Study Finds 'Exact Feature Collisions' in Neural Networks

- The phenomenon is an extension of earlier work on "approximate feature collisions," where researchers observed that neural networks could be surprisingly insensitive to large changes in input data. This insensitivity often arises from the properties of the Rectified Linear Unit (ReLU) activation function, which can map multiple different inputs to the same output. - Feature collisions are exploited in "clean-label poisoning" attacks, where an attacker can poison a training dataset to cause a specific, targeted misclassification later on without altering any data labels. A paper by Shafahi et al. (2018) demonstrated how to perturb examples so their internal features would be close to those of a completely different example. - In large-scale recommendation systems, a similar issue known as "hash collisions" occurs when different user or item IDs are mapped to the same embedding vector. This can degrade personalization by forcing unrelated items, like a rock anthem and a children's song, to share a single representation, thus confusing the model. - To combat this, Meta developed the Multi-Probe Zero Collision Hash (MPZCH), a system that can achieve zero collisions for 150 million user IDs by over-provisioning the hash table size by a factor of 1.33x. Similarly, ByteDance's Monolith recommendation system uses a "collision-less" embedding table with expirable embeddings to manage its memory footprint in real-time training environments. - The concept is not limited to image models; in Natural Language Processing, it's referred to as a "semantic collision." This is effectively the inverse of a typical adversarial example, where an attacker generates a completely unrelated text that the model deems semantically identical to a target query. - From an MLOps perspective, monitoring for "feature drift" is a related production concern, where the statistical properties of features change over time, potentially leading to degraded model performance. - In the context of Large Language Models (LLMs), recent research explores creating "non-collision parameters" to improve continual learning. This approach aims to preserve knowledge from different domains in distinct parameter sub-spaces, mitigating the "catastrophic forgetting" that occurs when an LLM is fine-tuned on a sequence of new tasks. - Researchers Utku Ozbulak and Manvel Gasparyan, among others, proposed a "Null-space search" method to numerically find inputs that produce exact feature collisions for any given task, including classification and segmentation in computer vision.