TOWARDS ROBUST NEURAL NETWORKS VIA CLOSE-LOOP CONTROL

Abstract

Despite their success in many engineering applications, deep neural networks are vulnerable to various perturbations due to their black-box nature. Recent studies have shown that a deep neural network can misclassify data even when the input is perturbed by an imperceptible amount. In this paper, we address the robustness issue of neural networks with a novel close-loop control method from the perspective of dynamic systems. Instead of modifying the parameters of a fixed neural network architecture, a close-loop control process is added to generate control signals adaptively for perturbed or corrupted data. We connect the robustness of neural networks with optimal control, using the geometrical information of the underlying data to design the control objective. A detailed analysis shows how the embedding manifolds of the state trajectory affect the error estimation of the proposed method. Our approach simultaneously maintains performance on clean data and improves robustness against many types of data perturbation. It can also further improve the performance of robustly trained neural networks against different perturbations. To the best of our knowledge, this is the first work that improves the robustness of neural networks with close-loop control.¹

1. INTRODUCTION

Thanks to increasing data and computing power, deep neural networks have achieved state-of-the-art performance in many applications such as computer vision, natural language processing, and recommendation systems. However, many deep neural networks are vulnerable to various malicious perturbations due to their black-box nature: a small (even imperceptible) perturbation of the input data may lead to completely wrong predictions (Szegedy et al., 2013; Nguyen et al., 2015). This has been a major concern in safety-critical applications such as autonomous driving (Grigorescu et al., 2020) and medical image analysis (Lundervold & Lundervold, 2019). Various perturbations have been reported, including $\ell_p$-norm based attacks (Madry et al., 2017; Moosavi-Dezfooli et al., 2016; Carlini & Wagner, 2017), semantic perturbations (Engstrom et al., 2017), etc. On the other hand, some algorithms that improve the robustness against such perturbations have shown great success (Madry et al., 2017). However, most robustly trained models are tailored to certain types of perturbation and do not work well against other types. Khoury & Hadfield-Menell (2018) showed the non-existence of an optimal decision boundary for any $\ell_p$-norm perturbation. Recent works (E, 2017; Haber & Ruthotto, 2017) have shown the connection between dynamical systems and neural networks. This dynamical-system perspective provides interesting theoretical insights into the robustness issue. Given data $x_0 \in \mathbb{R}^d$ and labels $y \in \mathbb{R}^l$ with a joint distribution $\mathcal{D}$, training a neural network can be formulated as
$$\min_{\theta}\ \mathbb{E}_{(x_0, y)\sim \mathcal{D}}\big[\Phi(x_T, y)\big], \quad \text{s.t.}\ \ x_{t+1} = f(x_t, \theta_t), \quad t = 0, \dots, T-1,$$
¹ A PyTorch implementation can be found at: https://github.com/zhuotongchen/Towards-Robust-Neural-Networks-via-Close-loop-Control.git

Figure 1: The structures of the feed-forward neural network (black) and the proposed method (blue). (The figure shows each state $x_t$ feeding an embedding block $E_t(x_t)$ and a controller Cont$_t$ that produces the control signal $u_t$.)

where $\theta$ denotes the unknown parameters to train, and $f$ and $\Phi$ represent the forward propagation rule and the loss function (e.g., cross-entropy), respectively. The dynamical-system perspective interprets the vulnerability of neural networks as a system instability issue, which concerns how the state trajectory varies under small perturbations of the initial condition. Optimal control theory focuses on developing a control model to adjust the system state trajectory in an optimal manner. The first work that links and extends the classical back-propagation algorithm using optimal control theory was presented in Li et al. (2017), where the direct relationship between Pontryagin's Maximum Principle (Kirk, 1970) and gradient-based network training was established. Ye et al. (2019) used control theory to adjust the hyperparameters in an adversarial training algorithm. Han et al. (2018) established the mathematical basis of the optimal control viewpoint of deep learning. These existing works are open-loop control methods, since they treat the network weights $\theta$ as control parameters and keep them fixed once the training is done. The fixed control parameters $\theta$ operate optimally on data sampled from the distribution $\mathcal{D}$. However, various perturbation methods cause the data distribution to deviate from the true distribution $\mathcal{D}$ (Song et al., 2017), leading to poor performance under the fixed open-loop control parameters.

1.1 PAPER CONTRIBUTIONS

To address this limitation of open-loop control methods, we propose the Close-Loop Control Neural Network (CLC-NN), the first close-loop control method to improve the robustness of neural networks. As shown in Fig. 1, our method adds additional blocks to a given $T$-layer neural network: embedding functions $E_t$, which induce running losses in all layers that measure the discrepancies between true features and the features observed under input perturbation; and control processes, which generate control variables $u_t$ to minimize the total running loss under various data perturbations. The original neural network can be produced by either standard training or robust training; in the latter case, our CLC-NN framework achieves extra robustness against different perturbations. The forward propagation rule is thus modified with an extra control parameter $u_t \in \mathbb{R}^d$:
$$x_{t+1} = f(x_t, \theta_t, u_t).$$
Fig. 1 should not be misunderstood as an open-loop control. From the perspective of dynamic systems, $x_0$ is an initial condition, and the excitation input signal is $u_t$ (which is $0$ in a standard feed-forward network). The forward signal path therefore runs from $u_t$ to the internal states $x_t$ and then to the output label $y$, while the path from $x_t$ to the embedding function $E_t(x_t)$ and then to the excitation signal $u_t$ forms a feedback and closes the whole loop.

The technical contributions of this paper are summarized below:

• The proposed method relies on the well-accepted assumption that the data and hidden-state manifolds are low-dimensional compared with the ambient dimension (Fefferman et al., 2016). We use the geometrical information of the data and hidden layers to define the objective function for control. Given a trained $T$-layer neural network, a set of embedding functions $E_t$ is trained off-line by minimizing the reconstruction loss $\|E_t(x_t) - x_t\|$ over clean data from $\mathcal{D}$ only. The embedding functions support defining the running loss required by our control method.

• We formulate the control problem via dynamic programming and implement an online iterative solver based on Pontryagin's Maximum Principle to avoid the curse of dimensionality. The proposed close-loop control formulation does not require prior information about the perturbation.

• We provide a theoretical error bound for the controlled system in the simplified case of linear activation functions and linear embeddings. This error bound reveals how the close-loop control improves neural network robustness in the simplest setting.
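To make the dynamical-system view concrete, the sketch below treats a feed-forward network as the discrete dynamics $x_{t+1} = f(x_t, \theta_t)$. The particular layer form (an affine map followed by ReLU) and the use of NumPy are illustrative assumptions, not choices taken from the paper.

```python
import numpy as np

def layer(x, theta):
    # One layer f(x_t, theta_t); here an affine map followed by ReLU
    # (an illustrative architecture choice).
    W, b = theta
    return np.maximum(W @ x + b, 0.0)

def forward(x0, thetas):
    # Roll out the discrete dynamics x_{t+1} = f(x_t, theta_t),
    # returning the whole state trajectory x_0, ..., x_T.
    xs = [x0]
    for theta in thetas:
        xs.append(layer(xs[-1], theta))
    return xs
```

In this picture, a small perturbation of $x_0$ propagates through every state $x_t$; that sensitivity of the trajectory to the initial condition is exactly the instability the close-loop controller counteracts.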

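The running loss induced by an embedding function can also be sketched. Here $E_t$ is taken to be a linear projection $E_t(z) = VV^\top z$ onto a low-dimensional subspace (a stand-in for a trained autoencoder), and the control signal is found by gradient descent on $\|E_t(x_t + u_t) - (x_t + u_t)\|^2$ — a greedy, layer-wise simplification for illustration, not the paper's full solver.

```python
import numpy as np

def control_signal(x, V, steps=50, lr=0.5):
    # Linear embedding E(z) = V V^T z (V has orthonormal columns) projects a
    # state onto the learned manifold; the running loss ||E(z) - z||^2 measures
    # the distance to that manifold. Choose u to minimize the loss at z = x + u.
    P = V @ V.T
    u = np.zeros_like(x)
    for _ in range(steps):
        z = x + u
        # gradient of ||(P - I) z||^2 with respect to u is 2 (I - P) z
        u -= lr * 2.0 * (z - P @ z)
    return u
```

For an exact projection $P$, the controlled state $x + u$ converges to $Px$: the perturbed state is pulled back onto the manifold before entering the next layer, while a state already on the manifold receives zero control.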

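Finally, a Pontryagin-style iterative solver can be illustrated in the simplified setting the error bound addresses: linear layers $x_{t+1} = W_t x_t + u_t$, linear projection embeddings $P_t$, running losses $\|(I - P_t)x_t\|^2$, and a quadratic control cost $c\|u_t\|^2$. Controls are updated by damped gradient steps using adjoint (costate) variables; the additive control, cost weights, and step size are all assumptions made for this sketch.

```python
import numpy as np

def clc_solve(x0, Ws, Ps, c=1.0, lr=0.2, iters=100):
    # Iteratively solve for controls u_t in the linear dynamics
    # x_{t+1} = W_t x_t + u_t, minimizing
    #   sum_t ||(I - P_t) x_t||^2 + c ||u_t||^2.
    T, d = len(Ws), x0.shape[0]
    us = [np.zeros(d) for _ in range(T)]
    for _ in range(iters):
        # forward pass: roll out the controlled trajectory
        xs = [x0]
        for t in range(T):
            xs.append(Ws[t] @ xs[t] + us[t])
        # backward pass: costates p_t = W_t^T p_{t+1} + grad r_t(x_t),
        # with p_T = 0 (no terminal-state loss in this sketch)
        ps = [np.zeros(d) for _ in range(T + 1)]
        for t in range(T - 1, -1, -1):
            grad_r = 2.0 * (xs[t] - Ps[t] @ xs[t])
            ps[t] = Ws[t].T @ ps[t + 1] + grad_r
        # damped control update: the total-cost gradient w.r.t. u_t
        # is 2 c u_t + p_{t+1}
        for t in range(T):
            us[t] = us[t] - lr * (2.0 * c * us[t] + ps[t + 1])
    return us
```

A perturbed input off the manifold yields nonzero costates, hence nonzero controls that steer the trajectory back toward the manifold, while a clean input on the manifold leaves every control at zero — consistent with the goal of preserving clean-data performance.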