Many recent works have shown that adversarial examples that fool classifiers can be found by minimally perturbing a normal input. Recent theoretical results, starting with Gilmer et al. (2018b), show that if the inputs are drawn from a concentrated metric probability space, then adversarial examples with small perturbation are inevitable. A concentrated space has the property that any subset with Ω(1) (e.g., 1/100) measure, according to the imposed distribution, has small distance to almost all (e.g., 99/100) of the points in the space. It is not clear, however, whether these theoretical results apply to actual distributions such as images. This paper presents a method for empirically measuring and bounding the concentration of a concrete dataset which is proven to converge to the actual concentration. We use it to empirically estimate the intrinsic robustness to L2 and Linfinity perturbations of several image classification benchmarks. Code for our experiments is available at https://github.com/xiaozhanguva/Measure-Concentration.
Author Information
Saeed Mahloujifar (University of Virginia)
Xiao Zhang (University of Virginia)
Mohammad Mahmoody (University of Virginia)
David Evans (University of Virginia)
Related Events (a corresponding poster, oral, or spotlight)
- 2019 Spotlight: Empirically Measuring Concentration: Fundamental Limits on Intrinsic Robustness
  Tue Dec 10th 06:35 -- 06:40 PM Room West Exhibition Hall A
More from the Same Authors
- 2018 Poster: Adversarial Risk and Robustness: General Definitions and Implications for the Uniform Distribution
  Dimitrios Diochnos · Saeed Mahloujifar · Mohammad Mahmoody
- 2018 Poster: Distributed Learning without Distress: Privacy-Preserving Empirical Risk Minimization
  Bargav Jayaraman · Lingxiao Wang · David Evans · Quanquan Gu
- 2016 Workshop: Private Multi-Party Machine Learning
  Borja Balle · Aurélien Bellet · David Evans · Adrià Gascón