Timezone: »

 
Poster
Shift Invariance Can Reduce Adversarial Robustness
Vasu Singla · Songwei Ge · Basri Ronen · David Jacobs

Fri Dec 10 08:30 AM -- 10:00 AM (PST) @
in Poster Session 8 »

Shift invariance is a critical property of CNNs that improves performance on classification. However, we show that invariance to circular shifts can also lead to greater sensitivity to adversarial attacks. We first characterize the margin between classes when a shift-invariant {\em linear} classifier is used. We show that the margin can only depend on the DC component of the signals. Then, using results about infinitely wide networks, we show that in some simple cases, fully connected and shift-invariant neural networks produce linear decision boundaries. Using this, we prove that shift invariance in neural networks produces adversarial examples for the simple case of two classes, each consisting of a single image with a black or white dot on a gray background. This is more than a curiosity; we show empirically that with real datasets and realistic architectures, shift invariance reduces adversarial robustness. Finally, we describe initial experiments using synthetic data to probe the source of this connection.

Keywords: Deep Learning · Machine Learning · Robustness · Adversarial Robustness and Security

Author Information

Vasu Singla (University of Maryland)

I am a 3rd year Grad Student at the University of Maryland, interested in adversarial robustness.

Songwei Ge (University of Maryland, College Park)
Basri Ronen (Weizmann Inst.)
David Jacobs (University of Maryland, USA)

More from the Same Authors