Tandri Gauksson

Rima Alaifari, Giovanni S. Alberti, Tandri Gauksson

As interest in deep neural networks (DNNs) for image reconstruction tasks grows, their reliability has been called into question (Antun et al., 2020; Gottschling et al., 2020). However, recent work has shown that, compared to total variation (TV) minimization, when appropriately regularized, DNNs show similar robustness to adversarial noise in terms of $\ell^2$-reconstruction error (Genzel et al., 2022). We consider a different notion of robustness, using the $\ell^\infty$-norm, and argue that localized reconstruction artifacts are a more relevant defect than the $\ell^2$-error. We create adversarial perturbations to undersampled magnetic resonance imaging measurements (in the frequency domain) which induce severe localized artifacts in the TV-regularized reconstruction. Notably, the same attack method is not as effective against DNN based reconstruction. Finally, we show that this phenomenon is inherent to reconstruction methods for which exact recovery can be guaranteed, as with compressed sensing reconstructions with $\ell^1$- or TV-minimization.

Rima Alaifari, Giovanni S. Alberti, Tandri Gauksson

Stability is a key property of both forward models and inverse problems, and depends on the norms considered in the relevant function spaces. For instance, stability estimates for hyperbolic partial differential equations are often based on energy conservation principles, and are therefore expressed in terms of $L^2$ norms. The focus of this paper is on stability with respect to the $L^\infty$ norm, which is more relevant to detect localized phenomena. The linear wave equation is not stable in $L^\infty$, and we design an alternative solution method based on the regularization of Fourier multipliers, which is stable in $L^\infty$. Furthermore, we show how these ideas can be extended to inverse problems, and design a regularization method for the inversion of compact operators that is stable in $L^\infty$. We also discuss the connection with the stability of deep neural networks modeled by hyperbolic PDEs.

Rima Alaifari, Giovanni S. Alberti, Tandri Gauksson

While deep neural networks have proven to be a powerful tool for many recognition and classification tasks, their stability properties are still not well understood. In the past, image classifiers have been shown to be vulnerable to so-called adversarial attacks, which are created by additively perturbing the correctly classified image. In this paper, we propose the ADef algorithm to construct a different kind of adversarial attack created by iteratively applying small deformations to the image, found through a gradient descent step. We demonstrate our results on MNIST with convolutional neural networks and on ImageNet with Inception-v3 and ResNet-101.