Impact of Spatial Frequency Based Constraints on Adversarial Robustness

TL;DR

This paper explores how constraining models to different spatial frequency components during training affects their robustness to adversarial attacks, revealing data-dependent variability and underlying factors influencing robustness.

Contribution

It demonstrates that the impact of frequency-based constraints on adversarial robustness varies with data characteristics and identifies key factors affecting this relationship.

Findings

Robustness varies significantly depending on the data set and frequency constraints.

Sensitivity to high frequencies influences adversarial robustness.

Transferability of adversarial perturbations is affected by frequency filtering.

Abstract

Adversarial examples mainly exploit changes to input pixels to which humans are not sensitive to, and arise from the fact that models make decisions based on uninterpretable features. Interestingly, cognitive science reports that the process of interpretability for human classification decision relies predominantly on low spatial frequency components. In this paper, we investigate the robustness to adversarial perturbations of models enforced during training to leverage information corresponding to different spatial frequency ranges. We show that it is tightly linked to the spatial frequency characteristics of the data at stake. Indeed, depending on the data set, the same constraint may results in very different level of robustness (up to 0.41 adversarial accuracy difference). To explain this phenomenon, we conduct several experiments to enlighten influential factors such as the level of sensitivity to high frequencies, and the transferability of adversarial perturbations between original and low-pass filtered inputs.