Chaos Theory and Adversarial Robustness
Abstract: Neural networks, being susceptible to adversarial attacks, should face a strict level of scrutiny before being deployed in critical or adversarial applications. This paper uses ideas from Chaos Theory to explain, analyze, and quantify the degree to which neural networks are susceptible to or robust against adversarial attacks. To this end, we present a new metric, the "susceptibility ratio," given by $\hat \Psi(h, \theta)$, which captures how greatly a model's output will be changed by perturbations to a given input.
Our results show that susceptibility to attack grows significantly with the depth of the model, which has safety implications for the design of neural networks for production environments. We provide experimental evidence of the relationship between $\hat \Psi$ and the post-attack accuracy of classification models, as well as a discussion of its application to tasks lacking hard decision boundaries. We also demonstrate how to quickly and easily approximate the certified robustness radii for extremely large models, which until now has been computationally infeasible to calculate directly.
Submission Length: Regular submission (no more than 12 pages of main content)
Changes Since Last Submission: I have attempted to implement the suggestions of reviewers Vkrq and mqoP, regarding citing relevant literature, discussing the relationship to the Lipschitz constant, and improving prose. Primary additions are three appendices expanding the theoretical basis, and the addition of paragraphs in sections 1 and 2. Adding the experiments requested by reviewer rpfA will require a bit more labor, and I believe that there is a discussion to be had regarding whether or not the inclusion of experiments expanding the breadth of the paper distracts from the important results, i.e. the analytic connection to Chaos Theory and the basic experimental validation, rather than adding exponentially more experimental factors to explain and analyze. No paper is going to present a new theory and then completely explore all of its ends and implications, I only wish to write something that reaches the level of interest to readers and being worth publishing.
Assigned Action Editor: ~Changyou_Chen1
Submission Number: 1058
Loading