The Role of Input Dimensionality in the Emergence and Targeted Control of Adversarial Examples

Source: stat.ML updates on arXiv.org · Field: Technology & Digital (Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy) · Depth: Expert, extended

Summary

A systematic study investigates the role of input dimensionality in the emergence and targeted control of adversarial examples, challenging existing theoretical frameworks based on concentration of measure. Researchers analyzed hierarchical image datasets, including VegSeed, Food-30, and ResynthDB, at resolutions from 64x64 to 400x400, using diverse neural architectures like MobileNetV3-Small, EfficientNetV2-Small, ResNet-50, and CLIP+MLP, alongside various defense strategies. The findings consistently show that adversarial examples become easier to construct as input dimensionality increases, with the Mean Squared Error (MSE) required for a 90% attack success rate (MSE90) decreasing by factors ranging from approximately 6x to over 20x. Furthermore, the additional distortion needed for targeted adversarial attacks remains limited and diminishes as input dimensionality grows, aligning with theoretical predictions.

Key takeaway

Machine learning engineers designing robust models should expect high input dimensionality to make adversarial examples significantly easier to construct: successful attacks require smaller perturbations. Prioritize adversarial training and rigorously evaluate your models' vulnerability across varying input resolutions. The effect applies to both untargeted and targeted attacks, and the additional distortion cost of targeted attacks diminishes in higher dimensions, which affects your security posture.

Key insights

High input dimensionality consistently eases adversarial example construction for both untargeted and targeted attacks, despite data localization.

Method

The study created hierarchical image datasets by downsampling high-resolution images to control input dimensionality while preserving semantic content, then evaluated attack efficacy across diverse models and defenses.
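An added example, not from the paper or from AIssential: one way to turn a perturbation-budget sweep from a robustness evaluation into an MSE90 figure per resolution and a reduction factor relative to the lowest resolution. The sweep numbers are constructed, and the function names and the log-scale interpolation between sweep points are assumptions of this example.

```python
import math

def mse_at_success(budgets, success, target=0.90):
    """Smallest MSE budget at which the attack success rate reaches `target`.

    budgets: strictly increasing positive MSE budgets used in the evaluation.
    success: fraction of test inputs misclassified at each budget.
    Interpolates in log(MSE) between the two bracketing sweep points
    (an assumption) and returns None when the target is never reached.
    """
    if not budgets or len(budgets) != len(success):
        raise ValueError("budgets and success must be non-empty and aligned")
    if budgets[0] <= 0 or any(b <= a for a, b in zip(budgets, budgets[1:])):
        raise ValueError("budgets must be positive and strictly increasing")
    prev = None
    for b, s in zip(budgets, success):
        if s >= target:
            if prev is None:  # target already met at the smallest budget tried
                return b
            pb, ps = prev
            frac = (target - ps) / (s - ps)
            return math.exp(math.log(pb) + frac * (math.log(b) - math.log(pb)))
        prev = (b, s)
    return None

def reduction_factors(sweeps, target=0.90):
    """Per resolution: (MSE at target, ratio of the lowest-resolution value to it)."""
    report, base = {}, None
    for res in sorted(sweeps):
        m = mse_at_success(*sweeps[res], target=target)
        if base is None and m is not None:
            base = m  # lowest resolution that has a defined value
        report[res] = (m, None if m is None else base / m)
    return report

# Constructed sweep results (not the paper's data): resolution -> (budgets, success).
BUDGETS = [1e-6, 1e-5, 1e-4, 1e-3, 1e-2]
SWEEPS = {
    64:  (BUDGETS, [0.00, 0.10, 0.40, 0.90, 1.00]),
    128: (BUDGETS, [0.00, 0.20, 0.80, 1.00, 1.00]),
    400: (BUDGETS, [0.10, 0.50, 0.90, 1.00, 1.00]),
}
# Constructed defended model that never reaches 90% within the sweep.
HARDENED_64 = (BUDGETS, [0.00, 0.00, 0.05, 0.30, 0.70])

if __name__ == "__main__":
    for res, (mse90, factor) in reduction_factors(SWEEPS).items():
        print(f"{res}x{res}: MSE90={mse90:.2e}  reduction={factor:.1f}x")
    print("hardened 64x64:", mse_at_success(*HARDENED_64))
```

A `None` result means the sweep did not go far enough to break the model 90% of the time, so it should be reported as a lower bound on MSE90 rather than dropped from the comparison.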

Best for: Research Scientist, Computer Vision Engineer, AI Scientist, Machine Learning Engineer, AI Security Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by stat.ML updates on arXiv.org.