As part of the model-based approaches to safe and trusted AI, this project aims to shed light on the phenomenon of robust generalisation as a trade-off in geometric deep networks.
Unfortunately, classical learning theory is incapable of explaining the behaviour observed in modern deep architectures. We propose to approach this problem both theoretically and empirically. Theoretically, we would like to (i) formulate how bounds on generalisation and compressibility are related to robustness, which we aim to do by exploiting the under-explored ties to complexity theory; and (ii) extend the results to geometric deep networks by leveraging the recent advances in PAC-Bayes theorems for equivariant networks and graph neural networks. Empirically, we would like to observe robustness-accuracy trade-offs in compressible networks which are small in intrinsic dimension. Potentially, we should also be able to validate our theoretical arguments through extensive experimentation. We provide further details on these below:
1. In the first stage, we plan to investigate the links between the recently developed generalisation bounds powered by topological data analysis and complexity classes. The link is to be established through the use of intrinsic dimension in the weight space and should provide insight into neural networks’ complexity and the compressibility of the weights.
2. Next, we propose to extend and apply the findings in (1) to geometric machine learning, in particular to graph and set neural networks. Geometric networks tend to capture the inductive bias about the symmetry of the learning task by building those symmetries into the model. This notion links naturally to generalisation, as shown in previous works. We will extend these results using our topological generalisation bound.
3. Finally, we will bridge the gap between those and robustness. We see adversarial inputs as the optical illusions of artificial learning machines. As such, they are the key for hacking into and fully grasping the mysteries of modern deep learning. Adversarial robustness is defined as the resilience of machine learning systems to malicious attacks, i.e., adversarial examples. This intrinsic property, just like generalisation, cannot be explained by the common wisdom of classical learning theory. To uncover the rationale for the behaviour of neural networks under adversarial perturbations, we shall further expand connections between generalisation, compressibility and intrinsic dimension. We will seek a response to the question: how and when could geometric machine learning excel in generalisation while enjoying improved adversarial robustness?
The proposed STAI CDT project is particularly related to the neural network verification problem, which aims to formally guarantee properties of neural networks such as robustness, safety, and correctness. As part of the CDT, we hope to develop new approaches to provide formal characteristics / bounds for the notions of generalisation, adversarial robustness and compressibility. Our prior work heavily leverages methods from topological data analysis and poses intrinsic dimension as a bound on the generalisation error of a deep neural network. Our aim is to expand the reach of this measure to quantify robustness in safety-critical applications.