Exploring Adversarial Robustness of Deep State Space Models

Response to W1:

Really greatful for the valuable comments from the reviewer. To ensure a more comprehensive and thorough assessment, we introduced a dataset with a larger size and more classes, Tiny Imagenet, for evaluation. The results are shown in the Table 1 of the supplementary pdf. The findings continue to support our discoveries on MNIST and CIFAR10, namely:

1. All SSM structures exhibit a significant drop in CA after AT, highlighting the Robustness-Generalization Trade-Off present in SSM structures.
2. Even the Data-Dependent Mamba model did not show a significant performance improvement compared to Data-Independent SSM structures like S4 and DSS after AT, indicating that pure SSM structures struggle to benefit from adversarial training.
3. Although the incorporation of the attention mechanism has a positive effect on improving the model's CA and RA, our experiments on Tiny Imagenet also revealed potential RO issues it may bring. For instance, the Mega model showed a significant drop in RA (8.56%) after PGD-AT, indicating noticeable RO in AT.
4. More importantly, the addition of AdS still led to improvements in CA and RA for Data-Independent SSMs S4 and DSS on Tiny Imagenet, supporting the effectiveness of our AdS design.

Appreciate the reviewer once again for the valuable suggestions, and we believe this will further enrich the experimental evaluation of our paper and enhance its quality.

Response to W2:

We appreciate the constructive suggestions from the reviewer. The purpose of this work is not to propose an AT strategy but to evaluate the AR of various SSM structures, analyze the component factors affecting SSM's benefit from AT, and guide the construction of corrective strategies. Of course, incorporating more AT frameworks would help to refine the assessment of this work. Following the reviewer's suggestions, we introduced FreeAT[1] and YOPO[2], two more efficient AT frameworks, and conducted experiments on MNIST, CIFAR10, and Tiny ImageNet, with results shown in Table 2 of the supplementary pdf. The conclusions remain similar to our findings with PGD-AT and TRADES:

1. SSM structures under the FreeAT and YOPO AT frameworks also exhibit a decline in CA, reflecting a clear trade-off between robustness and generalization, especially on the CIFAR10 and Tiny Imagenet datasets, where this Trade-Off is more pronounced.
2. Under the FreeAT and YOPO frameworks, pure SSM structures still struggle to benefit in terms of RA. This result is consistent with our previous observations using PGD-AT and TRADES, indicating that these AT frameworks may not be optimized for SSM structures, or SSM structures themselves find it difficult to achieve effective robustness under these frameworks. Moreover, on the MNIST dataset, we noticed that all models had difficulty converging under the YOPO framework, which may suggest that certain characteristics of the YOPO framework are not fully compatible with the sequential image classification tasks of SSM structures. This finding indicates that the design of AT frameworks needs to consider the match between model structure and data characteristics more delicately.
3. Although the Mega model, which introduced an attention mechanism, showed higher CA and RA under the FreeAT and YOPO frameworks, its final RA decline compared to the best RA is also more significant, still revealing the RO issues brought about by the introduction of the Attention mechanism.
4. When applying our AdS strategy under the FreeAT and YOPO frameworks, Data-Dependent SSMs S4 and DSS showed consistent improvements in both CA and RA. This result further confirms the effectiveness and universality of the AdS strategy across different adversarial training frameworks.

Thanks to the reviewer once again for the valuable suggestions, which are of great significance in enhancing the quality of our paper.

[1] Adversarial Training for Free. NeurIPS 2019.

[2] You Only Propagate Once: Accelerating Adversarial Training via Maximal Principle. NeurIPS 2019.

Response to W1:

Really appreciate the valuable feedback from the reviewer. To facilitate a more comprehensive assessment, we conducted evaluations on the tiny imagenet dataset, which has more classes and larger image sizes. The results, as shown in Table 1 of the supplementary pdf, are consistent with the conclusions observed on MNIST and CIFAR-10. Namely:

1. There is a clear Robustness-Generalization Trade-Off in SSMs. After AT, the CA of all SSM structures has significantly decreased. Particularly, the DSS showed a notably sharp decline in CA after PGD-AT, exceeding 10%, which significantly indicates the presence of a Robustness-Generalization Trade-Off.
2. Even the Data-Dependent SSM Mamba did not exhibit better robustness gains after AT compared to Data-Independent SSMs like S4 and DSS. This suggests that pure SSM structures struggle to benefit from AT.
3. While the introduction of the attention mechanism can improve the model's CA and RA, it also introduces the risk of RO issues. For instance, the Mega model showed an 8.56% decrease in final RA after PGD-AT compared to the best RA, which clearly indicates the existence of RO issues.

We appreciate the constructive feedback from the reviewer once again.

Response to W2:

Very greatful for the constructive suggestions from the reviewer. In the revised version, we will report the results w/o AdS from Table 1 again in Table 2. Appreciate the reviewer's suggestions once again.

Response to W3:

Greatly appreciate the insightful comments from the reviewer. According to Theorem 1, when the eigenvalues of the state matrix $A$ are too large or too small, they can both lead to error accumulation during the state space transition: larger eigenvalues can increase the lower bound of the error, while smaller eigenvalues limit the model's expressive ability (for example, if the absolute value of the largest eigenvalue of $A$ is still close to 0, then the state transition will hardly preserve any sequence features). The sigmoid and tanh activations only have a shrinking regulatory effect, that is, when large eigenvalues of $A$ lead to excessive output errors, the use of AdS with Sigmoid or Tanh activation can reduce the error, but they do not have an amplifying function, so they are relatively limited in expressive power. On the other hand, AdS with ReLU activation has both shrinking and amplifying functions, thus it can achieve error reduction and alleviate the limitation of expressive power caused by small eigenvalues of $A$. We believe the above response addresses your concerns.

Response to Q1:

Greatful for the valuable question from the reviewer. Following the reviewer's suggestion, we have tested the performance of AdS on the larger dataset Tiny Imagenet, with the results also reported in Table 1 of the supplementary pdf. Specifically, even on the larger dataset, our AdS continues to provide universal improvements in CA and RA for Data-Dependent SSMs S4 and DSS.

We appreciate the reviewer's suggestions once again, and we believe this will significantly enhancing the quality of our paper.

Response to Q2:

We appreciate the insightful questions from the reviewer. In this work, our aim is to explore the adversarial robustness of SSMs, to analyze the performance of SSMs in AT, to investigate the role of various SSM components in AT, and to provide further improvement measures based on the analysis. Specifically, by conducting a comprehensive comparison of the performance of various SSMs under AT, we:

1. First revealed the Robustness-Generalization Trade-Off in SSMs.
2. Further theoretical and experimental analysis explained why pure SSMs struggle to benefit from AT: the model's inherent state transition form leads to error accumulation, and the introduced attention mechanism plays a role in rescaling, thereby helping to mitigate errors introduced by perturbations.
3. Inspired by the above valuable conclusions and analysis, we considered introducing a low-complexity rescaling mechanism and proposed AdS. Further experiments on multiple datasets also demonstrated the universality and effectiveness of AdS. Therefore, the AdS we propose is not just a simple attempt; it is based on rigorous experiments and analysis. We believe that these findings and designs will provide insights for constructing more robust SSMs. However, the focus of this work is to explore the AR of SSMs and to analyze and provide improvement mechanisms, rather than proposing a new model structure. Of course, we think it could indeed help in designing new SSM architectures, but it requires 1) more refined design, including considering how to implicitly incorporate the idea of AdS into the SSM training framework (e.g. regularizing the state matrix with singular values) 2) extensive evaluation, including whether it can bring improvements to various vision and language tasks.

We would express our gratitude to the reviewer once again for the valuable questions.

Dear Reviewer PGjA,

Thank you for taking the time out of your busy schedule to review our paper and provide valuable feedback. We greatly appreciate the issues you raised and have addressed them in detail. We have also made the following revisions to our manuscript based on your suggestions: Thank you for taking the time to review our paper and provide valuable feedback. We greatly appreciate the issues you raised and have addressed them in detail. Based on your suggestions, we have made the following revisions to our manuscript:

Evaluation on Larger Dataset: Following your suggestion, we evaluated various SSM structures under different AT methods on the Tiny Imagenet dataset, which includes more categories and larger image sizes. The supplementary evaluation results are consistent with the conclusions observed on MNIST and CIFAR-10, further validating our findings.

Detailed Discussion of Theorem 1: Based on Theorem 1, we have discussed the impact of the eigenvalues of the state matrix on error accumulation during state-space transformation. We also analyzed the influence of different activation functions on the model's expressive capacity, and have included this analysis in our paper.

Testing AdS Performance on Larger Dataset: As per your suggestion, we tested the performance of AdS on the larger Tiny Imagenet dataset. The results demonstrate that AdS provides general improvements in CA and RA for data-dependent SSMs.

Table Refinement: We have added the AT results without AdS to Table 2, as previously reported in Table 1.

We believe these revisions contribute to improving the quality of our paper. If you have any further suggestions or questions, we would be happy to continue discussing and refining our work. Once again, thank you for the time and effort you have invested in this review.

Sincerely,

Authors of Paper #18034

Response to W1:

Really appreciate the insightful comments from the reviewer. To ensure a fair evaluation, RO should be assessed under the same attack strategy, so we primarily judge RO based on RA on PGD-10. Our "Best" checkpoint is determined by the RA under PGD attacks. This aligns with the standard settings for exploring RO issues [1][2]. However, AA is a completely different attack strategy from PGD-10, making the "Diff" metric on AA inadequate for effectively measuring RO.

We believe the above response will satisfactorily resolve the reviewer's questions.

Response to W2:

Greatly appreciate the insightful comments from the reviewer. To conduct a more comprehensive evaluation, we have performed ST and AT on various SSMs using the Tiny-Imagenet dataset, which offers more classes and larger image sizes. The results, as shown in Table 1 of the supplementary pdf, are consistent with the conclusions observed on MNIST and CIFAR10. Namely:

1. All SSM structures experienced a decrease in CA on undisturbed data after AT. Notably, the DSS saw a CA drop of over 10% after PGD-AT, revealing a clear trade-off between robustness and generalization capabilities.
2. Even Data-Dependent SSMs like Mamba did not demonstrate a significant robustness improvement after AT compared to Data-Independent SSMs such as S4 and DSS. This indicates that pure SSM structures struggle to benefit from AT.
3. Incorporating attention mechanisms did indeed significantly enhance the model's CA and RA, but it also introduced RO issues. For example, the final RA of the Mega model decreased by 8.56% after PGD-AT compared to its optimal RA.
4. By integrating our AdS strategy, we were still able to universally improve the CA and RA for Data-Independent SSMs like S4 and DSS.

We are grateful once again for the reviewer's insightful suggestions.

Response to W3:

We appreciate the insightful suggestions from the reviewer. The focus of this paper is to investigate the AR of SSMs based on their inherent structure and properties. To align with the research motivation of this paper, we have primarily conducted adversarial attack experiments on SSMs and their variants, and inspired by the experimental conclusions and theoretical analysis, we have designed mechanisms to enhance the robustness of SSMs. Therefore, we did not include baselines for CNNs and Transformers in the manuscript. Additionally, unlike traditional convolutional models such as ResNet that consider 2-D image classification, our setting is for sequential image classification, which precludes 2-D image classification CNNs from our comparison.

Considering the aforementioned factors and the valuable input from the reviewer, we will include a set of experiments using Transformers for sequential image classification as a baseline in the revised version, to help readers better understand the performance of SSMs as sequence models. Thank the reviewer once again for the valuable suggestions.

Response to Q1:

Grateful for the insightful questions from the reviewer. We adopted the standard AT experimental setup, aligning with the configurations in [3][4]. In fact, we have experimented with adjusting the training hyperparameters (including learning rate, weight decay coefficient, etc.) but this did not alter the results. Since PGD-AT uses adversarial samples generated solely by PGD for AT, this could lead to overfitting to the distribution of adversarial samples produced by PGD, resulting in a significant decrease in RA against other attack strategies (such as AA), or even ineffectiveness. Similar experimental phenomena and conclusions are also found in [5]. We believe our response has adequately addressed your concerns.

Response to Q2:

We appreciate the valuable questions from the reviewer. Exploring the robustness of SSM across different scales of width and depth is an excellent question. As the focus of this work is to understand the behavior of SSM in AT from its inherent structure and to conduct an attribution analysis based on the impact of various SSM components, we have not considered the aspects of SSM width and depth. However, based on the theorems and experimental results of the paper, we also have some intuitive speculations: the error accumulation during the forward process of SSM, and due to the error accumulation effect of SSM, an increase in depth might actually constrain the robust generalization capability of SSM. We appreciate the insightful questions from the reviewer once again.

[1] Overfitting in adversarially robust deep learning.

[2] Exploring memorization in adversarial training.

[3] Theoretically Principled Trade-off between Robustness and Accuracy.

[4] Single-step Adversarial training with Dropout Scheduling.

[5] Adversarial Training and Robustness for Multiple Perturbations.