TL;DR
This paper investigates the nature of adversarial images in deep neural networks, revealing their high variability, the nonconvexity of the optimization problem behind their generation, and differences in robustness between shallow and deep classifiers.
Contribution
It formalizes the adversarial image problem, analyzes the distribution of adversarial images in pixel space, and compares robustness across classifier depths using visualizations and experiments.
Findings
Adversarial images occupy large regions in pixel space.
Shallow classifiers are more robust to adversarial images than deep networks.
Adversarial image generation involves nonconvex optimization even in linear models.
Abstract
Adversarial examples have raised questions regarding the robustness and security of deep neural networks. In this work we formalize the problem of adversarial images given a pretrained classifier, showing that even in the linear case the resulting optimization problem is nonconvex. We generate adversarial images using shallow and deep classifiers on the MNIST and ImageNet datasets. We probe the pixel space of adversarial images using noise of varying intensity and distribution. We bring novel visualizations that showcase the phenomenon and its high variability. We show that adversarial images appear in large regions in the pixel space, but that, for the same task, a shallow classifier seems more robust to adversarial images than a deep convolutional network.
