So welcome to this lecture on adversarial attacks and robustness of neural networks.
So in the last couple of lectures we've already learned a lot about neural networks.
In particular in the last lecture we've spoken about convergence of the stochastic gradient
descent algorithm to train neural networks.
Of course there are a couple of unanswered questions by now and what we will speak about
today is the question whether and how neural networks can be made stable or whether they
are stable or unstable in the first place.
So this is going to be the topic of today's lecture and of course there are many more
questions which one could address.
However, in fact this is the last lecture in this course which deals with neural networks
and in the next lecture we will switch to graph-based methods for learning.
Okay, so let us speak a little bit about what are typical problems with neural networks
and then I will sort of tell you how to mitigate some of them.
So the first problem of neural networks is that if you train them naively or design them
naively they are quite prone to overfitting.
So to understand what overfitting is let's first look at a nice example of a neural network
which does not overfit.
Let's say in this example here we have a couple of data points, the red points lying here
and then the blue points here which form two spirals and then if you train a network on
this set of data points let's say what you would like to get out of this is a classifier
which classifies the whole space into blue region and the red region and let's say you
have done this successfully then the classifier would look something like this.
So all of your data points are mapped correctly plus the network is quite smooth in the sense
that it has some natural structures here which you would also expect from the solution by
looking at it with the eye let's say.
And here on the right hand side I show you a visualization of the loss landscape of this
problem here with this training data and of course the loss landscape is not two dimensional
because our neural network might have millions of parameters so in principle it's impossible
to plot a two dimensional loss landscape.
However there's some method developed by Tom Goldstein and co-authors which basically looks
at the principal components or the most important directions of the loss and then you can plot
it as a 2D surface.
If you're interested in that you can look at this website down here but what you can
see from this picture is basically that the loss function behaves quite nicely around
this local minimum which corresponds to this nicely trained classifier here and you might
already imagine that it's quite easy to use an algorithm like for instance stochastic
gradient descent or even standard gradient descent to converge to this minimum here basically
because this function here is not convex but it looks at least quasi-convex which is the
generalized notion of convexity.
However what happens in practice quite a lot is the following situation of a network which
terribly overfits.
So if you look at the classifier here what you will see is that every data point is mapped
correctly so each of the red data points indeed lies in a red part of the classifying region
here and all the blue data points also lie in blue parts of the space.
Here you see that basically the classification into blue and red is basically swapped.
So what you would like to have is that the left-hand side is red and the right-hand side
is blue.
However here it's mostly the other way around and also the spirals are kind of swapped because
the blue data points lie in a red spiral and the red data points lie in a blue spiral.
However the training loss of this configuration here is zero in the sense that every training
Presenters
Leon Bungert
Accessible via
Open access
Duration
00:56:07 Min
Recording date
2021-05-30
Uploaded on
2021-05-30 21:16:38
Language
en-US