High Intrinsic Dimensionality Facilitates Adversarial Attack: Theoretical Evidence

Machine learning systems are vulnerable to adversarial attack. By applying the input object a small, carefully-designed perturbation, classifier can be tricked into making an incorrect prediction. This phenomenon has drawn wide interest, with many attempts made explain it. However, complete understanding is yet emerge. In this paper we adopt slightly different perspective, still relevant classification. We consider retrieval, where output set of objects most similar user-supplied query object, corresponding k-nearest neighbors. investigate effect perturbation on ranking respect query. Through theoretical analysis, supported by experiments, demonstrate that as intrinsic dimensionality data domain rises, amount required subvert neighborhood rankings diminishes, and vulnerability attack rises. examine two modes query: either `closer' target point, or `farther' from also perspectives: `query-centric', examining query's own ranking, `target-centric', considering point in target's set. All four cases correspond practical scenarios involving classification retrieval.