# Adversarial Example Decomposition

**Authors:** Horace He, Aaron Lou, Qingxuan Jiang, Isay Katsman, Serge Belongie,, Ser-Nam Lim

arXiv: 1812.01198 · 2019-06-24

## TL;DR

This paper introduces a method to decompose adversarial examples into architecture, data, and noise components, revealing their transferability properties and enabling improved adversarial transferability.

## Contribution

It proposes a novel decomposition of adversarial examples into three bias sources, enhancing understanding and transferability of adversarial attacks.

## Key findings

- Noise-dependent components transfer poorly across models.
- Architecture-dependent components transfer better among same-architecture models.
- Recombining components improves transferability without losing original efficacy.

## Abstract

Research has shown that widely used deep neural networks are vulnerable to carefully crafted adversarial perturbations. Moreover, these adversarial perturbations often transfer across models. We hypothesize that adversarial weakness is composed of three sources of bias: architecture, dataset, and random initialization. We show that one can decompose adversarial examples into an architecture-dependent component, data-dependent component, and noise-dependent component and that these components behave intuitively. For example, noise-dependent components transfer poorly to all other models, while architecture-dependent components transfer better to retrained models with the same architecture. In addition, we demonstrate that these components can be recombined to improve transferability without sacrificing efficacy on the original model.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1812.01198/full.md

## Figures

5 figures with captions in the complete paper: https://tomesphere.com/paper/1812.01198/full.md

## References

12 references — full list in the complete paper: https://tomesphere.com/paper/1812.01198/full.md

---
Source: https://tomesphere.com/paper/1812.01198