Frontiers in Computational Neuroscience (Jun 2024)

Translational symmetry in convolutions with localized kernels causes an implicit bias toward high frequency adversarial examples

  • Josue O. Caro,
  • Yilong Ju,
  • Ryan Pyle,
  • Sourav Dey,
  • Wieland Brendel,
  • Fabio Anselmi,
  • Ankit B. Patel

DOI
https://doi.org/10.3389/fncom.2024.1387077
Journal volume & issue
Vol. 18

Abstract

Adversarial attacks remain a significant challenge for neural networks. Recent work has shown that adversarial perturbations typically contain high-frequency features, but the root cause of this phenomenon remains unknown. Inspired by theoretical work on linear convolutional models, we hypothesize that translational symmetry in convolutional operations, together with localized kernels, implicitly biases the learning of high-frequency features, and that this is one of the main causes of high-frequency adversarial examples. To test this hypothesis, we analyzed the impact of different choices of linear and non-linear architectures on the implicit bias of the learned features and adversarial perturbations, in both the spatial and frequency domains. We find that, independently of the training dataset, convolutional operations produce higher-frequency adversarial attacks than other architectural parameterizations, and that this phenomenon is exacerbated by stronger locality of the kernel (smaller kernel size) and by greater depth of the model. The explanation for the kernel-size dependence involves the Fourier uncertainty principle: a spatially limited filter (a local kernel in the space domain) cannot also be frequency-limited (local in the frequency domain). Using larger convolution kernels or avoiding convolutions altogether (e.g., by using Vision Transformers or MLP-style architectures) significantly reduces this high-frequency bias. Looking forward, our work strongly suggests that understanding and controlling the implicit bias of architectures will be essential for achieving adversarial robustness.
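The kernel-size dependence can be illustrated numerically. The sketch below is not from the paper; it is a minimal illustration assuming Gaussian kernels and an arbitrary 64x64 grid. It zero-pads kernels of increasing spatial width, takes their 2D FFT, and reports the fraction of spectral energy falling outside a small low-frequency band around DC. Consistent with the Fourier uncertainty principle, the more spatially localized the kernel, the more of its energy lies at high frequencies.

import numpy as np

def gaussian_kernel(k, sigma):
    # Separable 2D Gaussian of side k (illustrative choice, not the paper's filters)
    x = np.arange(k) - (k - 1) / 2
    g = np.exp(-x**2 / (2 * sigma**2))
    kern = np.outer(g, g)
    return kern / kern.sum()

def high_freq_energy(kernel, size=64, band=8):
    # Zero-pad to size x size, take the power spectrum, and measure the fraction
    # of energy outside a (2*band) x (2*band) low-frequency square centered on DC.
    padded = np.zeros((size, size))
    k = kernel.shape[0]
    padded[:k, :k] = kernel
    spectrum = np.abs(np.fft.fftshift(np.fft.fft2(padded))) ** 2
    c = size // 2
    low = spectrum[c - band:c + band, c - band:c + band].sum()
    return 1.0 - low / spectrum.sum()

for k in (3, 7, 15, 31):
    frac = high_freq_energy(gaussian_kernel(k, sigma=k / 6))
    print(f"{k:>2}x{k:<2} kernel: {frac:.2f} of spectral energy at high frequencies")

Under this illustrative measure, the 3x3 kernel spreads most of its spectral energy into high frequencies, while the 31x31 kernel concentrates it near DC, mirroring the claim that larger convolution kernels reduce the high-frequency bias.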

Keywords