Adversarial Robustness Guarantees for Random Deep Neural Networks

arXiv:2004.05923v2, 10 citations
AI Analysis

This paper provides theoretical guarantees for adversarial robustness, addressing reliability issues in deep learning for researchers and practitioners, though it is incremental as it builds on prior equivalence results.

The paper tackles the problem of adversarial examples in deep neural networks by analyzing networks with random weights, proving that the distance to the classification boundary scales inversely with the square root of input dimension, and validating this with experiments on MNIST and CIFAR10.

The reliability of deep learning algorithms is fundamentally challenged by the existence of adversarial examples, which are incorrectly classified inputs that are extremely close to a correctly classified input. We explore the properties of adversarial examples for deep neural networks with random weights and biases, and prove that for any $p\ge1$, the $\ell^p$ distance of any given input from the classification boundary scales as one over the square root of the dimension of the input times the $\ell^p$ norm of the input. The results are based on the recently proved equivalence between Gaussian processes and deep neural networks in the limit of infinite width of the hidden layers, and are validated with experiments on both random deep neural networks and deep neural networks trained on the MNIST and CIFAR10 datasets. The results constitute a fundamental advance in the theoretical understanding of adversarial examples, and open the way to a thorough theoretical characterization of the relation between network architecture and robustness to adversarial perturbations.
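The scaling stated in the abstract can be checked empirically for $p=2$. The sketch below is an added example, not code from the paper or its repository. It assumes a bias-free random ReLU network with He-scaled Gaussian weights, a binary decision given by the sign of the output $f(x)$, and the first-order estimate $|f(x)|/\|\nabla f(x)\|_2$ of the distance to the boundary; all function names are hypothetical.

```python
import math, random, statistics

def random_relu_net(n, width, depth, rng):
    """Hidden layers with He-scaled Gaussian weights plus a Gaussian readout (no biases)."""
    sizes = [n] + [width] * depth
    hidden = [[[rng.gauss(0, math.sqrt(2 / fan_in)) for _ in range(fan_in)]
               for _ in range(fan_out)]
              for fan_in, fan_out in zip(sizes, sizes[1:])]
    readout = [rng.gauss(0, math.sqrt(1 / width)) for _ in range(width)]
    return hidden, readout

def output_and_gradient(net, x):
    """Return f(x) and the gradient of f with respect to x (manual backpropagation)."""
    hidden, readout = net
    act, masks = x, []
    for W in hidden:
        pre = [sum(w * a for w, a in zip(row, act)) for row in W]
        masks.append([p > 0 for p in pre])      # which ReLUs are active
        act = [max(p, 0.0) for p in pre]
    f = sum(r * a for r, a in zip(readout, act))
    grad = readout
    for W, mask in zip(reversed(hidden), reversed(masks)):
        gated = [g if m else 0.0 for g, m in zip(grad, mask)]
        grad = [sum(gated[j] * W[j][i] for j in range(len(W))) for i in range(len(W[0]))]
    return f, grad

def relative_boundary_distance(n, rng, width=32, depth=3):
    """First-order l2 distance from x to the boundary f = 0, divided by ||x||_2."""
    net = random_relu_net(n, width, depth, rng)
    x = [rng.gauss(0, 1) for _ in range(n)]     # constructed random input
    f, grad = output_and_gradient(net, x)
    gnorm = math.hypot(*grad)
    if gnorm == 0.0:                            # every ReLU in some layer inactive
        return math.inf
    return abs(f) / (gnorm * math.hypot(*x))

def median_relative_distance(n, trials=100, seed=0):
    """Median over independent random networks and inputs of dimension n."""
    rng = random.Random(seed)
    return statistics.median(relative_boundary_distance(n, rng) for _ in range(trials))

if __name__ == "__main__":
    for n in (16, 64, 256):
        m = median_relative_distance(n)
        print(f"n={n:4d}  median d/||x|| = {m:.4f}  times sqrt(n) = {m * math.sqrt(n):.3f}")
```

If the $1/\sqrt{n}$ scaling holds, the last printed column stays roughly constant while the relative distance itself shrinks as the input dimension grows.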
