The Vulnerability of Learning to Adversarial Perturbation Increases with Intrinsic Dimensionality

Laurent Amsaleg 1 James Bailey 2 Dominique Barbe 3 Sarah Erfani 2 Michael Houle 4 Vinh Nguyen 2 Miloš Radovanovic 5
1 LinkMedia - Creating and exploiting explicit links between multimedia fragments
Inria Rennes – Bretagne Atlantique , IRISA_D6 - MEDIA ET INTERACTIONS
2 Department of Computing and Information Systems
3 ENS Rennes - École normale supérieure - Rennes
4 NII - National Institute of Informatics [Tokyo]
5 Department of Mathematics and Informatics [Novi Sad]
Abstract : Recent research has shown that machine learning systems, including state-of-the-art deep neural networks, are vulnerable to adversarial attacks. By adding to the input object an imperceptible amount of adversarial noise, it is highly likely that the classifier can be tricked into assigning the modified object to any desired class. It has also been observed that these adversarial samples generalize well across models. A complete understanding of the nature of adversarial samples has not yet emerged. Towards this goal, we present a novel theoretical result formally linking the adversarial vulnerability of learning to the intrinsic dimensionality of the data. In particular, our investigation establishes that as the local intrinsic dimensionality (LID) increases, 1-NN classifiers become increasingly prone to being subverted. We show that in expectation, a k-nearest neighbor of a test point can be transformed into its 1-nearest neighbor by adding an amount of noise that diminishes as the LID increases. We also provide an experimental validation of the impact of LID on adversarial perturbation for both synthetic and real data, and discuss the implications of our result for general classifiers.
Type de document :
Communication dans un congrès
WIFS 2017 - 9th IEEE International Workshop on Information Forensics and Security, Dec 2017, Rennes, France
Liste complète des métadonnées

Littérature citée [25 références]  Voir  Masquer  Télécharger
https://hal.archives-ouvertes.fr/hal-01599355
Contributeur : Laurent Amsaleg <>
Soumis le : lundi 2 octobre 2017 - 16:02:03
Dernière modification le : lundi 9 octobre 2017 - 09:06:40

Fichier

wifs-v2 (1).pdf

Identifiants

  • HAL Id : hal-01599355, version 1

Collections

IRISA | INRIA | UR1-UFR-ISTIC

Citation

Laurent Amsaleg, James Bailey, Dominique Barbe, Sarah Erfani, Michael Houle, et al.. The Vulnerability of Learning to Adversarial Perturbation Increases with Intrinsic Dimensionality. WIFS 2017 - 9th IEEE International Workshop on Information Forensics and Security, Dec 2017, Rennes, France. 〈hal-01599355〉

Exporter

BibTeX TEI DC DCterms EndNote

Partager

Métriques

Consultations de
la notice

53

Téléchargements du document

7

Contact

support.ccsd.cnrs.fr
hal.support@ccsd.cnrs.fr
Logo CCSD