The Curse of Concentration in Robust Learning: Evasion and Poisoning Attacks from Concentration of Measure

Mahloujifar, Saeed; Diochnos, Dimitrios I.; Mahmoody, Mohammad

doi:10.1609/aaai.v33i01.33014536

Cited by 84 publications

(90 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The setup holds asymptotically with respect to the representational dimension. In the context of metric probability spaces, Mahloujifar et al [33] blend the aforementioned approaches, by arguing that the isoperimetric inequalities hold approximately over a much larger distribution family as the dimension m goes to infinity.…”

Section: Differences With Previous Studiesmentioning

confidence: 99%

High Intrinsic Dimensionality Facilitates Adversarial Attack: Theoretical Evidence

Amsaleg

Bailey

Barbe

et al. 2021

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Machine learning systems are vulnerable to adversarial attack. By applying to the input object a small, carefully-designed perturbation, a classifier can be tricked into making an incorrect prediction. This phenomenon has drawn wide interest, with many attempts made to explain it. However, a complete understanding is yet to emerge. In this paper we adopt a slightly different perspective, still relevant to classification. We consider retrieval, where the output is a set of objects most similar to a user-supplied query object, corresponding to the set of k-nearest neighbors. We investigate the effect of adversarial perturbation on the ranking of objects with respect to a query. Through theoretical analysis, supported by experiments, we demonstrate that as the intrinsic dimensionality of the data domain rises, the amount of perturbation required to subvert neighborhood rankings diminishes, and the vulnerability to adversarial attack rises. We examine two modes of perturbation of the query: either 'closer' to the target point, or 'farther' from it. We also consider two perspectives: 'query-centric', examining the effect of perturbation on the query's own neighborhood ranking, and 'target-centric', considering the ranking of the query point in the target's neighborhood set. All four cases correspond to practical scenarios involving classification and retrieval.

show abstract

Section: Differences With Previous Studiesmentioning

confidence: 99%

High Intrinsic Dimensionality Facilitates Adversarial Attack: Theoretical Evidence

Amsaleg

Bailey

Barbe

et al. 2021

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

show abstract

“…In such so-called evasion attacks [BFR14, CW17, SZS + 14, GMP18] that find "adversarial examples", the goal of the adversary is to perturb the test input x into a "close" input x under some metric d (perhaps because this small perturbation is imperceptible to humans) in such a way that this tampering makes the hypothesis h make a mistake. In [MDM19], it was also shown that the concentration of measure can potentially lead to inherent evasion attacks, as long as the input metric probability space (X , d, µ) is concentrated. This holds e.g., if the space is a Normal Lévy family [Lév51,AM85].…”

Section: Polynomial-time Attacks On Robust Learningmentioning

confidence: 99%

Computational Concentration of Measure: Optimal Bounds, Reductions, and More

Etesami¹,

Mahloujifar²,

Mahmoody³

2020

Proceedings of the Fourteenth Annual ACM-SIAM Symposium on Discrete Algorithms

Self Cite

View full text Add to dashboard Cite

Product measures of dimension n are known to be "concentrated" under Hamming distance. More precisely, for any set S in the product space of probability Pr[S] ≥ ε, a random point in the space, with probability 1 − δ, has a neighbor in S that is different from the original point in only O( n · ln( 1 /εδ)) coordinates (and this is optimal). In this work, we obtain the tight computational (algorithmic) version of this result, showing how given a random point and access to an S-membership query oracle, we can find such a close point of Hamming distance O( n · ln( 1 /εδ)) in time poly(n, 1/ε, 1/δ). This resolves an open question of [MM19] who proved a weaker result (that works only for ε ≫ 1/ √ n). As corollaries, we obtain polynomial-time poisoning and (in certain settings) evasion attacks against learning algorithms when the original vulnerabilities have any cryptographically non-negligible probability.We call our algorithm MUCIO (short for "MUltiplicative Conditional Influence Optimizer") since proceeding through the coordinates of the product space, it decides to change each coordinate of the given point based on a multiplicative version of the influence of a variable, where the influence is computed conditioned on the value of all previously updated coordinates. MUCIO is an online algorithm in that it decides on the i'th coordinate of the output given only the first i coordinates of the input. It also does not make any convexity assumption about the set S.Motivated by obtaining algorithmic variants of measure concentration in other metric probability spaces, we define a new notion of algorithmic reduction between computational concentration of measure in different probability metric spaces. This notion, whose definition has some subtlety, requires two (inverse) algorithmic mappings one of which is an algorithmic Lipschitz mapping and the other one is an algorithmic coupling connecting the two distributions. As an application, we apply this notion of reduction to obtain computational concentration of measure for high-dimensional Gaussian distributions under the ℓ 1 distance.We further prove several extensions to the results above as follows.(1) Generalizing in another dimension, our computational concentration result is also true when the Hamming distance is weighted.(2) As measure concentration is usually proved for concentration around mean, we show how to use our results above to obtain algorithmic concentration for that setting as well. In particular, we prove a computational variant of McDiarmid's inequality, when properly defined. (3) Our result generalizes to discrete random processes (instead of just product distributions), and this generalization leads to new tampering algorithms for collective coin tossing protocols. (4) Finally, we prove exponential lower bounds on the average running time of non-adaptive query algorithms for proving computational concentration for the case of product spaces. Perhaps surprisingly, such lower bound shows any efficient algorithm must query about S-membership of points tha...

show abstract

“…Most notably, Katz et al [9] and Weng et al [21] have found that computing a provably secure region of the input space is approximately computationally hard. Mahloujifar et al [14] explain the prevalence of adversarial examples by making a connection to the "concentration of measure" in metric spaces. Recently, Zhange et al [23] found that adversaries are more dense sufficiently far from the manifold of training data.…”

Section: Related Workmentioning

confidence: 99%

Characterizing the Shape of Activation Space in Deep Neural Networks

Gebhart

Schrater

Hylton

2019

2019 18th IEEE International Conference on Machine Learning and Applications (ICMLA)

View full text Add to dashboard Cite

The representations learned by deep neural networks are difficult to interpret in part due to their large parameter space and the complexities introduced by their multi-layer structure. We introduce a method for computing persistent homology over the graphical activation structure of neural networks, which provides access to the task-relevant substructures activated throughout the network for a given input. This topological perspective provides unique insights into the distributed representations encoded by neural networks in terms of the shape of their activation structures. We demonstrate the value of this approach by showing an alternative explanation for the existence of adversarial examples. By studying the topology of network activations across multiple architectures and datasets, we find that adversarial perturbations do not add activations that target the semantic structure of the adversarial class as previously hypothesized. Rather, adversarial examples are explainable as alterations to the dominant activation structures induced by the original image, suggesting the class representations learned by deep networks are problematically sparse on the input space.Preprint. Under review.

show abstract

The Curse of Concentration in Robust Learning: Evasion and Poisoning Attacks from Concentration of Measure

Cited by 84 publications

References 15 publications

High Intrinsic Dimensionality Facilitates Adversarial Attack: Theoretical Evidence

High Intrinsic Dimensionality Facilitates Adversarial Attack: Theoretical Evidence

Computational Concentration of Measure: Optimal Bounds, Reductions, and More

Characterizing the Shape of Activation Space in Deep Neural Networks

Contact Info

Product

Resources

About