Skip to main content
SpringerLink
Log in

A study on the uncertainty of convolutional layers in deep neural networks

  • Original Article
  • Published:
International Journal of Machine Learning and Cybernetics Aims and scope Submit manuscript

Abstract

This paper shows a Min–Max property existing in the connection weights of the convolutional layers in a neural network structure, i.e., the LeNet. Specifically, the Min–Max property means that, during the back propagation-based training for LeNet, the weights of the convolutional layers will become far away from their centers of intervals, i.e., decreasing to their minimum or increasing to their maximum. From the perspective of uncertainty, we demonstrate that the Min–Max property corresponds to minimizing the fuzziness of the model parameters through a simplified formulation of convolution. It is experimentally confirmed that the model with the Min–Max property has a stronger adversarial robustness, thus this property can be incorporated into the design of loss function. This paper points out a changing tendency of uncertainty in the convolutional layers of LeNet structure, and gives some insights to the interpretability of convolution.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4

Similar content being viewed by others

References

  1. Abbasi M, Gagné C (2017) Robustness to adversarial examples through an ensemble of specialists. In: Proceedings of the 5th international conference on learning representations (ICLR), Toulon, France, April 24–26, 2017

  2. Athalye A, Carlini N, Wagner D (2018) Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: Proceedings of the 35th international conference on machine learning (ICML), Stockholm, Sweden, July 10–15, 2018, pp 274–283

  3. Basak J, De RK, Pal SK (1998) Unsupervised feature selection using a neuro-fuzzy approach. Pattern Recognit Lett 19(11):997–1006

    Article  Google Scholar 

  4. Bradshaw J, Matthews AGdG, Ghahramani Z (2017) Adversarial examples, uncertainty, and transfer testing robustness in gaussian process hybrid deep networks. arXiv preprint arXiv:1707.02476

  5. Brown TB, Mané D, Roy A, Abadi M, Gilmer J (2017) Adversarial patch. arXiv preprint arXiv:1712.09665

  6. Carlini N, Wagner D (2017) Towards evaluating the robustness of neural networks. In: 2017 IEEE symposium on security and privacy (sp), pp 39–57. IEEE

  7. Chen HY, Liang JH, Chang SC, Pan JY, Chen YT, Wei W, Juan DC (2019) Improving adversarial robustness via guided complement entropy. In: Proceedings of the IEEE international conference on computer vision, pp 4881–4889

  8. Chen PY, Zhang H, Sharma Y, Yi J, Hsieh CJ (2017) Zoo: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: Proceedings of the 10th ACM Workshop on artificial intelligence and security, pp 15–26

  9. Clevert D, Unterthiner T, Hochreiter S (2016) Fast and accurate deep network learning by exponential linear units (elus). In: Bengio Y, LeCun Y (eds) 4th international conference on learning representations, ICLR 2016, San Juan, Puerto Rico, May 2–4, 2016, conference track proceedings. http://arxiv.org/abs/1511.07289

  10. Deng L (2012) The mnist database of handwritten digit images for machine learning research [best of the web]. IEEE Signal Process Mag 29(6):141–142

    Article  Google Scholar 

  11. Ding GW, Wang L, Jin X (2019) AdverTorch v0.1: an adversarial robustness toolbox based on pytorch. arXiv preprint arXiv:1902.07623

  12. Dong Y, Liao F, Pang T, Su H, Zhu J, Hu X, Li J (2018) Boosting adversarial attacks with momentum. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 9185–9193

  13. Eykholt K, Evtimov I, Fernandes E, Li B, Rahmati A, Xiao C, Prakash A, Kohno T, Song D (2018) Robust physical-world attacks on deep learning visual classification. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 1625–1634

  14. Glorot X, Bordes A, Bengio Y (2011) Deep sparse rectifier neural networks. In: Proceedings of the fourteenth international conference on artificial intelligence and statistics, pp 315–323

  15. Goodfellow IJ, Shlens J, Szegedy C (2015) Explaining and harnessing adversarial examples. In: Bengio Y, LeCun Y (eds) 3rd international conference on learning representations, ICLR 2015, San Diego, CA, USA, May 7–9, 2015, conference track proceedings. http://arxiv.org/abs/1412.6572

  16. Haykin S, Kosko B (2001) Gradient based learning applied to document recognition, pp 306–351

  17. Hein M, Andriushchenko M (2017) Formal guarantees on the robustness of a classifier against adversarial manipulation. In: Advances in neural information processing systems, pp 2266–2276

  18. Jia Y, Liu H, Hou J, Kwong S (2020) Pairwise constraint propagation with dual adversarial manifold regularization. IEEE Trans Neural Netw Learn Syst. https://doi.org/10.1109/TNNLS.2020.2970195

    Article  MathSciNet  Google Scholar 

  19. Jia Y, Liu H, Hou J, Kwong S (2020) Semisupervised adaptive symmetric non-negative matrix factorization. IEEE Trans Cybern. https://doi.org/10.1109/TCYB.2020.2969684

    Article  Google Scholar 

  20. Karmon D, Zoran D, Goldberg Y (2018) Lavan: localized and visible adversarial noise. In: Dy JG, Krause A (eds) Proceedings of the 35th international conference on machine learning, ICML 2018, Stockholmsmässan, Stockholm, Sweden, July 10–15, 2018, Proceedings of Machine Learning Research, vol. 80, pp 2512–2520. PMLR. http://proceedings.mlr.press/v80/karmon18a.html

  21. Krippendorff K (2009) Figure 12 in Klaus Krippendorff’s ’ross Ashby’s information theory: a bit of history, some solutions to problems, and what we face today. Int J Gen Syst 38:189–212. https://doi.org/10.1080/03081070902993178(Int. J. Gen. Syst. 38(6), 667–668 (2009))

    Article  MathSciNet  MATH  Google Scholar 

  22. Krizhevsky A, Hinton G et al (2009) Learning multiple layers of features from tiny images

  23. Kurakin A, Goodfellow IJ, Bengio S (2017) Adversarial examples in the physical world. In: Proceedings of the 5th international conference on learning representations (ICLR), Toulon, France, April 24–26, 2017

  24. Kurakin A, Goodfellow IJ, Bengio S (2017) Adversarial machine learning at scale. In: 5th International conference on learning representations, ICLR 2017, Toulon, France, April 24–26, 2017, conference track proceedings. OpenReview.net. https://openreview.net/forum?id=HJGU3Rodl

  25. Lin J (1991) Divergence measures based on the Shannon entropy. IEEE Trans Inf Theory 37(1):145–151

    Article  MathSciNet  Google Scholar 

  26. Liu H, Ji R, Li J, Zhang B, Gao Y, Wu Y, Huang F (2019) Universal adversarial perturbation via prior driven uncertainty approximation. In: Proceedings of the IEEE/CVF international conference on computer vision (ICCV)

  27. Liu H, Jia Y, Hou J, Zhang Q (2019) Imbalance-aware pairwise constraint propagation. In: Proceedings of the 27th ACM international conference on multimedia, pp 1605–1613

  28. Liu X, Yang H, Liu Z, Song L, Chen Y, Li H (2019) DPATCH: an adversarial patch attack on object detectors. In: Proceedings of the AAAI workshop on artificial intelligence safety (SafeAI), Honolulu, Hawaii, USA, January 27, 2019

  29. Liu Y, Chen X, Liu C, Song D (2016) Delving into transferable adversarial examples and black-box attacks. arXiv preprint. https://arxiv.org/abs/1611.02770

  30. Madry A, Makelov A, Schmidt L, Tsipras D, Vladu A (2018) Towards deep learning models resistant to adversarial attacks. In: Proceedings of the 6th international conference on learning representations (ICLR), Vancouver, BC, Canada, April 30–May 3, 2018

  31. Mishkin D, Matas J (2016) All you need is a good init. In: Bengio Y, LeCun Y (eds) 4th International conference on learning representations, ICLR 2016, San Juan, Puerto Rico, May 2–4, 2016, conference track proceedings. http://arxiv.org/abs/1511.06422

  32. Moosavi-Dezfooli SM, Fawzi A, Frossard P (2016) Deepfool: a simple and accurate method to fool deep neural networks. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 2574–2582

  33. Papernot N, McDaniel P, Goodfellow I (2016) Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. arXiv preprint arXiv:1605.07277

  34. Papernot N, McDaniel P, Jha S, Fredrikson M, Celik ZB, Swami A (2016) The limitations of deep learning in adversarial settings. In: 2016 IEEE European symposium on security and privacy (EuroS&P), pp. 372–387. IEEE

  35. Papernot N, McDaniel P, Wu X, Jha S, Swami A (2016) Distillation as a defense to adversarial perturbations against deep neural networks. In: 2016 IEEE symposium on security and privacy (SP), pp 582–597. IEEE

  36. Pinto L, Davidson J, Sukthankar R, Gupta A (2017) Robust adversarial reinforcement learning. In: Proceedings of the 34th international conference on machine learning (ICML), Sydney, NSW, Australia, August 6–11, 2017

  37. Pourpanah F, Abdar M, Luo Y, Zhou X, Wang R, Lim CP, Wang XZ (2020) A review of generalized zero-shot learning methods. arXiv preprint arXiv:2011.08641

  38. Qin C, Martens J, Gowal S, Krishnan D, Dvijotham K, Fawzi A, De S, Stanforth R, Kohli P (2019) Adversarial robustness through local linearization. In: Advances in neural information processing systems, pp 13847–13856

  39. Raghunathan A, Steinhardt J, Liang P (2018) Certified defenses against adversarial examples. In: Proceedings of the 6th international conference on learning representations (ICLR), Vancouver, BC, Canada, April 30–May 3, 2018

  40. Seeger M (2004) Gaussian processes for machine learning. Int J Neural Syst 14(02):69–106

    Article  Google Scholar 

  41. Shannon CE (2001) A mathematical theory of communication. ACM SIGMOBILE Mobile Comput Commun Rev 5(1):3–55

    Article  MathSciNet  Google Scholar 

  42. Sharif M, Bhagavatula S, Bauer L, Reiter MK (2016) Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition. In: Proceedings of the 2016 ACM sigsac conference on computer and communications security, pp 1528–1540

  43. Shen H, Chen S, Wang R, Wang X (2020) Generalized adversarial examples: Attacks and defenses. arXiv preprint arXiv:2011.14045

  44. Sinha A, Namkoong H, Duchi JC (2018) Certifying some distributional robustness with principled adversarial training. In: Proceedings of the 6th international conference on learning representations (ICLR), Vancouver, BC, Canada, April 30–May 3, 2018

  45. Smith L, Gal Y (2018) Understanding measures of uncertainty for adversarial example detection. In: Proceedings of the 34th conference on uncertainty in artificial intelligence (UAI), Monterey, California, USA, August 6–10, 2018, pp 560–569

  46. Springenberg JT, Dosovitskiy A, Brox T, Riedmiller MA (2015) Striving for simplicity: The all convolutional net. In: Bengio Y, LeCun Y (eds) 3rd International conference on learning representations, ICLR 2015, San Diego, CA, USA, May 7–9, 2015, workshop track proceedings. http://auai.org/uai2018/proceedings/papers/207.pdf

  47. Su D, Zhang H, Chen H, Yi J, Chen PY, Gao Y (2018) Is robustness the cost of accuracy?—a comprehensive study on the robustness of 18 deep image classification models. In: Proceedings of the European conference on computer vision (ECCV), pp 631–648

  48. Su J, Vargas DV, Sakurai K (2019) One pixel attack for fooling deep neural networks. IEEE Trans Evolut Comput 23(5):828–841

    Article  Google Scholar 

  49. Szegedy C, Vanhoucke V, Ioffe S, Shlens J, Wojna Z (2016) Rethinking the inception architecture for computer vision. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 2818–2826

  50. Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow IJ, Fergus R (2014) Intriguing properties of neural networks. In: Bengio Y, LeCun Y (eds) 2nd international conference on learning representations, ICLR 2014, Banff, AB, Canada, April 14–16, 2014, conference track proceedings. http://arxiv.org/abs/1312.6199

  51. Terzi M, Susto GA, Chaudhari P (2020) Directional adversarial training for cost sensitive deep learning classification applications. Eng Appl Artif Intell 91:103550

    Article  Google Scholar 

  52. Tramér F, Kurakin A, Papernot N, Goodfellow IJ, Boneh D, McDaniel PD (2018) Ensemble adversarial training: Attacks and defenses. In: Proceedings of the 6th international conference on learning representations (ICLR), Vancouver, BC, Canada, April 30–May 3, 2018

  53. Tsipras D, Santurkar S, Engstrom L, Turne, A, Madry A(2019) Robustness may be at odds with accuracy. In: Proceedings of the 7th international conference on learning representations (ICLR), New Orleans, LA, USA, May 6–9, 2019

  54. Wong E, Kolter JZ (2018) Provable defenses against adversarial examples via the convex outer adversarial polytope. In: Proceedings of the 35th international conference on machine learning (ICML), Stockholm, Sweden, July 10–15, 2018, pp 8405–8423

  55. Xiao H, Rasul K, Vollgraf R (2017) Fashion-mnist: a novel image dataset for benchmarking machine learning algorithms

  56. Yeung DS, Wang X (2002) Improving performance of similarity-based clustering by feature weight learning. IEEE Trans Pattern Anal Mach Intell 24(4):556–561

    Article  Google Scholar 

  57. Zhang H, Yu Y, Jiao J, Xing EP, Ghaoui LE, Jordan MI (2019) Theoretically principled trade-off between robustness and accuracy. In: Proceedings of the 36th international conference on machine learning (ICML), Long Beach, California, USA, June 9–15, 2019, pp 12907–12929

  58. Zhao Z, Dua D, Singh S (2018) Generating natural adversarial examples. In: Proceedings of the 6th international conference on learning representations (ICLR), Vancouver, BC, Canada, April 30–May 3, 2018

Download references

Acknowledgements

This work was supported in part by Natural Science Foundation of China (Grants 61732011 and 61976141, 61772344), in part by the Natural Science Foundation of SZU (827-000230), in part by the Interdisciplinary Innovation Team of Shenzhen University, and in part by Natural Science Foundation of Guangdong Province of China (Grant 2020B1515310008).

Author information

Authors and Affiliations

  1. Big Data Institute, College of Computer Science and Software Engineering, Shenzhen University, Shenzhen, 518060, China

    Haojing Shen & Sihong Chen

  2. College of Mathematics and Statistics, Shenzhen University, Shenzhen, 518060, China

    Ran Wang

  3. Guangdong Key Laboratory of Intelligent Information Processing, Shenzhen University, Shenzhen, 518060, China

    Haojing Shen, Sihong Chen & Ran Wang

  4. Shenzhen Key Laboratory of Advanced Machine Learning and Applications, Shenzhen University, Shenzhen, 518060, China

    Ran Wang

Authors
  1. Haojing Shen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sihong Chen
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ran Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ran Wang.

Ethics declarations

Conflict of interest

The authors declare that there is no conflict of interests regarding the publication of this article.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Shen, H., Chen, S. & Wang, R. A study on the uncertainty of convolutional layers in deep neural networks. Int. J. Mach. Learn. & Cyber. 12, 1853–1865 (2021). https://doi.org/10.1007/s13042-021-01278-9

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s13042-021-01278-9

Keywords

Search

Navigation