Classification regions of deep neural networks
This work addresses the problem of understanding and improving the robustness of deep neural networks against adversarial attacks for researchers and practitioners in machine learning, though it is incremental in building on existing geometric analysis.
The paper analyzes the geometric properties of deep neural network classifiers, showing that state-of-the-art deep nets learn connected classification regions with flat decision boundaries near datapoints, and it proposes a geometric method for detecting small adversarial perturbations and recovering labels, achieving effectiveness in these tasks.
The goal of this paper is to analyze the geometric properties of deep neural network classifiers in the input space. We specifically study the topology of classification regions created by deep networks, as well as their associated decision boundary. Through a systematic empirical investigation, we show that state-of-the-art deep nets learn connected classification regions, and that the decision boundary in the vicinity of datapoints is flat along most directions. We further draw an essential connection between two seemingly unrelated properties of deep networks: their sensitivity to additive perturbations in the inputs, and the curvature of their decision boundary. The directions where the decision boundary is curved in fact remarkably characterize the directions to which the classifier is the most vulnerable. We finally leverage a fundamental asymmetry in the curvature of the decision boundary of deep nets, and propose a method to discriminate between original images, and images perturbed with small adversarial examples. We show the effectiveness of this purely geometric approach for detecting small adversarial perturbations in images, and for recovering the labels of perturbed images.