Skip to main content
SpringerLink
Log in

Adversarial Examples are a Manifestation of the Fitting-Generalization Trade-off

  • Conference paper
  • First Online:
Advances in Computational Intelligence (IWANN 2019)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 11506))

Included in the following conference series:

Abstract

In recent scientific literature, some studies have been published where recognition rates obtained with Deep Learning (DL) surpass those obtained by humans on the same task. In contrast to this, other studies have shown that DL networks have a somewhat strange behavior which is very different from human responses when confronted with the same task. The case of the so-called “adversarial examples” is perhaps the best example in this regard. Despite the biological plausibility of neural networks, the fact that they can produce such implausible misclassifications still points to a fundamental difference between human and machine learning. This paper delves into the possible causes of this intriguing phenomenon. We first contend that, if adversarial examples are pointing to an implausibility it is because our perception of them relies on our capability to recognise the classes of the images. For this reason we focus on what we call cognitively adversarial examples, which are those obtained from samples that the classifier can in fact recognise correctly. Additionally, in this paper we argue that the phenomenon of adversarial examples is rooted in the inescapable trade-off that exists in machine learning (including DL) between fitting and generalization. This hypothesis is supported by experiments carried out in which the robustness to adversarial examples is measured with respect to the degree of fitting to the training samples.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 99.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 129.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Airplane, automobile, bird, cat, deer, dog, frog, horse, ship and truck.

References

  1. Yuille, A.L., Liu, C.: Deep nets: What have they ever done for vision? CoRR abs/1805.04025 (2018). http://arXiv.org/abs/1805.04025

  2. Szegedy, C., et al.: Intriguing properties of neural networks, CoRR abs/1312.6199 (2013). http://dblp.uni-trier.de/db/journals/corr/corr1312.html#SzegedyZSBEGF13

  3. Athalye, A., Engstrom, L., Ilyas, A., Kwok, K.: Synthesizing robust adversarial examples, CoRR abs/1707.07397 (2017). arXiv:1707.07397

  4. Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples, arXiv preprint arXiv:1412.6572 (2014)

  5. Fawzi, A., Fawzi, O., Frossard, P.: Fundamental limits on adversarial robustness. In: Proceedings of ICML, Workshop on Deep Learning (2015). http://infoscience.epfl.ch/record/214923

  6. Tabacof, P., Valle, E.: Exploring the space of adversarial images. In: 2016 International Joint Conference on Neural Networks (IJCNN), pp. 426–433 (2016)

    Google Scholar 

  7. Serban, A.C., Poll, E.: Adversarial examples: a complete characterisation of the phenomenon, CoRR abs/1810.01185 (2018). arXiv:1810.01185

  8. Tanay, T., Griffin, L.D.: A boundary tilting persepective on the phenomenon of adversarial examples, CoRR abs/1608.07690 (2016). arXiv:1608.07690

  9. Fawzi, A., Moosavi-Dezfooli, S., Frossard, P.: Robustness of classifiers: from adversarial to random noise, CoRR abs/1608.08967 (2016). arXiv:1608.08967

  10. Gilmer, J., et al.: Adversarial spheres, CoRR abs/1801.02774 (2018). arXiv:1801.02774

  11. Schmidt, L., Santurkar, S., Tsipras, D., Talwar, K., Madry, A.: Adversarially robust generalization requires more data, CoRR abs/1804.11285 (2018). arXiv:1804.11285

  12. Simon-Gabriel, C.-J., Ollivier, Y., Schölkopf, B., Bottou, L., Lopez-Paz, D.: Adversarial vulnerability of neural networks increases with input dimension, CoRR abs/1802.01421 (2018)

    Google Scholar 

  13. Papernot, N., McDaniel, P.D.: Deep k-nearest neighbors: towards confident, interpretable and robust deep learning, CoRR abs/1803.04765 (2018). arXiv:1803.04765

  14. Papernot, N., McDaniel, P., Goodfellow, I.: Transferability in machine learning: from phenomena to black-box attacks using adversarial samples, arXiv preprint arXiv:1605.07277 (2016)

  15. Charles, Z.B., Rosenberg, H., Papailiopoulos, D.S.: A geometric perspective on the transferability of adversarial directions, CoRR abs/1811.03531 (2018)

    Google Scholar 

  16. Wang, Y., Jha, S., Chaudhuri, K.: Analyzing the robustness of nearest neighbors to adversarial examples. In: ICML (2018)

    Google Scholar 

  17. Bortolussi, L., Sanguinetti, L.: Intrinsic geometric vulnerability of high-dimensional artificial intelligence, CoRR abs/1811.03571 (2018). arXiv:1811.03571

  18. Tsipras, D., Santurkar, S., Engstrom, L., Turner, A., Madry, A.: Robustness may be at odds with accuracy. In: International Conference on Learning Representations (2019). https://openreview.net/forum?id=SyxAb30cY7

  19. Shamir, A., Safran, I., Ronen, I., Dunkelman, O.: A simple explanation for the existence of adversarial examples with small hamming distance, CoRR abs/1901.10861 (2019). arXiv:1901.10861

  20. LeCun, Y., Cortes, C.: MNIST handwritten digit database (2010). http://yann.lecun.com/exdb/mnist/. (cited 2016-01-14 14:24:11)

  21. Krizhevsky, A., Nair, V., Hinton, G.: CIFAR-10 (Canadian Institute for Advanced Research). http://www.cs.toronto.edu/~kriz/cifar.html

  22. Moosavi-Dezfooli, S., Fawzi, A., Frossard, P.: Deepfool: a simple and accurate method to fool deep neural networks, CoRR abs/1511.04599 (2015). arXiv:1511.04599

Download references

Acknowledgments

This work was partially funded by projects TIN2017-82113-C2-2-R by the Spanish Ministry of Economy and Business and SBPLY/17/180501/000543 by the Autonomous Government of Castilla-La Mancha and the ERDF.

Author information

Authors and Affiliations

  1. VISILAB, E.T.S. Ingenieros Industriales, Universidad de Castilla-La Mancha, Avda. Camilo Jose Cela s/n, 13071, Ciudad Real, Spain

    Oscar Deniz, Noelia Vallez & Gloria Bueno

Authors
  1. Oscar Deniz
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Noelia Vallez
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Gloria Bueno
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Oscar Deniz .

Editor information

Editors and Affiliations

  1. University of Granada, Granada, Spain

    Ignacio Rojas

  2. University of Malaga, Malaga, Spain

    Gonzalo Joya

  3. Polytechnic University of Catalonia, Barcelona, Spain

    Andreu Catala

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Deniz, O., Vallez, N., Bueno, G. (2019). Adversarial Examples are a Manifestation of the Fitting-Generalization Trade-off. In: Rojas, I., Joya, G., Catala, A. (eds) Advances in Computational Intelligence. IWANN 2019. Lecture Notes in Computer Science(), vol 11506. Springer, Cham. https://doi.org/10.1007/978-3-030-20521-8_47

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-20521-8_47

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-20520-1

  • Online ISBN: 978-3-030-20521-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation