Angular Gradient Sign Method: Uncovering Vulnerabilities in Hyperbolic Networks

This paper introduces the Angular Gradient Sign Method, a novel adversarial attack for hyperbolic networks that leverages the geometric decomposition of gradients to apply perturbations solely along angular (semantic) directions, thereby achieving higher fooling rates and revealing unique vulnerabilities in hierarchical embeddings compared to conventional Euclidean-based methods.

The Gist

Imagine you are trying to navigate a massive, ancient library.

In the world of standard computer vision (Euclidean geometry), this library is like a giant, flat warehouse. Everything is laid out on a grid. If you want to trick a robot into misidentifying a picture of a tiger, you just nudge the pixels slightly in a straight line until the robot gets confused. It's like pushing a book off a shelf; it falls straight down.

But in the world of Hyperbolic Networks (the subject of this paper), the library is shaped like a funnel or a tree.

• The top of the funnel is wide and represents general concepts (like "Animal").
• As you go deeper down the funnel, it gets narrower, representing specific concepts (like "Mammal," then "Cat," then "Tiger").
• In this shape, moving "down" the funnel changes what kind of thing you are (hierarchy). Moving "around" the funnel wall changes the specific details without changing the category (semantics).

The Problem: The "Blind" Attacker

The paper argues that old hacking methods (like FGSM and PGD) are like blindfolded people trying to push a book in this funnel-shaped library.

• They push the book in a straight line, not realizing the shelves are curved.
• Sometimes they push the book "down" the funnel (changing the category from Tiger to Lion), which doesn't actually fool the robot as well as they think.
• Sometimes they push it "sideways," but they do it inefficiently, wasting energy.

The result? The attack is weak because it fights against the natural shape of the library.

The Solution: The "Angular" Hacker (AGSM)

The authors propose a new method called AGSM (Angular Gradient Sign Method). Think of this as a hacker who puts on glasses that let them see the curve of the library.

They realized something crucial:

1. Radial Movement (Depth): Pushing a book deeper into the funnel changes its "level" (e.g., from "Tiger" to "Cat"). The paper found that doing this doesn't confuse the robot much; the robot still knows it's an animal.
2. Angular Movement (Direction): Pushing a book around the curve of the funnel keeps it at the same "level" but changes its specific identity (e.g., from "Tiger" to "Leopard"). This is where the real confusion happens.

The AGSM Strategy:
Instead of pushing the image in a random straight line, AGSM calculates exactly how to push it sideways along the curve.

• It ignores the "depth" (radial) part of the push.
• It focuses 100% of its energy on the "sideways" (angular) part.

The Analogy: The Merry-Go-Round

Imagine a child on a merry-go-round (the hyperbolic space).

• Old Attack (FGSM): The attacker tries to push the child off the ride. They push in a straight line. Sometimes the child falls off (the model fails), but often the child just wobbles and stays on.
• New Attack (AGSM): The attacker realizes the child is spinning. Instead of pushing them off, they push them tangentially (in the direction of the spin). This makes the child spin wildly out of control, changing their position completely without ever leaving the ride. The child (the AI model) gets so dizzy it can't tell who they are anymore.

What Did They Find?

The researchers tested this on two types of AI:

1. Image Classifiers: AI that looks at pictures and says "That's a tiger."
2. Cross-Modal Retrieval: AI that matches a picture of a tiger to the text "A big orange cat."

The Results:

• Higher Success Rate: The "Angular" attack (AGSM) fooled the AI much more often than the old "Blind" attacks.
• Deeper Confusion: When the AI was fooled, it didn't just guess randomly; it guessed something that made semantic sense but was wrong (e.g., thinking a Tiger was a Leopard). This is a much more dangerous type of error.
• Confidence Drop: The AI became much less sure of its answers when attacked with AGSM.

The Catch (Limitations)

The paper also tried to "vaccinate" the AI by training it on these tricky angular attacks.

• The Good: The AI got better at resisting these specific angular attacks.
• The Bad: The AI got slightly worse at doing its normal job on clean, un-hacked images. It's a trade-off: making the AI harder to trick in one specific way made it a bit less sharp overall.

The Big Takeaway

This paper is a wake-up call for AI security. You can't just use the same hacking tools for all types of AI. If the AI is built on a curved, hierarchical structure (like a tree or a funnel), you have to hack it by moving along the curve, not straight through it.

In short: To break a curved system, you don't push it straight; you spin it.

Technical Summary

Here is a detailed technical summary of the paper "Angular Gradient Sign Method: Uncovering Vulnerabilities in Hyperbolic Networks."

1. Problem Statement

While adversarial attacks (e.g., FGSM, PGD) are well-studied in Euclidean deep learning, their application to hyperbolic networks remains under-explored and suboptimal.

• Geometric Mismatch: Conventional attacks assume a flat (Euclidean) representation space. They compute gradients in zero-curvature space, ignoring the intrinsic curvature and hierarchical structure of hyperbolic manifolds.
• Inefficiency: Directly applying Euclidean perturbations to hyperbolic embeddings often results in "geometrically inconsistent" attacks. These perturbations may alter the hierarchical depth (radial shift) without effectively changing the semantic meaning, or fail to exploit the specific directions where the model is most vulnerable.
• Gap: There is a lack of attack strategies that respect the unique decomposition of hyperbolic space into radial (depth/hierarchy) and angular (semantic/level) components.

2. Methodology: Angular Gradient Sign Method (AGSM)

The authors propose AGSM, a novel adversarial attack designed specifically for hyperbolic geometry. The core insight is that in hyperbolic space, the loss gradient can be decomposed into two distinct components within the tangent space:

1. Radial Component: Changes the hierarchical depth (e.g., moving from a general class to a specific subclass).
2. Angular Component: Modulates the representation within the same hierarchical level, capturing fine-grained semantic variations.

Key Observations:

• Radial shifts have negligible impact on final predictions (confidence drops but labels often remain correct).
• Angular shifts are the primary driver of misclassification and semantic misalignment.

Algorithmic Steps:

1. Tangent Space Projection: The model's output embeddings (in Poincaré ball or Lorentz models) are mapped to the tangent space using logarithmic maps.
2. Gradient Decomposition:
   • Compute a standard perturbation (e.g., via FGSM) to get a feature shift $\Delta h$.
   • Project $\Delta h$ onto the unit radial vector $u_h$ to isolate the radial component ($v_{rad}$).
   • Subtract the radial component to isolate the angular component ($v_{ang} = \Delta h - v_{rad}$).
3. Backpropagation: Instead of using the full gradient, the method backpropagates the angular shift vector ($v_{ang}$) to the input space.
4. Perturbation Generation: The input is perturbed based on the sign of the gradient of the inner product between the feature and the angular shift:
   $$x_{adv} = x + \epsilon \cdot \text{sign}(\nabla_x \langle h, v_{ang} \rangle)$$
5. Extension (PAGD): The method is extended to a multi-step iterative attack (Projected Angular Gradient Descent) to further maximize angular deviation while respecting perturbation budgets ($\ell_\infty$ or $\ell_2$).

3. Key Contributions

• Theoretical Insight: Demonstrated that adversarial vulnerability in hyperbolic networks is primarily driven by angular deviations rather than radial shifts. Radial shifts preserve semantic labels, while angular shifts cause semantic misalignment.
• Novel Attack (AGSM): Introduced a geometry-aware attack that explicitly isolates and maximizes the angular component of the gradient, bypassing the inefficiencies of standard Euclidean-based attacks.
• Empirical Validation: Proved that AGSM outperforms standard FGSM and PGD across diverse tasks and architectures, achieving higher fooling rates and deeper confidence drops.
• Defense Analysis: Showed that training with AGSM-perturbed data offers only modest robustness gains and incurs a trade-off in clean accuracy, highlighting the need for new defense mechanisms tailored to curved spaces.

4. Experimental Results

The method was evaluated on Poincaré ResNet (image classification) and HyCoCLIP (cross-modal retrieval) using datasets like CIFAR-10/100, Tiny ImageNet, MS COCO, and Flickr30K.

• Image Classification (Poincaré ResNet):

  • AGSM consistently reduced robust accuracy by an additional 9–13% compared to standard FGSM.
  • PAGD (multi-step) further degraded accuracy by 9–10% compared to standard PGD.
  • Example: On CIFAR-100 with ResNet-32 at $\epsilon=8.0/255$, AGSM achieved a fooling rate resulting in 13.93% accuracy, significantly lower than FGSM's 19.67%.

• Cross-Modal Retrieval (HyCoCLIP):

  • AGSM caused a 2–5% additional drop in Recall@5/10 compared to FGSM.
  • Qualitative analysis (Figure 2) showed that while radial shifts preserved correct captions and FGSM produced semantically incorrect ones, AGSM produced the most semantically misaligned outputs (e.g., changing "horse carriage" to "people riding elephants").

• Geometric Analysis:

  • Distance: AGSM pushed perturbed features significantly farther along hyperbolic geodesics than FGSM (Table 5).
  • Confidence: AGSM induced larger drops in Maximum Softmax Probability (MSP), indicating a more severe collapse of model certainty (Table 6).

5. Significance and Conclusion

• Geometry-Aware Security: The paper establishes that security strategies for hyperbolic networks cannot simply copy Euclidean methods. The curvature of the space dictates that semantic vulnerability lies in the angular direction.
• Hierarchical Vulnerability: The findings reveal that hierarchical embeddings are particularly fragile to perturbations that shift semantic meaning within a hierarchy level without changing the level itself.
• Future Directions: The study highlights a critical gap in defense; standard adversarial training with AGSM examples does not fully robustify models and may harm clean performance. This suggests a need for new defense strategies that explicitly account for the curved, hierarchical structure of hyperbolic representations.

In summary, AGSM provides a principled framework for attacking hyperbolic networks by exploiting their geometric properties, revealing that the "angular" dimension is the primary vector for successful adversarial manipulation in hierarchical representation spaces.