Abstract: We study adversarial robustness, i.e., the resilience of neural networks to small input perturbations, in the context of unfolding and frame theory. In the first part of the talk, we examine unfolding networks, which emerge from reformulating the outputs of iterative algorithms as neural network outputs, to solve inverse problems. Unfolding networks are applied in critical domains, e.g., medical imaging, where robustness is crucial to prevent catastrophic failures. We provide the first adversarial generalization error bounds for unfolding networks perturbed at training and test time, highlighting how the network architecture influences its generalization ability. Our experimental results conform with our derived theory and showcase the beneficial role of overparameterization in network robustness. In the second part of the talk, we introduce a methodology for creating structured adversarial attacks that severely hurt robustness, even of adversarially trained networks. Our approach hinges upon tools from frame theory – in particular, overcomplete spatial-frequency transforms, which are popular tools for image processing tasks. By representing the attacks with respect to these transforms, we improve their effectiveness, even across unseen target models. We assess the quality of our method on standardized datasets and models, with results showing that our proposed attack outperforms the examined baselines and exposes vulnerabilities even of defended models, while preserving visual structure to a high degree.