ML, LG · Jun 6, 2019

Understanding Adversarial Behavior of DNNs by Disentangling Non-Robust and Robust Components in Performance Metric

arXiv:1906.02494v1 · 2 citations
AI Analysis

This work addresses the problem of understanding adversarial vulnerabilities in DNNs for the machine learning community, offering a theoretical framework that could guide future research, though it is incremental in building on existing studies.

The authors tackled the relationship between generalization performance and adversarial behavior in deep neural networks by introducing a metric that disentangles robust and non-robust components, showing that current DNNs heavily rely on non-robust components for performance.

The vulnerability to slight input perturbations is a worrying yet intriguing property of deep neural networks (DNNs). Despite many previous works studying the reason behind such adversarial behavior, the relationship between the generalization performance and adversarial behavior of DNNs is still poorly understood. In this work, we reveal this relation by introducing a metric characterizing the generalization performance of a DNN. The metric can be disentangled into an information-theoretic non-robust component, responsible for adversarial behavior, and a robust component. Then, we show by experiments that current DNNs rely heavily on optimizing the non-robust component in achieving decent performance. We also demonstrate that current state-of-the-art adversarial training algorithms indeed try to robustify the DNNs by preventing them from using the non-robust component to distinguish samples from different categories. Also, based on our findings, we take a step forward and point out the possible direction for achieving decent standard performance and adversarial robustness simultaneously. We believe that our theory could further inspire the community to make more interesting discoveries about the relationship between standard generalization and adversarial generalization of deep learning models.
