Perturbing the Phase: Analyzing Adversarial Robustness of Complex-Valued Neural Networks

TL;DR

This work investigates adversarial robustness of complex-valued neural networks (CVNNs) versus real-valued NN (RVNNs) and introduces Phase Attacks that perturb only the phase of complex inputs while preserving magnitude. By extending gradient-based attacks to the complex domain via Wirtinger calculus, it defines a set of complex attacks ($\mathbb{C}$FGSM, $\mathbb{C}$IFGSM, etc.) and, crucially, Phase Attacks that constrain $|Z|=|X|$ and optimize phase changes. The authors provide a practical toolbox and a thorough empirical study on two domains (PolSAR and FastMRI Prostate), showing that CVNNs can be as robust as or more robust than RVNNs in several settings, while both model types are highly sensitive to phase perturbations, with iterative Phase Attacks often outperforming other attacks. The findings highlight the importance of considering phase perturbations in safety-critical applications and motivate future work on improving phase-robustness and broader domain validation.

Abstract

Complex-valued neural networks (CVNNs) are rising in popularity for all kinds of applications. To safely use CVNNs in practice, analyzing their robustness against outliers is crucial. One well known technique to understand the behavior of deep neural networks is to investigate their behavior under adversarial attacks, which can be seen as worst case minimal perturbations. We design Phase Attacks, a kind of attack specifically targeting the phase information of complex-valued inputs. Additionally, we derive complex-valued versions of commonly used adversarial attacks. We show that in some scenarios CVNNs are more robust than RVNNs and that both are very susceptible to phase changes with the Phase Attacks decreasing the model performance more, than equally strong regular attacks, which can attack both phase and magnitude.

Figures (4)

• Figure 1: Visualization of search spaces for adversarial attack optimization problems. Black circle shows epsilon ball around pixel value $X$, search space in red. Left: Classical adversarial attack \ref{['eq:opt_full']}, center top/bottom: Phase Attack/Magnitude Attack for pixel $X$ far from zero, right top/bottom: Phase Attack/Magnitude Attack for pixel $X$ close to zero (\ref{['eq:opt_angle']}/\ref{['eq:opt_prob_mag']}).
• Figure 2: Visualization of optimization steps for Phase Attack optimization problems. Search space in red (see Fig. \ref{['fig:search_space']}), Wirtinger gradient in blue. Left: restricted phase perturbation \ref{['eq:optim_step_restricted']}, center: freely perturbed phase with outward pointing gradient \ref{['eq:optim_step_free_out']}, right: freely perturbed phase with inward pointing gradient \ref{['eq:inward']}.
• Figure 3: Comparison of robustness against (unrestricted) adversarial attacks of RVNNs and CVNNs on the FastMRI Prostate and PolSAR datasets without (Top two rows) and with (Bottom two rows) additional adversarial training. Left: ResNet, Right ConvNeXt. All plots show (normalized) performance against $\epsilon$-restriction.
• Figure 4: Comparison of Phase Attacks and unrestricted attacks without adversarial training. Left: ResNet, Right: ConvNeXt. All plots show (normalized) performance against $\epsilon$-restriction. Linestyle: straight line: Regular Attack, dashed line: Phase Attack, dotted Line: Magnitude Attack.

Theorems & Definitions (2)

• proof
• proof