Categories
Colloquium Events

Colloquium: Adversarial Reprogramming Revisited

November 16, 2022. Wednesday. 3PM

Room: TG23 (Town Hall Building)

Speaker: Ranko Lazic

Title: Adversarial Reprogramming Revisited

Abstract: TL;DR:  We show that neural networks with random weights are susceptible to adversarial reprogramming, and that in some settings training the network can cause its adversarial reprogramming to fail.

Adversarial reprogramming, introduced by Elsayed, Goodfellow, and Sohl-Dickstein, seeks to repurpose a neural network to perform a different task, by manipulating its input without modifying its weights. We prove that two-layer ReLU neural networks with random weights can be adversarially reprogrammed to achieve arbitrarily high accuracy on Bernoulli data models over hypercube vertices, provided the network width is no greater than its input dimension. We also substantially strengthen a recent result of Phuong and Lampert on directional convergence of gradient flow, and obtain as a corollary that training two-layer ReLU neural networks on orthogonally separable datasets can cause their adversarial reprogramming to fail. We support these theoretical results by experiments that demonstrate that, as long as batch normalisation layers are suitably initialised, even untrained networks with random weights are susceptible to adversarial reprogramming. This is in contrast to observations in several recent works that suggested that adversarial reprogramming is not possible for untrained networks to any degree of reliability.

Joint work with Matthias Englert, to appear in NeurIPS 2022, available at https://arxiv.org/abs/2206.03466.

Bio: Ranko Lazic is a Professor in the Department of Computer Science at the University of Warwick, and the best man at his wedding was Raja.  Ranko is an Associate Editor of Information Processing Letters, and his research interests span theoretical computer science and machine learning.  His Google Scholar page is at https://scholar.google.co.uk/citations?user=yGOk7boAAAAJ.