HEATING UP DECISION BOUNDARIES: ISOCAPACITORY SATURATION, ADVERSARIAL SCENARIOS AND

Abstract

In the present work we study classifiers' decision boundaries via Brownian motion processes in ambient data space and associated probabilistic techniques. Intuitively, our ideas correspond to placing a heat source at the decision boundary and observing how effectively the sample points warm up. We are largely motivated by the search for a soft measure that sheds further light on the decision boundary's geometry. En route, we bridge aspects of potential theory and geometric analysis (Maz'ya (2011); Grigor'Yan & Saloff-Coste (2002)) with active fields of ML research such as adversarial examples and generalization bounds. First, we focus on the geometric behavior of decision boundaries in the light of adversarial attack/defense mechanisms. Experimentally, we observe a certain capacitory trend over different adversarial defense strategies: decision boundaries locally become flatter as measured by isoperimetric inequalities (Ford et al. (2019)); however, our more sensitive heat-diffusion metrics extend this analysis and further reveal that some non-trivial geometry invisible to plain distance-based methods is still preserved. Intuitively, we provide evidence that the decision boundaries nevertheless retain many persistent "wiggly and fuzzy" regions on a finer scale. Second, we show how Brownian hitting probabilities translate to soft generalization bounds which are in turn connected to compression and noise stability (Arora et al. (2018)), and these bounds are significantly stronger if the decision boundary has controlled geometric features.

1. INTRODUCTION AND BACKGROUND

The endeavor to understand certain geometric aspects of decision problems has led to intense research in statistical learning. These range from the study of data manifolds, through landscapes of loss functions to the delicate analysis of a classifier's decision boundary. In the present work we focus on the latter. So far, a wealth of studies has analyzed the geometry of decision boundaries of deep neural networks (DNN), reaching profound implications in the fields of adversarial machine learning (adversarial examples), robustness, margin analysis and generalization. Inspired by recent isoperimetric results and curvature estimates (Ford et al. (2019); Moosavi-Dezfooli et al. (2019); Fawzi et al. (2016)), we attempt to provide some new aspects of decision boundary analysis by introducing and studying a corresponding diffusion-inspired approach. In this note the guiding idea is to place a heat source at the classifier's decision boundary and estimate its size/shape in terms of the amount of heat the boundary is able to emit within a given time (Fig. 1). The goal is to extract geometric information from the behavior of heat transmission. This technique of heat content seems well-known within capacity/potential theory and has led to a variety of results in spectral analysis relating heat diffusion and geometry (Jorgenson & Lang (2001); Grigor'Yan & Saloff-Coste (2002); Maz'ya (2011)). However, working with such heat diffusion directly in terms of the corresponding differential equations is impractical. To this end, we note that, due to Feynman-Kac duality, the heat estimates are convertible to Brownian motion hitting probabilities. Thus we circumvent the need for solving intractable differential equations and instead are able to employ a straightforward Monte-Carlo sampling scheme in the ambient data space (Section 3).

Background on defense training

We apply the above analysis in the context of adversarial machine learning (Section 4) where one studies the interaction between an adversary and an ML system. One of the goals of the subject is to design attack/defense training strategies improving the robustness of a given ML model; in the present work we are interested in how adversarial/noise defense training are reflected geometrically. Many different metrics to estimate robustness have been proposed: on one hand, there is adversarial robustness (the probability that error samples lie very near a given data point x); on the other hand, there is corruption robustness (the probability of getting an error sample after perturbing a given data point x with some specified noise). In our context, heat diffusion naturally suggests a capacitory robustness metric: this metric is built upon the probability that Brownian motion started at a given data point x will hit error samples within a given time window. One can perceive this metric as a combination of adversarial and noise robustness (Brownian motion has continuous paths and specified stopping time determined by boundary impact). In this perspective, our work is aligned with studies of other robustness metrics and curvature results (cf. Fawzi et al. (2016) for a "semi-random" projection robustness and relations to curvature). We study the capacitory metric on the well-known CIFAR10 and MNIST datasets and observe that defense training techniques may either yield a certain (although not substantial) decrease (noise training) or fail to have a significant effect on continuous Brownian attacks overall. Surprisingly, in both cases the studied capacitory metric does not converge to the corresponding value as in the case of a flat decision boundary. Due to our comparison statements and curvature considerations, this means that locally around clean data points the geometry is in general flattened out but may still retain complexity and substantial areas of (small) non-vanishing curvature. In other words, from the point of view of our heat diffusion metrics, decision boundaries locally exhibit non-flat behaviour.

Background on generalization estimates

Finally, we observe that the collected heat/hitting-probability metrics can further be used to obtain generalization bounds where, in a nutshell, one evaluates the performance of a model on unseen data in terms of the performance over a given sampled data, the model's expressiveness, dimension, etc. In this regard, we view decision boundary heat diffusion traits as an indicator of how noise-stable a given model is; this relates Brownian hitting bounds with recent compression-based generalization techniques in the spirit of Arora et al. (2018); Suzuki et al. (2018; 2020). More precisely, we proceed in two steps: first, we construct a "smaller" compressed model that is almost equivalent to the initial one in an appropriate heat-theoretic way; second, we obtain generalization estimates for the smaller model in terms of the decision boundary hitting probabilities (computed on the empirical dataset). Furthermore, the bounds are significantly improved under additional geometric assumptions on the decision boundary of the initial model.
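
The capacitory robustness metric and its flat-boundary reference value, sketched as an added example (not code from the paper): a time-discretized Monte-Carlo estimate of the Brownian hitting probability for three constructed 2-D error sets that all lie at the same Euclidean distance 1 from the data point, so a purely distance-based measure cannot tell them apart. The function names, the toy error sets and the step/path counts are assumptions made for this illustration; the closed form for the flat case is the standard reflection-principle identity.

```python
import math
import random

def flat_hit_probability(d, t):
    """Reflection principle: P(BM reaches a hyperplane at distance d by time t)."""
    return math.erfc(d / math.sqrt(2.0 * t))

def hit_probability(is_error, x, t, n_paths=3000, n_steps=200, seed=0):
    """Monte-Carlo estimate of P(Brownian motion from x enters the error set by time t).

    Each path has its own seeded generator, so different error sets are
    evaluated on identical sample paths (common random numbers). Checking
    only at grid times slightly underestimates the continuous-time value.
    """
    step_std = math.sqrt(t / n_steps)  # std of each coordinate increment
    hits = 0
    for i in range(n_paths):
        rng = random.Random(seed * 1_000_003 + i)
        p = list(x)
        for _ in range(n_steps):
            p = [c + rng.gauss(0.0, step_std) for c in p]
            if is_error(p):
                hits += 1
                break
    return hits / n_paths

# Three constructed error sets, each at Euclidean distance 1 from the origin.
def flat(p):       # half-plane: flat decision boundary
    return p[0] > 1.0

def bump(p):       # disc touching the flat boundary at (1, 0), curving away from x
    return (p[0] - 2.0) ** 2 + p[1] ** 2 < 1.0

def enclosing(p):  # outside of the unit disc: the boundary wraps around x
    return p[0] ** 2 + p[1] ** 2 > 1.0

def compare(t=1.0):
    x = (0.0, 0.0)
    sets = (("bump", bump), ("flat", flat), ("enclosing", enclosing))
    return {name: hit_probability(f, x, t) for name, f in sets}

if __name__ == "__main__":
    for name, prob in compare().items():
        print(f"{name:10s} {prob:.3f}")
    print(f"flat, closed form: {flat_hit_probability(1.0, 1.0):.3f}")
```

Because the three error sets are nested and share sample paths, the estimates are ordered path by path; the spread between them is the curvature information that the nearest-error distance alone does not carry.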

Additional related work

Figure 1: Heating up a planar decision boundary of a 5-layer MLP over time. The amounts of radiated heat reflect the geometry of the decision boundary: size, density, curvature.

The interplay between heat diffusion and geometry lies at the heart of many topics in geometric analysis and spectral theory (cf. Jorgenson & Lang (2001); Grigor'Yan (2001) for a far reaching overview). Some direct applications of heat diffusion techniques to zero sets of eigenfunctions are seen, for example, in Steinerberger (2014); Georgiev & Mukherjee (2018a;b). The literature on adversarial ML is vast: to name a few central works in the field, we refer to Dalvi et al. (2004); Biggio & Roli (2018); Szegedy et al. (2014). Much effort has been invested in designing

