The mathematics of adversarial attacks in AI - Why deep learning is unstable despite the existence of stable neural networks

The unprecedented success of deep learning (DL) has made it the method of choice for classification problems. However, it is well established that current DL methodology produces universally unstable neural networks (NNs). The instability problem has caused an enormous research effort, with a vast literature on so-called adversarial attacks, yet no solution has emerged. Our paper addresses why, as we prove the following mathematical paradox: any training procedure for classification problems based on neural networks with a fixed architecture will yield NNs that are either inaccurate or unstable (if accurate), despite the provable existence of both accurate and stable NNs for the same classification problems. The key is that stable and accurate NNs must have variable dimensions depending on the input; in particular, variable dimensions are a necessary condition for stability. Our result thus points to a paradox: accurate and stable neural networks exist, yet modern algorithms do not compute them. This raises the question: if the existence of NNs with desirable properties can be proven, can one also find algorithms that compute them? There are cases in mathematics where provable existence implies computability, but will this be the case for neural networks? The contrary is true, as we demonstrate that NNs can provably exist as approximate minimisers of standard optimisation problems with standard cost functions, yet no randomised algorithm can compute them with probability greater than 1/2.
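The instability the abstract refers to can be made concrete with a toy example (not taken from the paper): even a classifier that is correct on its inputs can be flipped by a small, targeted perturbation when the decision margin is thin. The sketch below is a minimal illustration in the spirit of fast-gradient-sign attacks, using a hypothetical linear classifier with made-up weights.

```python
import numpy as np

# Toy linear classifier f(x) = sign(w . x + b); the weights are illustrative.
w = np.array([0.4, -0.3, 0.2, 0.1])
b = 0.05

def classify(x):
    """Return the predicted label, +1 or -1."""
    return 1 if w @ x + b > 0 else -1

# A correctly classified input lying close to the decision boundary.
x = np.array([0.1, -0.1, 0.05, 0.0])

# Fast-gradient-sign-style perturbation: shift every coordinate by eps
# against the sign of the corresponding weight, which decreases the
# score w . x + b as fast as possible in the sup norm.
eps = 0.2
x_adv = x - eps * np.sign(w)

# The perturbation is tiny in the sup norm (exactly eps per coordinate) ...
print(np.max(np.abs(x_adv - x)))
# ... yet it is enough to flip the predicted label from +1 to -1.
print(classify(x), classify(x_adv))
```

The point of the paper is far stronger than this toy: it is not that some trained classifiers happen to have thin margins, but that any fixed-architecture training procedure must produce networks that are inaccurate or admit such perturbations, even when stable and accurate networks provably exist.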
