Adversarial Attacks on Hyperbolic Networks

Max van Spengler, Jan Zahálka, Pascal Mettes

TL;DR

The paper finds that Euclidean and fully hyperbolic networks suffer from different types of vulnerabilities and that the newly proposed hyperbolic attacks cannot address these differences. It concludes that the shifts in adversarial robustness are due to the models learning distinct patterns resulting from their different geometries.

Abstract

As hyperbolic deep learning grows in popularity, so does the need for adversarial robustness in the context of such a non-Euclidean geometry. To this end, this paper proposes hyperbolic alternatives to the commonly used FGM and PGD adversarial attacks. Through interpretable synthetic benchmarks and experiments on existing datasets, we show how the existing and newly proposed attacks differ. Moreover, we investigate the differences in adversarial robustness between Euclidean and fully hyperbolic networks. We find that these networks suffer from different types of vulnerabilities and that the newly proposed hyperbolic attacks cannot address these differences. Therefore, we conclude that the shifts in adversarial robustness are due to the models learning distinct patterns resulting from their different geometries.

Paper Structure

This paper contains 19 sections, 25 equations, 5 figures, 1 table.

Figures (5)

  • Figure 1: Visualizations of the generated dataset and the hyperbolic MLR model.
  • Figure 2: Examples of adversarial samples generated with the hyperbolic (Riemannian) FGM or the original Euclidean FGM with the four different objective functions and a perturbation size $\epsilon = 1.0$. The arrows represent the gradient used for the perturbation. When this gradient points inward towards the origin, the hyperbolic attack seems stronger, while the original FGM appears to be more powerful when the gradient points outwards.
  • Figure 3: The performance of the hyperbolic MLR model when attempting to classify adversarial samples generated with the different attacks for varying values of $\epsilon$.
  • Figure 4: Accuracy on CIFAR-10 of the Poincaré and Euclidean ResNets with depths 20 or 32 when attacked using the original FGSM or the hyperbolic FGSM with increasingly large perturbation size $\epsilon$.
  • Figure 5: Comparative misclassification matrix $M^{comp}$ showing for each label $i$, determined by the row, which of the models are easier to trick into predicting label $j$, determined by the column, when applying the original FGSM attack. Orange indicates that the hyperbolic models are easier to trick into the corresponding conversion, while blue indicates a weakness for the Euclidean models.