Adversarial examples in random neural networks with general activations

Abstract

A substantial body of empirical work documents the lack of robustness in deep learning models to adversarial examples. Recent theoretical work proved that adversarial examples are ubiquitous in two-layers networks with sub-exponential width and ReLU or smooth activations, and multi-layer ReLU networks with sub-exponential width. We present a result of the same type, with no restriction on width and for general locally Lipschitz continuous activations. More precisely, given a neural network f. I / with random weights, and feature vec-tor x, we show that an adversarial example x0 can be found with high probability along the direction of the gradient rx f.xI /. Our proof is based on a Gaussian conditioning technique. Instead of proving that f is approximately linear in a neighborhood of x, we characterize the joint distribution of f.xI / and f.x0 I / for x0 D x s.x/rx f.xI /, where s.x/ D sign.f.xI // sd for some positive step size sd.