So actually, I seem to be a regular in Erlangen for giving virtual talks; maybe a couple of years ago, two years ago, I gave one in Martin Berger's group.
So it's great to be again in Erlangen, even if virtually. I hope to be there in person at some point.
So today I'm going to talk about a connection between two things.
One thing that is perhaps more familiar to applied mathematicians has to do with regularization.
And the other thing has to do with adversarial training, which is something that maybe computer
scientists and machine learning people would feel more familiar with.
And let me just start with a little picture to illustrate what adversarial attacks are.
So typically we imagine that we're trying to do some classification task.
And let's say that our data consists of images and we may have a clean image of a stop sign,
which we can think of its true label as being a stop sign.
So it's labeled correctly.
But then we can imagine a situation where, just by putting a bunch of small patches conveniently
located on the image, we would expect that this picture should still be a stop sign.
So the true label should still be a stop sign.
And yet some classification rules fail to detect that.
And in fact, they can maybe classify this corrupted stop sign as something else.
And you can imagine, especially for self-driving cars and things like this, this could be a
problem.
So now, the way that I'm going to talk about adversarial training in this talk is perhaps
completely different from how most people would talk about it.
And in fact, I'm going to take a much more geometric perspective on it.
And so we're going to see evolution equations.
We're going to see perimeter minimization problems.
And, if time permits, we're going to see a little bit of connections to optimal transport.
And so here I'm just quoting a few thoughts that people have, heuristics or intuitive
thoughts about what adversarial training is doing.
And there is this loose statement that the concept of regularization
is somehow connected to adversarial training, and also, more concretely for classification
problems, the idea that introducing an adversary somehow manages to make the decision boundaries
of the classification rules smoother and shorter.
So in a sense, like what we're going to try to do is make these connections more concrete.
So just to get started mathematically, an adversarial training problem is going to look
like this.
It's a min max problem.
The min part is what we imagine the classifier is trying to do.
The max part is what the adversary is trying to do.
What is the adversary trying to do?
It's trying to corrupt the data.
So the notation that I'll use throughout the talk will be: mu is my data
distribution, the actual data distribution that I have, and mu tilde is a corrupted data
distribution.
So the adversary can modify the original distribution mu, and it can do so as long as it doesn't
corrupt it by more than a certain distance epsilon.
This epsilon will represent the power of the adversary, and this d is some modeling choice
for how the adversary can attack.
Inside we have the regular risk associated to some loss function.
So how is my classifier theta performing when facing the data distribution mu tilde according
Accessible via: Open access
Duration: 00:48:25 min
Recording date: 2022-02-16
Uploaded on: 2022-02-16 18:56:04
Language: en-US