(A) study on multiple aspects of deep classifier robustness (Korean title: A study on the robustness of deep classifiers)

Despite their success, convolutional neural networks (CNNs) are susceptible to adversarial examples: mostly imperceptible, carefully crafted perturbations that can fool CNN classifiers. This robustness issue constitutes a fundamental problem in deep learning and motivates various research studies on the robustness of CNNs. Since the robustness of CNNs is still not fully understood, it poses a threat to humans and machines in applications leveraging the predictive power of CNNs. This thesis aims to broaden our knowledge about CNN robustness and proposes to investigate CNN robustness along multiple aspects. First, we investigate class-discriminative robustness. This part mainly discusses the robustness properties of universal adversarial perturbations (UAPs), where a single perturbation can fool a classifier for most images. Most UAPs crafted by previous methods are designed to attack samples from all classes, which can raise suspicion. To this end, we propose class-discriminative attacks, which provide a flexible choice of the classes to attack, for a more stealthy universal attack technique. We propose an untargeted and a targeted variant of class-discriminative universal attacks, showing that it is possible to achieve class discrimination with a single adversarial perturbation. We further investigate the robustness of deep classifiers against universal adversarial examples. Specifically, we propose Universal Adversarial Training with Class-Wise Perturbations, showing performance improvements over the previous universal adversarial training technique, successfully increasing the security of a model against UAPs. Second, we discuss fairness-oriented robustness. While previous robustness evaluations mainly focus on a single metric, we investigate a more fine-grained evaluation via the class-wise accuracy or class-wise robustness.
We first identify the class-wise robustness issue, showing that CNNs are not only vulnerable to external influences but also exhibit an internal robustness imbalance, where certain classes are more robust than others. After an in-depth study of this phenomenon, we explore solutions to mitigate the class-wise robustness issue. Borrowing from the field of long-tail distributions, we propose a re-weighting strategy as a fair adversarial training strategy. Finally, we investigate the influence of batch normalization (BN) on model robustness, starting with the influence of BN on model robustness to naturally occurring corruptions. By simply adapting the BN statistics, we can mitigate the vulnerability to naturally occurring corruptions. However, this technique has limited influence when applied to adversarial examples. Hence, we investigate the influence of BN on adversarial robustness. We observe that a model with BN exhibits a higher adversarial vulnerability, despite a higher standard accuracy. We link the increased adversarial vulnerability to an increased utilization of non-robust features for models with BN.
Advisors
Kweon, In So (권인소)
Description
Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2021
Identifier
325007
Language
eng
Description

Thesis (Ph.D.) - Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering, 2021.8, [v, 74 p.]

Keywords

Adversarial examples; Universal adversarial perturbations; Robustness; Class-wise properties; Batch normalization

Korean keywords (translated): Adversarial examples; Universal adversarial examples; Robustness; Class-wise properties; Batch normalization

URI
http://hdl.handle.net/10203/295606
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=962472&flag=dissertation
Appears in Collection
EE-Theses_Ph.D. (Doctoral Theses)
Files in This Item
There are no files associated with this item.
