturbations to a given input.
Our results show that susceptibility to attack grows significantly with the depth of the model,
which has safety implications for the design of neural networks for production environments.
We provide experimental evidence of the relationship between $\hat{\Psi}$ and the post-attack accuracy
of classification models, as well as a discussion of its application to tasks lacking hard
decision boundaries. We also demonstrate how to quickly and easily approximate the certified
robustness radii for extremely large models, which until now has been computationally
infeasible to calculate directly.
1 Introduction
The current state of Machine Learning research presents neural networks as black boxes due to the high
dimensionality of their parameter space, which means that understanding what is happening inside of a model
regarding domain expertise is highly nontrivial, when it is even possible. However, the actual mechanics by
which neural networks operate - the composition of multiple nonlinear transforms, with parameters optimized
by a gradient method - were human-designed, and as such are well understood. In this paper, we will apply
this understanding, via analogy to Chaos Theory, to the problem of explaining and measuring susceptibility
of neural networks to adversarial methods.
It is well-known that neural networks can be adversarially attacked, producing obviously incorrect outputs
as a result of making extremely small perturbations to the input (Goodfellow et al., 2014; Szegedy et al.,
2013). Prior work, like Shao et al. (2021); Wang et al. (2018) and Carmon et al. (2019) discuss "adversarial
robustness" in terms of metrics like accuracy after being attacked or the success rates of attacks, which
can limit the discussion entirely to models with hard decision boundaries like classifiers, ignoring tasks
like segmentation or generative modeling (He et al., 2018). Other work, like Li et al. (2020) and Weber
et al. (2020), develop "certification radii," which can be used to guarantee that a given input cannot be
misclassified by a model without an adversarial perturbation with a size exceeding that radius. However,
calculating these radii is computationally onerous when it is even possible, and is again limited only to
models with hard decision boundaries.
Gowal et al. (2021) provides a brief study of the effects of changes in model scale, but admits that there
has been a dearth of experiments that vary the depth and width of models in the context of adversarial
robustness, which this paper provides. Huang et al. (2022a) also studies the effects of architectural design
decisions on robustness, and provides theoretical justification on the basis of deeper and wider models having
a greater upper bound on the Lipschitz constant of the function represented by those models. Our own work’s
connection to the Lipschitz constant is discussed in Appendix C. Wu et al. (2021a) studies the effects of model
width on robustness, and specifically discusses how robust accuracy is closely related to the perturbation
stability of the underlying model, with an additional connection to the local Lipschitzness of the represented
function. Our experimental results contradict those found in these papers in a few places, namely as to
the relationship between depth and robustness. Additionally, previous work is limited to studying advanced
State-of-the-Art CNN architectures, which introduces a number of effects that are never accounted for during
their ablations.
arXiv:2210.13235v2 [cs.LG] 5 Jul 2023
Figure 1: In a dynamical system, two trajectories with similar starting points may, over time, drift farther
and farther away from one another, typically modeled as exponential growth in the distance between them.
This growth characterizes a system as exhibiting "sensitive dependence," known colloquially as the "butterfly
effect," where small changes in initial conditions eventually grow into very large changes in the eventual
results.
Regarding the existence of adversarial attacks ab origine, Pedraza et al. (2020) and Prabhu et al. (2018)
have explained this behaviour of neural networks on the basis that they are dynamical systems, and then
use results from that analysis to try and classify adversarial inputs based on their Lyapunov exponents.
However, this classification methodology rests on loose theoretical ground, as the Lyapunov exponents of a
single input must be relative to those of similar inputs, and it is entirely possible to construct a scenario
wherein an input does not become more potent a basis for further attack solely because it is itself adversarial.
In this work, we re-do these Chaos Theoretic analyses in order to understand, not particular inputs, but
the neural networks themselves. We show that neural networks are dynamical systems, and then continuing
that analogy past where Pedraza et al. (2020) and Prabhu et al. (2018) leave off, investigate what neural-
networks-as-dynamical-systems means for their susceptibility to attack, through a combination of analysis
and experimentation. We develop this into a theory of adversarial susceptibility, the "susceptibility ratio" as a
measure of how effective attacks will be against a neural network, and show how to numerically approximate
this value. Returning to the work in Li et al. (2020) and Weber et al. (2020), we use the susceptibility ratio
to quickly and accurately estimate the certification radii of very large neural networks, aligning this paper
with prior work.
2 Neural Networks as Dynamical Systems
We will now re-write the conventional feed-forward neural network formulation in the language of dynamical
systems, in order to facilitate the transfer of the analysis of dynamical systems back to neural networks. To
begin with, we first introduce the definition of a dynamical system, per standard literature (Alligood et al.,
1998).
2.1 Dynamical Systems
In Chaos Theory, a dynamical system is defined as a tuple of three basic components, written in standard
notation as $(T, X, \Phi)$. The first, $T$, referred to as "time," takes the form of a domain obeying time-like
algebraic properties, namely associative addition. The second, $X$, is the state space. Depending on the
system, elements of $X$ might describe the positions of a pendulum, the states of memory in a computer
program, or the arrangements of particles in an enclosed volume, with $X$ being the space of all possibilities
thereof. The final component, $\Phi : T \times X \to X$, is the "evolution function" of the system. When $\Phi$ is given
a state $x_{i,t} \in X$ and a change in time $\Delta t$, it returns $x_{i,t+\Delta t}$, which is the new state of the system after $\Delta t$
time has elapsed. The $x_{i,t}$ notation will be explained in greater detail later. We will write this as
$$x_{i,t+\Delta t} = \Phi(\Delta t, x_{i,t})$$
In order to stay well defined, this has to possess certain properties, namely a self-consistency of the evolution
function over the domain $T$. A state that is progressed forward $\Delta t_a \in T$ by $\Phi$ and then progressed again
$\Delta t_b$ should yield the same state as one that is progressed $\Delta t_a + \Delta t_b$ in a single operation:
$$\Phi(\Delta t_b, \Phi(\Delta t_a, x_{i,t})) = \Phi(\Delta t_a + \Delta t_b, x_{i,t})$$
Relying partially on this self-consistency, we can take a "trajectory" of the initial state $x_{i,0}$ over time, a set
containing elements represented by $(t, \Phi(t, x_{i,0}))\ \forall t \in T$. To clarify; because each element within $X$ can
be progressed through time by the injective and self-consistent function $\Phi$, and therefore belongs to a given
trajectory,¹ it becomes both explanatory and efficient to denote every element in the same trajectory with
the same subscript index $i$, and to differentiate between the elements in the same trajectory at different
times with $t$. In order to simplify the notation, and following on from the notion that the evolution of state
within a dynamic system over time is equivalent to the composition of multiple instances of the evolution
function, we will write the elements of this trajectory as
$$\Phi(t, x_{i,0}) = \Phi^t(x_i) = x_{i,t}$$
with an additional simplification of notation using $x_i = x_{i,0}$, omitting the subscript $t$ when $t = 0$.
From these trajectories we may derive our notion of chaos, which concerns the relationship between trajectories
with similar initial conditions. Consider $x_i$ and $x_i + \delta x$, where $\delta x$ is of limited magnitude, and may
be contextualized as a subtle reorientation of the arms of a double pendulum prior to setting it into motion.
We also require some notion of the distance between two elements of the state space, but we will assume
that the space is a vector space equipped with a length or distance metric written with $| \cdot |$, and proceed
from there. For the initial condition, we may immediately take
$$|\Phi^0(x_i) - \Phi^0(x_i + \delta x)| = |\delta x|$$
However, meaningful analysis only arises when we model the progression of this difference over time. In
some systems, minor differences in the initial condition result in negligible effect, such as with the state
of a damped oscillator; regardless of its initial position or velocity, it approaches the resting state as time
progresses, and no further activity of significance occurs. However, in some systems, minor differences in the
initial condition end up compounding on themselves, like the flaps of a butterfly’s wings eventually resulting
in a hurricane. Both of these can be approximately or heuristically modeled by an exponential function,
$$|\Phi^t(x_i) - \Phi^t(x_i + \delta x)| \approx |\delta x| e^{\lambda t}$$
In each of these cases, the growing or shrinking differences between the trajectories are described by $\lambda$, also
called the Lyapunov exponent. If $\lambda < 0$, these differences disappear over time, and the trajectories of two
similar initial conditions will eventually align with one another. However, if $\lambda > 0$, these differences increase
over time, and the trajectories of two similar initial conditions will grow farther and farther apart, with their
relationship becoming indistinguishable from that of two trajectories with wholly different initial conditions.
This is called "sensitive dependence," and is the mark of a chaotic system.² It must be noted, however, that
the exponential nature of this growth is a shorthand model, with obvious limits, and is not fully descriptive
of the underlying behavior.
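The following added example (not from the paper) estimates the Lyapunov exponent numerically for two constructed one-dimensional systems in discrete time, a damped map and the logistic map at r = 4, and shows where the exponential model stops holding. The function names and both maps are assumptions chosen for illustration.

```python
import math

def evolve(step, dt, x):
    """Phi(dt, x) for discrete time T = {0, 1, 2, ...}: apply `step` dt times."""
    for _ in range(dt):
        x = step(x)
    return x

def separation(step, x0, delta, t):
    """|Phi^t(x_i) - Phi^t(x_i + dx)| for two free-running trajectories."""
    return abs(evolve(step, t, x0) - evolve(step, t, x0 + delta))

def lyapunov_exponent(step, x0, delta=1e-8, steps=2000, burn_in=100):
    """Estimate lambda in |Phi^t(x) - Phi^t(x + dx)| ~ |dx| * exp(lambda * t).

    The perturbed state is reset to distance `delta` from the reference
    state after every step, so the exponential model is only applied over
    one step at a time and never past the point where separation saturates.
    """
    x = evolve(step, burn_in, x0)   # discard the transient
    y = x + delta
    log_growth = 0.0
    for _ in range(steps):
        x, y = step(x), step(y)
        dist = abs(y - x)
        if dist == 0.0:             # trajectories merged in floating point
            return -math.inf
        log_growth += math.log(dist / delta)
        y = x + math.copysign(delta, y - x)   # renormalise, keep direction
    return log_growth / steps

# Constructed example systems (assumptions, not taken from the paper).
def damped(x):      # contracts every state toward the rest point 0
    return 0.5 * x

def logistic(x):    # logistic map at r = 4, a standard chaotic system
    return 4.0 * x * (1.0 - x)

if __name__ == "__main__":
    for name, f in (("damped", damped), ("logistic", logistic)):
        print(name, "lambda ~", round(lyapunov_exponent(f, 0.3), 3))
    # The exponential model would predict 1e-8 * e^(lambda * 200); the real
    # separation cannot exceed the size of the state space [0, 1].
    print("logistic separation at t=200:", separation(logistic, 0.3, 1e-8, 200))
```

The damped map gives a negative exponent (trajectories align) and the logistic map a positive one (sensitive dependence), while the free-running separation of the logistic map stays bounded by the state space.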
¹ Multiple trajectories may contain the same elements. For example, two trajectories such that the state at $t = 1$ of the first
is taken as the initial condition of the second. Similarly, in a system for which $\Phi$ is not bijective, two trajectories with different
initial conditions may eventually reduce to the same state at the same time. This neither impedes our analysis nor invalidates
our notation, with the caveat that neither $i \neq j$ nor $t_a \neq t_b$ guarantees that $x_{i,t_a} \neq x_{j,t_b}$.
² This is closely related to the concept of entropy, as it appears in Statistical Mechanics, but further discussion of the topic
is beyond the scope of this paper.