An Information-Theoretic Explanation for the Adversarial Fragility of AI Classifiers

Xie, Hui; Yi, Jirong; Xu, Weiyu; Mudumbai, Raghuraman

doi:10.1109/isit.2019.8849757

Cited by 3 publications

(2 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Conversely, adversarial attacks can have significantly more dramatic effects when redundant observations of the source variable are not available. This lends support to our recently proposed "feature compression" hypothesis [11,14] as an explanation for the adversarial fragility of deep learning systems. Under this hypothesis, deep learning systems are vulnerable to adversarial attacks because they compress their data into a minimal number of features that contain enough information about the source data to allow for sufficiently accurate classification under no adversarial attacks.…”

Section: Introductionsupporting

confidence: 83%

“…Deep learning methods have revolutionized many data processing applications that had previously been considered intractable such as computer vision, natural language processing and speech recognition [1][2][3][4][5][6]. However, deep learning systems have been shown to be vulnerable to adversarial attacks [7,[7][8][9][10][11][12][13][14][15][16][17][18][19]. Specifically, it has been shown that the outputs of many deep learning systems can be manipulated with imperceptibly small perturbations applied to the inputs [10,16,[20][21][22][23].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Derivation of Information-Theoretically Optimal Adversarial Attacks with Applications to Robust Machine Learning

Yi¹,

Mudumbai²,

Xu³

2020

Preprint

Self Cite

View full text Add to dashboard Cite

We consider the theoretical problem of designing an optimal adversarial attack on a decision system that maximally degrades the achievable performance of the system as measured by the mutual information between the degraded signal and the label of interest. This problem is motivated by the existence of adversarial examples for machine learning classifiers. By adopting an information theoretic perspective, we seek to identify conditions under which adversarial vulnerability is unavoidable i.e. even optimally designed classifiers will be vulnerable to small adversarial perturbations. We present derivations of the optimal adversarial attacks for discrete and continuous signals of interest, i.e., finding the optimal perturbation distributions to minimize the mutual information between the degraded signal and a signal following a continuous or discrete distribution. In addition, we show that it is much harder to achieve adversarial attacks for minimizing mutual information when multiple redundant copies of the input signal are available. This provides additional support to the recently proposed "feature compression" hypothesis as an explanation for the adversarial vulnerability of deep learning classifiers. We also report on results from computational experiments to illustrate our theoretical results.

show abstract

Section: Introductionsupporting

confidence: 83%

Section: Introductionmentioning

confidence: 99%

Derivation of Information-Theoretically Optimal Adversarial Attacks with Applications to Robust Machine Learning

Yi¹,

Mudumbai²,

Xu³

2020

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

Artificial Intelligence: Clinical Relevance and Workflow

Moore

2022

Artificial Intelligence in Cardiothoracic Imaging

View full text Add to dashboard Cite