{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,11]],"date-time":"2025-12-11T09:14:44Z","timestamp":1765444484926,"version":"build-2065373602"},"reference-count":27,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2024,1,24]],"date-time":"2024-01-24T00:00:00Z","timestamp":1706054400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Entropy"],"abstract":"<jats:p>Despite their remarkable performance, deep learning models still lack robustness guarantees, particularly in the presence of adversarial examples. This significant vulnerability raises concerns about their trustworthiness and hinders their deployment in critical domains that require certified levels of robustness. In this paper, we introduce an information geometric framework to establish precise robustness criteria for l2 white-box attacks in a multi-class classification setting. We endow the output space with the Fisher information metric and derive criteria on the input\u2013output Jacobian to ensure robustness. We show that model robustness can be achieved by constraining the model to be partially isometric around the training points. We evaluate our approach using MNIST and CIFAR-10 datasets against adversarial attacks, revealing its substantial improvements over defensive distillation and Jacobian regularization for medium-sized perturbations and its superior robustness performance to adversarial training for large perturbations, all while maintaining the desired accuracy.<\/jats:p>","DOI":"10.3390\/e26020103","type":"journal-article","created":{"date-parts":[[2024,1,24]],"date-time":"2024-01-24T07:42:16Z","timestamp":1706082136000},"page":"103","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["Adversarial Robustness with Partial Isometry"],"prefix":"10.3390","volume":"26","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-4947-0574","authenticated-orcid":false,"given":"Lo\u00efc","family":"Shi-Garrier","sequence":"first","affiliation":[{"name":"ENAC, Universit\u00e9 de Toulouse, 31400 Toulouse, France"}]},{"given":"Nidhal Carla","family":"Bouaynaya","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, Rowan University, Glassboro, NJ 08028, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4965-6815","authenticated-orcid":false,"given":"Daniel","family":"Delahaye","sequence":"additional","affiliation":[{"name":"ENAC, Universit\u00e9 de Toulouse, 31400 Toulouse, France"}]}],"member":"1968","published-online":{"date-parts":[[2024,1,24]]},"reference":[{"key":"ref_1","unstructured":"Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I.J., and Fergus, R. (2014, January 14\u201316). Intriguing properties of neural networks. Proceedings of the International Conference on Learning Representations, Banff, AB, Canada."},{"key":"ref_2","unstructured":"Goodfellow, I.J., Shlens, J., and Szegedy, C. (2015, January 7\u20139). Explaining and Harnessing Adversarial Examples. Proceedings of the International Conference on Learning Representations, San Diego, CA, USA."},{"key":"ref_3","unstructured":"Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A. (May, January 30). Towards Deep Learning Models Resistant to Adversarial Attacks. Proceedings of the International Conference on Learning Representations, Vancouver, BC, Canada."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Carlini, N., and Wagner, D. (2017, January 22\u201324). Towards Evaluating the Robustness of Neural Networks. Proceedings of the IEEE Symposium on Security and Privacy, San Jose, CA, USA.","DOI":"10.1109\/SP.2017.49"},{"key":"ref_5","unstructured":"Gilmer, J., Metz, L., Faghri, F., Schoenholz, S.S., Raghu, M., Wattenberg, M., and Goodfellow, I.J. (May, January 30). Adversarial Spheres. Proceedings of the International Conference on Learning Representations, Vancouver, BC, Canada."},{"key":"ref_6","first-page":"1","article-title":"Trustworthy AI: From Principles to Practices","volume":"55","author":"Li","year":"2022","journal-title":"ACM Comput. Surv."},{"key":"ref_7","unstructured":"Croce, F., and Hein, M. (2020, January 13\u201318). Reliable Evaluation of Adversarial Robustness with an Ensemble of Diverse Parameter-Free Attacks. Proceedings of the International Conference on Machine Learning, Virtual."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Papernot, N., McDaniel, P.D., Wu, X., Jha, S., and Swami, A. (2016, January 22\u201326). Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks. Proceedings of the IEEE Symposium on Security and Privacy, San Jose, CA, USA.","DOI":"10.1109\/SP.2016.41"},{"key":"ref_9","unstructured":"Hoffman, J., Roberts, D.A., and Yaida, S. (2018). Robust Learning with Jacobian Regularization. arXiv."},{"key":"ref_10","unstructured":"Shen, C., Peng, Y., Zhang, G., and Fan, J. (2019). Defending Against Adversarial Attacks by Suppressing the Largest Eigenvalue of Fisher Information Matrix. arXiv."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Amari, S.i. (1985). Differential-Geometrical Methods in Statistics, Springer. Lecture Notes in Statistics.","DOI":"10.1007\/978-1-4612-5056-2"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Calin, O., and Udri\u015fte, C. (2014). Geometric Modeling in Probability and Statistics, Springer International Publishing.","DOI":"10.1007\/978-3-319-07779-6"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"267","DOI":"10.1080\/02331887808801428","article-title":"Algebraic foundation of mathematical statistics","volume":"9","year":"1978","journal-title":"Ser. Stat."},{"key":"ref_14","unstructured":"Amari, S.I., and Nagaoka, H. (2000). Methods of Information Geometry, American Mathematical Society."},{"key":"ref_15","unstructured":"Shafahi, A., Najibi, M., Ghiasi, M.A., Xu, Z., Dickerson, J., Studer, C., Davis, L.S., Taylor, G., and Goldstein, T. (2019, January 8\u201314). Adversarial training for free!. Proceedings of the Advances in Neural Information Processing Systems, Vancouver, BC, Canada."},{"key":"ref_16","unstructured":"Wong, E., Rice, L., and Kolter, J.Z. (2020, January 26\u201330). Fast is better than free: Revisiting adversarial training. Proceedings of the International Conference on Learning Representations, Addis Ababa, Ethiopia."},{"key":"ref_17","unstructured":"Zhao, C., Fletcher, P.T., Yu, M., Peng, Y., Zhang, G., and Shen, C. (February, January 27). The Adversarial Attack and Detection under the Fisher Information Metric. Proceedings of the AAAI Conference on Artificial Intelligence, Honolulu, HI, USA."},{"key":"ref_18","unstructured":"M\u00fcller, R., Kornblith, S., and Hinton, G.E. (2019, January 8\u201314). When does label smoothing help?. Proceedings of the Advances in Neural Information Processing Systems, Vancouver, BC, Canada."},{"key":"ref_19","unstructured":"Ciss\u00e9, M., Bojanowski, P., Grave, E., Dauphin, Y.N., and Usunier, N. (2017, January 6\u201311). Parseval Networks: Improving Robustness to Adversarial Examples. Proceedings of the International Conference on Machine Learning, Sydney, Australia."},{"key":"ref_20","unstructured":"B\u00e9thune, L., Boissin, T., Serrurier, M., Mamalet, F., Friedrich, C., and Gonz\u00e1lez-Sanz, A. (December, January 28). Pay Attention to Your Loss: Understanding Misconceptions about 1-Lipschitz Neural Networks. Proceedings of the Advances in Neural Information Processing Systems, New Orleans, LA, USA."},{"key":"ref_21","unstructured":"Xiao, C., Zhu, J.Y., Li, B., He, W., Liu, M., and Song, D. (May, January 30). Spatially Transformed Adversarial Examples. Proceedings of the International Conference on Learning Representations, Vancouver, BC, Canada."},{"key":"ref_22","first-page":"211","article-title":"A Riemannian Geometry of the Multivariate Normal Model","volume":"11","author":"Skovgaard","year":"1984","journal-title":"Scand. J. Stat."},{"key":"ref_23","unstructured":"Cohen, J., Rosenfeld, E., and Kolter, Z. (2019, January 9\u201315). Certified Adversarial Robustness via Randomized Smoothing. Proceedings of the International Conference on Machine Learning, Long Beach, CA, USA."},{"key":"ref_24","unstructured":"Zhang, H., Yu, Y., Jiao, J., Xing, E., Ghaoui, L.E., and Jordan, M. (2019, January 9\u201315). Theoretically Principled Trade-off between Robustness and Accuracy. Proceedings of the International Conference on Machine Learning, Long Beach, CA, USA."},{"key":"ref_25","unstructured":"Tsipras, D., Santurkar, S., Engstrom, L., Turner, A., and Madry, A. (2019, January 6\u20139). Robustness May Be at Odds with Accuracy. Proceedings of the International Conference on Learning Representations, New Orleans, LA, USA."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"2698","DOI":"10.1109\/TPAMI.2022.3174724","article-title":"Adversarial Robustness via Fisher-Rao Regularization","volume":"45","author":"Picot","year":"2022","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"ref_27","unstructured":"Leino, K., Wang, Z., and Fredrikson, M. (2021, January 18\u201324). Globally-Robust Neural Networks. Proceedings of the International Conference on Machine Learning, Virtual."}],"container-title":["Entropy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1099-4300\/26\/2\/103\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T13:48:33Z","timestamp":1760104113000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1099-4300\/26\/2\/103"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,1,24]]},"references-count":27,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2024,2]]}},"alternative-id":["e26020103"],"URL":"https:\/\/doi.org\/10.3390\/e26020103","relation":{},"ISSN":["1099-4300"],"issn-type":[{"type":"electronic","value":"1099-4300"}],"subject":[],"published":{"date-parts":[[2024,1,24]]}}}