6.4.8AI Safety & Alignment

Adversarial examples and robustness

3,038 words14 min readdifficulty · medium6 backlinks

What Are Adversarial Examples?

An adversarial example is an input x\mathbf{x}' created by adding a small perturbation δ\boldsymbol{\delta} to a correctly classified input x\mathbf{x}, such that:

x=x+δ\mathbf{x}' = \mathbf{x} + \boldsymbol{\delta}

where δpϵ|\boldsymbol{\delta}||_p \leq \epsilon (the perturbation is bounded), but the model's prediction changes: f(x)f(x)f(\mathbf{x}) \neq f(\mathbf{x}').

Deriving the Fast Gradient Sign Method (FGSM)

Goal: Find the direction input space that maximally increases the loss for a given sample.

Starting from the loss function L(θ,x,y)\mathcal{L}(\theta, \mathbf{x}, y) where θ\theta are model parameters,\mathbf{x}isinput,is input,y$ is true label:

Step 1: Linear approximation
For small perturbations, approximate loss with first-order Taylor expansion:

L(θ,x+δ,y)L(θ,x,y)+δTxL\mathcal{L}(\theta, \mathbf{x} + \boldsymbol{\delta}, y) \approx \mathcal{L}(\theta, \mathbf{x}, y) + \boldsymbol{\delta}^T \nabla_\mathbf{x} \mathcal{L}

Why this step? We assume the loss surface is locally linear near x\mathbf{x}. This makes the optimization tractable.

Step 2: Maximize loss subject to LL_\infty constraint
We want:

maxδϵδTxL\max_{|\boldsymbol{\delta}||_\infty \leq \epsilon} \boldsymbol{\delta}^T \nabla_\mathbf{x} \mathcal{L}

Why this step? The dot product δTxL\boldsymbol{\delta}^T \nabla_\mathbf{x} \mathcal{L} is maximized when δ\boldsymbol{\delta} points in the same direction as the gradient.

Step 3: Optimal perturbation
For LL_\infty ball, the optimal direction is:

δ=ϵsign(xL)\boldsymbol{\delta} = \epsilon \cdot \text{sign}(\nabla_\mathbf{x} \mathcal{L})

Why this step? The sign\text{sign} function gives +1+1 or 1-1 for each component. When the gradient component is positive, we push that input dimension up by ϵ\epsilon; when negative, down by ϵ\epsilon. This maximizes the dot product under LL_\infty constraint.

Iterative Attacks: Projected Gradient Descent (PGD)

FGSM is a single-step attack. Projected Gradient Descent (PGD) iteratively refines the perturbation for stronger attacks.

Derivation from first principles:

Initialize: x(0)=x\mathbf{x}^{(0)} = \mathbf{x}

For t=0,1,,T1t = 0, 1, \ldots, T-1:

Step 1: Gradient step

x(t+1)=x(t)+αsign(xL(θ,x(t),y))\mathbf{x}^{(t+1)} = \mathbf{x}^{(t)} + \alpha \cdot \text{sign}(\nabla_\mathbf{x} \mathcal{L}(\theta, \mathbf{x}^{(t)}, y))

Why? Take a small step α<ϵ\alpha < \epsilon in the gradient direction.

Step 2: Project back to ϵ\epsilon-ball

x(t+1)=Projx+Bϵ(x(t+1))\mathbf{x}^{(t+1)} = \text{Proj}_{\mathbf{x} + \mathcal{B}_\epsilon}(\mathbf{x}^{(t+1)})

where Bϵ={δ:δϵ}\mathcal{B}_\epsilon = \{\boldsymbol{\delta} : |\boldsymbol{\delta}||_\infty \leq \epsilon\}

Why this step? The gradient might violate the perturbation budget. Projection ensures x(t+1)xϵ|\mathbf{x}^{(t+1)} - \mathbf{x}||_\infty \leq \epsilon.

Projection formula LL_\infty:

Projx+Bϵ(z)=clip(z,xϵ,x+ϵ)\text{Proj}_{\mathbf{x} + \mathcal{B}_\epsilon}(\mathbf{z}) = \text{clip}(\mathbf{z}, \mathbf{x} - \epsilon, \mathbf{x} + \epsilon)

Clip each dimension: zimax(xiϵ,min(zi,xi+ϵ))z_i \leftarrow \max(\mathbf{x}_i - \epsilon, \min(z_i, \mathbf{x}_i + \epsilon))

Why Neural Networks Are Vulnerable

Three explanations (not mutually exclusive):

  1. Linear behavior in high dimensions: Neural networks often behave linearly in local regions. The FGSM derivation assumes linearity, and it works surprisingly well, suggesting models don't have enough curvature to resist linear attacks.

  2. Decision boundary proximity: Classification boundaries lie close to natural data manifolds in high-dimensional space. Small perturbations can cross boundaries even if images stay "natural-looking" to humans.

  3. Insufficiently expressive features: Models may rely on non-robust features—patterns that correlate with labels in training data but aren't causally meaningful. Adversarial perturbations exploit these spurious correlations.

Defense Strategies

1. Adversarial Training

Adversarial training augments training data with adversarial examples, forcing the model to learn robust features.

Objective (Madry et al., 2018):

minθE(x,y)D[maxδϵL(θ,x+δ,y)]\min_\theta \mathbb{E}_{(\mathbf{x}, y) \sim \mathcal{D}} \left[ \max_{|\boldsymbol{\delta}||_\infty \leq \epsilon} \mathcal{L}(\theta, \mathbf{x} + \boldsymbol{\delta}, y) \right]

Interpretation: Minimize the maximum loss within the ϵ\epsilon-ball around each training point. The inner max finds worst-case perturbation; the outer min trains the model on it.

Training loop:

For each batch (X, y):
    1. Generate adversarial batch: X_adv = PGD(X, y, epsilon, alpha, steps)
    2. Compute loss: L = CrossEntropy(model(X_adv), y)
    3. Backprop through model (not through PGD)
    4. Update θ

Why this step? We treat PGD as a fixed data augmentation—compute adversarial examples, then do standard training on them. The inner max is not differentiated.

2. Certified Defenses

Certified defenses provide mathematical guarantees that a prediction is robust within a ball.

Randomized smoothing (Cohen et al., 2019):

Define a smoothed classifier:

g(x)=argmaxcP(x+ϵ) where ϵN(0,σ2I))g(\mathbf{x}) = \arg\max_c \mathbb{P}(\mathbf{x} + \boldsymbol{\epsilon}) \text{ where } \boldsymbol{\epsilon} \sim \mathcal{N}(0, \sigma^2 I))

Intuition: Add Gaussian noise to input, classify the noisy version, return the majority vote over many samples.

Certification theorem: If for class cAc_A:

P(f(x+ϵ)=cA)pA\mathbb{P}(f(\mathbf{x} + \boldsymbol{\epsilon}) = c_A) \geq p_A

and for any other class cBc_B:

P(f(x+ϵ)=cB)pB\mathbb{P}(f(\mathbf{x} + \boldsymbol{\epsilon}) = c_B) \leq p_B

then g(x)=cAg(\mathbf{x}) = c_A for all x\mathbf{x}' with xx2σ2(Φ1(pA)Φ1(pB))||\mathbf{x}' - \mathbf{x}||_2 \leq \frac{\sigma}{2}(\Phi^{-1}(p_A) - \Phi^{-1}(p_B))

where Φ1\Phi^{-1} is the inverse CDF of standard normal.

Why this step? The Gaussian noise "blurs" the classifier. If class cAc_A has a strong enough probability mass, no L2L_2 perturbation smaller than the certified radius can flip the majority vote.

Trade-off: Certified radius is small (typically <1.0< 1.0 for ImageNet, weaker than empirical defenses) and requires expensive Monte Carlo sampling at test time.

3. Input Transformations

Examples:

  • JPEG compression (removes high-frequency noise)
  • Bit-depth reduction
  • Total variation denoising

Robustness Metrics

  1. Clean accuracy: Performance on unperturbed test data
  2. Robust accuracy: Accuracy on adversarially perturbed test data (usually PGD)
  3. AutoAttack success rate: Standardized ensemble of attacks (Croce & Hein, 2020)

Evaluation protocol:

  • For each test sample, run PGD with random restarts (e.g., 10 restarts)
  • Report accuracy on worst-case perturbations found
  • Use strong attacks: PGD with many steps (50-100), multiple norms (LL_\infty, L2L_2)

Connections to AI Safety

Why adversarial robustness matters:

  1. Specification gaming: If a model is rewarded for "high confidence" without robustness checks, it can achieve high validation accuracy while being trivially exploitable.

  2. Out-of-distribution detection: Adversarial examples are OD inputs that models confidently misclassify. Robustness and OD detection are dual problems.

  3. Trojan attacks: Adversarial training provides some defense against backdoor triggers (patterns that flip model behavior).

  4. Interpretability: Understanding why adversarial examples exist helps us understand model representations. Models that rely on non-robust features aren't learning the "right" concepts.

Recall Explain to a 12-year-old

Imagine you trained a robot to recognize cats and dogs. The robot gets really good—99% accuracy! But then someone discovers a trick: if you put a tiny sticker on a dog's ear (so small you wouldn't even notice), the robot suddenly screams "CAT!" with total confidence.

That's an adversarial example. The sticker is placed so carefully that it pushes the robot's "brain" over the edge from "definitely dog" to "definitely cat," even though to your eyes, it's obviously still a dog.

The scary part? This isn't a bug—it happens in almost every AI system. The robot's brain (neural network) divides the world into regions: "this is the cat region," "this is the dog region." But these regions have super weird, jagged borders in high-dimensional space (imagine a space with 150,000 dimensions, one for every pixel!). Tiny changes that look like nothing to us can hop across those borders.

Making the robot robust means training it to recognize cats and dogs even when someone tries to trick it with stickers. It's like teaching the robot: "Don't just memorize patterns—understand what makes a dog actually a dog." This is really hard, and it's one of the big unsolved problems in AI safety.

Connections:

  • Interpretability and explainability — adversarial examples reveal what features models rely on
  • AI Safety fundamentals — robustness is a safety requirement for deployed systems
  • Out-of-distribution detection — adversarial examples are a form of OOD input
  • Reward hacking — adversarial examples are specification gaming at test time
  • Neural network training — adversarial training is a form of data augmentation
  • Gradient descent optimization — PGD is gradient ascent on loss w.r.t. inputs

#flashcards/ai-ml

What is an adversarial example? :: An input x=x+δ\mathbf{x}' = \mathbf{x} + \boldsymbol{\delta} where the perturbation δ\boldsymbol{\delta} is small (bounded by ϵ\epsilon in some norm) but causes the model to change its prediction: f(x)f(x)f(\mathbf{x}) \neq f(\mathbf{x}'). The perturbation is often imperceptible to humans.

Derive the FGSM perturbation formula from first principles :: Start with loss L(θ,x,y)\mathcal{L}(\theta, \mathbf{x}, y). Linearize: L(x+δ)L(x)+δTxL\mathcal{L}(\mathbf{x} + \boldsymbol{\delta}) \approx \mathcal{L}(\mathbf{x}) + \boldsymbol{\delta}^T \nabla_\mathbf{x} \mathcal{L}. To maximize this subject to δϵ||\boldsymbol{\delta}||_\infty \leq \epsilon, set δ=ϵsign(xL)\boldsymbol{\delta} = \epsilon \cdot \text{sign}(\nabla_\mathbf{x} \mathcal{L}). This aligns the perturbation with the gradient's direction, maximizing the dot product.

Why is PGD stronger than FGSM?
PGD takes multiple small steps (α<ϵ\alpha < \epsilon) and projects back to the ϵ\epsilon-ball at each iteration, exploring the loss surface more thoroughly. FGSM uses a single-step linearization that may not find the worst-case perturbation if the loss surface has curvature or if a larger total perturbation budget allows better exploration.
What is the adversarial training objective?
minθE(x,y)[maxδϵL(θ,x+δ,y)]\min_\theta \mathbb{E}_{(\mathbf{x}, y)} \left[ \max_{||\boldsymbol{\delta}|| \leq \epsilon} \mathcal{L}(\theta, \mathbf{x} + \boldsymbol{\delta}, y) \right]. The inner max finds the worst-case adversarial perturbation for each sample; the outer min trains the model to be robust to these perturbations.
What trade-off does adversarial training introduce?
Adversarial training typically reduces clean accuracy (by ~5-10% on CIFAR-10) while significantly improving robust accuracy under attack. It learns more conservative decision boundaries that resist perturbations but may generalize worse to unperturbed data.
What is an adaptive attack and why does it break input preprocessing defenses?
An adaptive attack is one where the attacker knows the defense mechanism (e.g., JPEG compression, denoising) and optimizes the perturbation to remain adversarial after the defense is applied. If the attacker includes the preprocessing in the attack computation (e.g., xL(θ,T(x),y)\nabla_\mathbf{x} \mathcal{L}(\theta, T(\mathbf{x}), y)), simple preprocessing no longer removes the perturbation.
What does randomized smoothing provide?
Randomized smoothing provides a certified robustness guarantee. By classifying x+ϵ\mathbf{x} + \boldsymbol{\epsilon} where ϵN(0,σ2I)\boldsymbol{\epsilon} \sim \mathcal{N}(0, \sigma^2 I) and returning the majority vote, it guarantees that predictions are constant within a provable L2L_2 radius. The certified radius depends on the probability gap between the top two classes.
Why are neural networks vulnerable to adversarial examples in high dimensions?
In high dimensions, even imperceptible per-dimension perturbations accumulate. The perturbation's contribution to loss δTxL=iδiLxi\boldsymbol{\delta}^T \nabla_\mathbf{x} \mathcal{L} = \sum_i \delta_i \frac{\partial \mathcal{L}}{\partial x_i} can be large if all gradient components have the same sign, scaling as ϵd\epsilon \sqrt{d}. Neural networks often behave linearly locally, so small perturbations have predictable, large effects on loss.
What is the difference between untargeted and targeted adversarial attacks?
Untargeted attacks maximize loss to cause any misclassification: xadv=x+ϵsign(xL(θ,x,y))\mathbf{x}_{\text{adv}} = \mathbf{x} + \epsilon \cdot \text{sign}(\nabla_\mathbf{x} \mathcal{L}(\theta, \mathbf{x}, y)). Targeted attacks minimize loss for a specific target class tt to force that prediction: xadv=xϵsign(xL(θ,x,t))\mathbf{x}_{\text{adv}} = \mathbf{x} - \epsilon \cdot \text{sign}(\nabla_\mathbf{x} \mathcal{L}(\theta, \mathbf{x}, t)).
What is robust accuracy and how is it measured?
Robust accuracy is the fraction of test samples correctly classified under worst-case adversarial perturbations within budget ϵ\epsilon: Robust-Acc=1D1[minδϵf(x+δ)=y]\text{Robust-Acc} = \frac{1}{|\mathcal{D}|} \sum \mathbb{1}[\min_{||\boldsymbol{\delta}|| \leq \epsilon} f(\mathbf{x} + \boldsymbol{\delta}) = y]. In practice, use strong attacks (PGD with many steps, multiple random restarts) as a lower bound.

Concept Map

vulnerable to

added to input

constrained by

often uses

keeps perturbation imperceptible

causes

leads to

motivates

defends against

linearized by

maximized via

sign gives direction

generates

Neural Networks

Adversarial Example x prime

Perturbation delta

Lp Norm Bound epsilon

L-infinity Norm

Prediction Flips

Safety Risks

Adversarial Robustness

Loss Function

First-order Taylor Approx

Loss Gradient

FGSM Attack

Hinglish (regional understanding)

Intuition Hinglish mein samjho

Dekho, yaha basic idea ye hai ki neural networks jitne bhi powerful lagte hain, unmein ek chhupa hua weakness hai. Agar tum ek image mein bohot chhoti si, aankhon se dikhai na dene wali noise add kar do, toh model jo pehle 99% confidence se panda bol raha tha, wahi model ab 99% confidence se "gibbon" bol dega. Ye koi ek model ka bug nahi hai — ye neural networks ke high-dimensional space ko partition karne ke tareeke ki ek fundamental property hai. Isko hum adversarial example kehte hain, jaha input x mein ek chhota perturbation δ add karke prediction galat kara dete hain, aur δ ka size ek limit ε ke andar rakhte hain (jaise L-infinity norm se har pixel bas thoda sa badalta hai).

Ab attack banate kaise hain? Sabse simple method hai FGSM (Fast Gradient Sign Method). Idea simple hai — loss function ka gradient nikalo input ke respect mein, aur us gradient ki sign direction mein har pixel ko ε jitna push kar do. Kyun sign? Kyunki L-infinity constraint ke andar loss ko maximize karne ke liye tumhe har dimension mein gradient ke same direction mein full ε step lena padta hai. Bas ek hi gradient computation, aur attack ready — isliye ye "fast" hai. Aur agar tumhe model se koi specific galat class predict karwani ho, toh minus sign use karte ho taaki us target class ka loss minimize ho jaye. Isse aage PGD aata hai jo iteratively chhote-chhote steps leke aur bhi strong attack banata hai.

Ye cheez safety ke liye kyun important hai, samajhna zaroori hai. Socho agar ye adversarial trick kisi medical diagnosis system, self-driving car ke object detector, ya content moderation filter ko fool kar de — toh nateeja privacy leak se lekar physical nuksaan tak kuch bhi ho sakta hai. Isliye adversarial robustness ka pura field isliye bana hai taaki hum models ko in attacks ke against strong banaayein. Regional students ke liye takeaway ye hai — model ka high accuracy dikhna kaafi nahi hai; real-world deployment se pehle uski robustness bhi test karni padti hai, warna chhoti si noise pura system tod sakti hai.

Go deeper — visual, from zero

Test yourself — AI Safety & Alignment

Connections