Understanding Adversarial Robustness of Vision Transformers via Cauchy Problem
This work addresses the robustness of vision models for AI safety and reliability, providing a theoretical foundation that clarifies conflicting claims in the literature, though it is incremental as it builds on existing research on ViTs and adversarial attacks.
The paper tackles the problem of understanding the adversarial robustness of Vision Transformers (ViTs) by introducing a theoretical framework based on the Cauchy Problem, proving ViTs are Lipschitz continuous and identifying the first and last layers as critical factors, while empirically showing that Multi-head Self-Attention (MSA) only helps under weak attacks like FGSM and harms robustness under stronger attacks like PGD.
Recent research on the robustness of deep learning has shown that Vision Transformers (ViTs) surpass the Convolutional Neural Networks (CNNs) under some perturbations, e.g., natural corruption, adversarial attacks, etc. Some papers argue that the superior robustness of ViT comes from the segmentation of its input images; others say that the Multi-head Self-Attention (MSA) is the key to preserving the robustness. In this paper, we aim to introduce a principled and unified theoretical framework to investigate such an argument on ViT's robustness. We first theoretically prove that, unlike Transformers in Natural Language Processing, ViTs are Lipschitz continuous. Then we theoretically analyze the adversarial robustness of ViTs from the perspective of the Cauchy Problem, via which we can quantify how the robustness propagates through layers. We demonstrate that the first and last layers are the critical factors to affect the robustness of ViTs. Furthermore, based on our theory, we empirically show that unlike the claims from existing research, MSA only contributes to the adversarial robustness of ViTs under weak adversarial attacks, e.g., FGSM, and surprisingly, MSA actually comprises the model's adversarial robustness under stronger attacks, e.g., PGD attacks.