Theoretical evidence for adversarial robustness through randomization

Thumbnail
Date
2019
Link to item file
https://hal.archives-ouvertes.fr/hal-02892188
Dewey
Informatique générale
Sujet
Machine Learning
Conference name
33rd Conference on Neural Information Processing Systems (NIPS 2019)
Conference date
12-2019
Conference city
Vancouver
Conference country
Canada
URI
https://basepub.dauphine.fr/handle/123456789/21152
Collections
Metadata
Show full item record
Author
Pinot, Rafael
989 Laboratoire d'analyse et modélisation de systèmes pour l'aide à la décision [LAMSADE]
Meunier, Laurent
989 Laboratoire d'analyse et modélisation de systèmes pour l'aide à la décision [LAMSADE]
Araújo, Alexandre
989 Laboratoire d'analyse et modélisation de systèmes pour l'aide à la décision [LAMSADE]
Kashima, Hisashi
Yger, Florian
989 Laboratoire d'analyse et modélisation de systèmes pour l'aide à la décision [LAMSADE]
Gouy-Pailler, Cedric
Atif, Jamal
989 Laboratoire d'analyse et modélisation de systèmes pour l'aide à la décision [LAMSADE]
Type
Communication / Conférence
Abstract (EN)
This paper investigates the theory of robustness against adversarial attacks. It focuses on the family of randomization techniques that consist in injecting noise in the network at inference time. These techniques have proven effective in many contexts, but lack theoretical arguments. We close this gap by presenting a theoretical analysis of these approaches, hence explaining why they perform well in practice. More precisely, we make two new contributions. The first one relates the randomization rate to robustness to adversarial attacks. This result applies for the general family of exponential distributions, and thus extends and unifies the previous approaches. The second contribution consists in devising a new upper bound on the adversarial generalization gap of randomized neural networks. We support our theoretical claims with a set of experiments.