Robustness Analysis of Neural Network Designs with Sparsity Investigation

The so-called neural network (NN) robustness problem refers to the vulnerability of neural networks to adversarial examples or some imperceptible perturbations, which can cause the model to produce incorrect or unexpected outputs. Based on our previous work which provides an estimate of how the robustness can be changed with respect to the two design factors (ReLU based activation functions and batch normalization technique) by using the formula of Lipschitz constant, this work further analyzes the impact of the other two different design factors, max pooling and model size, on the robustness of neural networks. Our analysis results are obtained from three extended lemmas with sparsity investigation and discussed with real experimental data as well. Basically, we find that max pooling can bring benefits to robustness while adopting global average pooling to replace one of fully connected layers after convolutional layers to keep the sampling size of feature maps. As to the relation between model size and robustness, the bigger model size is, the larger sparsity could be, and thus the better robustness can be held for some complex structure NN designs like VGG or ResNet-based NN for Cifar-10. However, for simple structure NN designs, e.g. LeNet-based NN for MNIST data set, we also find that using sparsity as the only one indicator for robustness evaluation is not feasible enough. From the experimental results and the calculated Lipschitz constant values, we conclude that besides sparsity, the structural complexity of the NNs and the degree of variance in model size are also needed to be taken into account for robustness estimation.