
It begins with a boundary: A geometric view on probabilistically robust learning

Leon Bungert, Nicolás García Trillos, Matt Jacobs, Daniel McKenzie, Đorđe Nikolić, Qingsong Wang

TL;DR

A mathematical framework is proposed for understanding PRL. It makes it possible to identify geometric pathologies in the original formulation, to introduce a family of probabilistic nonlocal perimeter functionals that rectify them, and to prove existence of solutions to the original and modified problems using novel relaxation methods.

Abstract

Although deep neural networks have achieved super-human performance on many classification tasks, they often exhibit a worrying lack of robustness towards adversarially generated examples. Thus, considerable effort has been invested into reformulating standard Risk Minimization (RM) into an adversarially robust framework. Recently, attention has shifted towards approaches which interpolate between the robustness offered by adversarial training and the higher clean accuracy and faster training times of RM. In this paper, we take a fresh and geometric view on one such method -- Probabilistically Robust Learning (PRL). We propose a mathematical framework for understanding PRL, which allows us to identify geometric pathologies in its original formulation and to introduce a family of probabilistic nonlocal perimeter functionals to rectify them. We prove existence of solutions to the original and modified problems using novel relaxation methods and also study properties, as well as local limits, of the introduced perimeters. We also clarify, through a suitable $\Gamma$-convergence analysis, the way in which the original and modified PRL models interpolate between risk minimization and adversarial training.

Paper Structure (28 sections, 22 theorems, 161 equations, 6 figures, 2 tables, 1 algorithm)


Key Result

Proposition 1

For the $0$-$1$ loss $\ell(\tilde{y},y) := \mathbf{1}_{\tilde{y}\neq y}$ we can rewrite the probabilistic risk $\operatorname{ProbR}$ as in eq:OtherFormProbR. In that same setting, $\operatorname{ProbR}$ can also be written as the expectation of a sample-wise maximum of the s

Figures (6)

  • Figure 1: Even for the simple task of classifying two data points one can easily construct a pathological solution (fig:flaw) of PRL, observing that all but the small red set of perturbations of the misclassified blue point are correctly classified as blue. Both classifiers depicted in fig:flaw and fig:no_flaw have zero PRL loss.
  • Figure 2: Non-compactness of minimizing sequences.
  • Figure 3: Histograms display the distribution of percentages of correctly classified perturbations among misclassified images for both original and m-PRL with parameter $p=0.01$. The inner plot excludes the prevalent $0\%$ case. The plots show that pathological data points---i.e. data points which are misclassified yet most perturbations to the data point are correctly classified---occur in real datasets.
  • Figure 4: Histograms showing the distribution of percentages of correctly classified perturbations among misclassified images for both original and m-PRL with parameter $p=0.1$.
  • Figure 5: Histograms showing the distribution of percentages of correctly classified perturbations among misclassified images for both original and m-PRL with parameter $p=0.3$.
  • ...and 1 more figures

Theorems & Definitions (64)

  • Proposition 1
  • Remark 1
  • Remark 2
  • Remark 3
  • Proof of prop:rewrite_max
  • Proposition 2
  • Proposition 3
  • Proof of prop:rewrite_max_Psi
  • Definition 1
  • Theorem 1
  • ...and 54 more