Interpreting Adversarially Trained Convolutional Neural Networks

TL;DR

This paper investigates how adversarial training influences CNNs' object recognition, revealing that it shifts models from texture bias towards shape bias, which enhances robustness and interpretability.

Contribution

It introduces systematic methods to interpret AT-CNNs, showing they learn more shape-biased representations compared to standard CNNs.

Findings

Adversarial training reduces texture bias in CNNs.

AT-CNNs are more sensitive to shape features than standard CNNs.

Shape-biased models are more robust to transformations and dataset manipulations.

Abstract

We attempt to interpret how adversarially trained convolutional neural networks (AT-CNNs) recognize objects. We design systematic approaches to interpret AT-CNNs in both qualitative and quantitative ways and compare them with normally trained models. Surprisingly, we find that adversarial training alleviates the texture bias of standard CNNs when trained on object recognition tasks, and helps CNNs learn a more shape-biased representation. We validate our hypothesis from two aspects. First, we compare the salience maps of AT-CNNs and standard CNNs on clean images and images under different transformations. The comparison could visually show that the prediction of the two types of CNNs is sensitive to dramatically different types of features. Second, to achieve quantitative verification, we construct additional test datasets that destroy either textures or shapes, such as style-transferred version of clean data, saturated images and patch-shuffled ones, and then evaluate the classification accuracy of AT-CNNs and normal CNNs on these datasets. Our findings shed some light on why AT-CNNs are more robust than those normally trained ones and contribute to a better understanding of adversarial training over CNNs from an interpretation perspective.