Associate Professor (Reader) in Machine Learning
School of Mathematics, The University of Edinburgh
The Maxwell Institute for Mathematical Sciences
Alan Turing Institute | Bayes Centre | Gen AI Lab
School of Mathematics, Gran Sasso Science Institute
email: f dot tudisco at ed.ac.uk
Neural networks for image classification are vulnerable to adversarial attacks; an imperceptible perturbation to an image can cause a change in classification. Standard attack algorithms use explicit or approximate partial derivative information with respect to the input data. Here, we explore the idea of using a less expensive, universal affine surrogate. We find that this approach can match, or even outperform, a traditional gradient-based algorithm. Training the affine attack model leads us naturally towards transformations that are close to low rank, reflecting the structure of the problem. Truncating to a precisely low rank transformation does not degrade the performance of the model.
This paper is to appear in the Springer INdAM Series, following the INdAM Workshop on Low-Rank Structures and Numerical Methods in Matrix and Tensor Computations.
Keywords: low rank transformations image classifiers adversarial robustness deep learning neural networks