On the Interaction of Compressibility and Adversarial Robustness

Melih Barsbey, Antônio H. Ribeiro, Umut Şimşekli, Tolga Birdal

TL;DR

This work analyzes how structured compressibility—specifically neuron-level sparsity and spectral compression—affects adversarial robustness in neural networks. By linking compressibility to layer operator norms and Lipschitz constants, the authors derive a bound that reveals a small set of adversarial directions that become highly sensitive under compression. Empirically, they demonstrate robustness gaps across diverse architectures and tasks, showing persistence under adversarial training and transfer, and the emergence of universal adversarial perturbations. They also propose practical mitigation strategies based on per-layer compression targets and spread control, emphasizing the trade-off between efficiency and security in modern models.

Abstract

Modern neural networks are expected to simultaneously satisfy a host of desirable properties: accurate fitting to training data, generalization to unseen inputs, parameter and computational efficiency, and robustness to adversarial perturbations. While compressibility and robustness have each been studied extensively, a unified understanding of their interaction remains elusive. In this work, we develop a principled framework to analyze how different forms of compressibility, such as neuron-level sparsity and spectral compressibility, affect adversarial robustness. We show that these forms of compression can induce a small number of highly sensitive directions in the representation space, which adversaries can exploit to construct effective perturbations. Our analysis yields a simple yet instructive robustness bound, revealing how neuron and spectral compressibility impact $L_\infty$ and $L_2$ robustness via their effects on the learned representations. Crucially, the vulnerabilities we identify arise irrespective of how compression is achieved, whether via regularization, architectural bias, or implicit learning dynamics. Through empirical evaluations across synthetic and realistic tasks, we confirm our theoretical predictions, and further demonstrate that these vulnerabilities persist under adversarial training and transfer learning, and contribute to the emergence of universal adversarial perturbations. Our findings show a fundamental tension between structured compressibility and robustness, and suggest new pathways for designing models that are both efficient and secure.

Paper Structure

This paper contains 51 sections, 10 theorems, 47 equations, 16 figures, 4 tables.

Key Result

Theorem 3.1

The following statements relate operator norms and structured compressibility.

Figures (16)

  • Figure 1: A visual preview of our findings. (Left) Sparsification expedites compression but creates sensitive latent directions. (Center) Adversaries exploit these sensitive directions to increase their potency. (Right) This leads to decreased adversarial robustness.
  • Figure 2: Decision boundaries under compressibility.
  • Figure 3: Theoretical bound (\ref{thm:fcn_bound_pi}) vs. empirical robustness gap.
  • Figure 4: Model statistics under increasing strength of nuclear norm regularization ($\alpha$).
  • Figure 5: Results with FCN (top) and ResNet18 (bottom) trained on CIFAR-10 dataset.
  • ...and 11 more figures

Theorems & Definitions (24)

  • Definition 2.1: ($q, k, \epsilon$)-compressibility
  • Theorem 3.1
  • Theorem 3.2
  • Corollary 3.3
  • Lemma A.1
  • proof
  • Lemma A.2
  • proof
  • Proposition A.3
  • proof: Proof of Proposition \ref{thm:adv_bound_dual_cls}
  • ...and 14 more