Deep learning models are known to be vulnerable to adversarial attacks, so adversarial learning is becoming a crucial task. We propose a new perspective on neural network robustness based on Riemannian geometry and foliation theory. The idea is illustrated by constructing a new adversarial attack that takes the curvature of the data space into account. This attack, called the two-step spectral attack, is a piecewise-linear approximation of a geodesic in the data space. The data space is treated as a (degenerate) Riemannian manifold equipped with the pullback of the Fisher Information Metric (FIM) of the neural network. In most cases this metric is only positive semi-definite, and its kernel becomes a central object of study. A canonical foliation is derived from this kernel. The curvature of the transverse leaves gives the correction needed for a two-step approximation of the geodesic, and hence a new, more efficient adversarial attack. The method is first illustrated on a 2D toy example in order to visualize the neural network foliation and the corresponding attacks. Next, experiments on the MNIST dataset comparing the proposed technique with the state-of-the-art attack of Zhao et al. (2019) are reported. The results show that the proposed attack is more efficient at every level of attack budget (norm of the perturbation), confirming that the curvature of the transverse leaves of the neural network FIM foliation plays an important role in the robustness of neural networks.
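As an added illustration, not code from the paper, the following numpy sketch builds the objects the abstract names on a constructed two-class network on R^2: the pullback FIM G(x) = sum_y p_y(x) grad_x log p_y grad_x log p_y^T, its kernel (for a 2-class softmax in 2D the metric has rank 1, so the kernel is a 1-dimensional leaf direction along which the predicted distribution does not move to first order), the one-step spectral direction (top eigenvector of G, as in the one-step attack of Zhao et al. 2019), and a simplified two-step variant that spends half the budget along the top eigenvector and re-evaluates G at the intermediate point for the second half. The network weights, the test point and the budget are constructed; recomputing G at the midpoint is an assumption standing in for the paper's curvature-based correction, not the paper's algorithm.

```python
import numpy as np

# Constructed toy network R^2 -> 2-class softmax (assumption: not the paper's model).
W1 = np.array([[ 1.5, -0.7],
               [-0.4,  1.2],
               [ 0.9,  0.8],
               [-1.1,  0.3]])
b1 = np.array([0.1, -0.2, 0.05, 0.3])
W2 = np.array([[ 1.0, -0.8,  0.6, -0.5],
               [-0.9,  0.7, -0.4,  0.8]])
b2 = np.array([0.05, -0.05])


def forward(x):
    """Return (softmax probabilities p, Jacobian of the logits wrt x, shape (K, 2))."""
    h = np.tanh(W1 @ x + b1)
    z = W2 @ h + b2
    p = np.exp(z - z.max())
    p /= p.sum()
    J = W2 @ (np.diag(1.0 - h ** 2) @ W1)   # dz/dx = W2 diag(1 - h^2) W1
    return p, J


def fim_pullback(x):
    """Pullback of the output-distribution Fisher metric to the data space:
    G(x) = sum_y p_y g_y g_y^T with g_y = grad_x log p_y(x) = J_y - sum_k p_k J_k."""
    p, J = forward(x)
    mean = p @ J
    G = np.zeros((2, 2))
    for y in range(len(p)):
        g = J[y] - mean
        G += p[y] * np.outer(g, g)
    return G


def kernel_and_top(G, tol=1e-10):
    """Eigendecompose G; return (kernel basis as columns, top eigenvector, eigenvalues)."""
    lam, V = np.linalg.eigh(G)            # ascending order
    ker = V[:, lam <= tol * lam[-1]]      # numerically zero eigenvalues span the kernel
    return ker, V[:, -1], lam


def kl(p, q):
    return float(np.sum(p * np.log(p / q)))


def _best_sign(x, v, p_clean, step):
    """Move `step` along +v or -v, whichever moves the prediction further (in KL) from p_clean."""
    cands = [x + step * v, x - step * v]
    return max(cands, key=lambda xc: kl(p_clean, forward(xc)[0]))


def one_step_spectral(x, eps):
    """One-step spectral attack: full budget along the top eigenvector of G(x)."""
    p_clean, _ = forward(x)
    _, v, _ = kernel_and_top(fim_pullback(x))
    return _best_sign(x, v, p_clean, eps)


def two_step_spectral(x, eps):
    """Two-piece polygonal approximation: half budget along top eigenvector of G(x),
    then half budget along the top eigenvector of G re-evaluated at the midpoint
    (assumption: a simple stand-in for the paper's curvature correction)."""
    p_clean, _ = forward(x)
    _, v1, _ = kernel_and_top(fim_pullback(x))
    x1 = _best_sign(x, v1, p_clean, eps / 2)
    _, v2, _ = kernel_and_top(fim_pullback(x1))
    return _best_sign(x1, v2, p_clean, eps / 2)


def compare(x=(0.3, -0.2), eps=0.3):
    """Summarise the geometry at x and the effect of the attacks (constructed defaults)."""
    x = np.asarray(x, dtype=float)
    p_clean, _ = forward(x)
    G = fim_pullback(x)
    ker, top, lam = kernel_and_top(G)
    x_ker = x + eps * ker[:, 0]              # step along the leaf: prediction ~unchanged
    x_one = one_step_spectral(x, eps)
    x_two = two_step_spectral(x, eps)
    return {
        "kernel_dim": int(ker.shape[1]),
        "top_eigenvalue": float(lam[-1]),
        "kernel_orthogonal_to_top": float(abs(ker[:, 0] @ top)),
        "kl_along_kernel": kl(p_clean, forward(x_ker)[0]),
        "kl_one_step": kl(p_clean, forward(x_one)[0]),
        "kl_two_step": kl(p_clean, forward(x_two)[0]),
        "norm_one_step": float(np.linalg.norm(x_one - x)),
        "norm_two_step": float(np.linalg.norm(x_two - x)),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:26s} {v}")
```

The kernel direction is the tangent to the leaf through x: a step along it leaves the logit difference unchanged to first order, so its KL stays far below that of a same-sized step along the top eigenvector. Whether the two-step variant beats the one-step attack at a given budget depends on how much the metric rotates along the first segment, which is exactly the curvature effect the paper measures on MNIST; here the two KL values are returned so the reader can compare them directly.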