ML · IT · LG · May 29, 2018

Adversarial Noise Attacks of Deep Learning Architectures -- Stability Analysis via Sparse Modeled Signals

arXiv:1805.11596v3 · 23 citations
Originality: Incremental advance
AI Analysis

This work addresses the vulnerability of deep learning models to adversarial attacks, which is a critical security issue for AI systems, though it is incremental as it builds on existing sparse representation theory.

The paper analyzes the stability of deep learning classifiers to adversarial perturbations by modeling signals with sparse representations, linking classification stability to sparsity levels and showing that layered Basis Pursuit is more robust than layered Thresholding in experiments on MNIST, CIFAR-10, and CIFAR-100.

Despite their impressive performance, deep convolutional neural networks (CNNs) have been shown to be sensitive to small adversarial perturbations. These nuisances, which one can barely notice, are powerful enough to fool sophisticated and well-performing classifiers, leading to ridiculous misclassification results. In this paper we analyze the stability of state-of-the-art deep-learning classification machines to adversarial perturbations, where we assume that the signals belong to the (possibly multi-layer) sparse representation model. We start with convolutional sparsity and then proceed to its multi-layered version, which is tightly connected to CNNs. Our analysis links between the stability of the classification to noise and the underlying structure of the signal, quantified by the sparsity of its representation under a fixed dictionary. In addition, we offer similar stability theorems for two practical pursuit algorithms, which are posed as two different deep-learning architectures - the layered Thresholding and the layered Basis Pursuit. Our analysis establishes the better robustness of the latter to adversarial attacks. We corroborate these theoretical results by numerical experiments on three datasets: MNIST, CIFAR-10 and CIFAR-100.
