Deep Learning: Difference between revisions
| Line 798: | Line 798: | ||
;Theorem (Levine, Singla, F2019, Salman et al 2019) | ;Theorem (Levine, Singla, F2019, Salman et al 2019) | ||
<math>\Phi^{-1}(\bar{f}(x)) is Lipschitz with constant <math>1/\sigma</math> | <math>\Phi^{-1}(\bar{f}(x))</math> is Lipschitz with constant <math>1/\sigma</math> | ||
The worst g is a stepwise function. Then <math>\Phi^{-1}(\bar{g})</math> is a linear function. | The worst g is a stepwise function. Then <math>\Phi^{-1}(\bar{g})</math> is a linear function. | ||
| Line 810: | Line 810: | ||
If we use Gaussian smoothing against Lp attacks, we get: | If we use Gaussian smoothing against Lp attacks, we get: | ||
<math>r_p = \frac{\sigma}{2d^{1/2 - 1/p}}\left( \Sigma^{-1}(p_1(x)) - \Sigma^{-1}(p_2(x)) \right)</math> | <math>r_p = \frac{\sigma}{2d^{1/2 - 1/p}}\left( \Sigma^{-1}(p_1(x)) - \Sigma^{-1}(p_2(x)) \right)</math> | ||
This shows that Gaussian smoothing is optimal (up to a constant) within i.i.d. smoothing distributions against Lp attacks. | This shows that Gaussian smoothing is optimal (up to a constant) within i.i.d. smoothing distributions against Lp attacks. | ||
===Sparse Threat=== | ===Sparse Threat=== | ||