Identifying Layers Susceptible to Adversarial Attacks
Shoaib Ahmed Siddiqui, Thomas Breuel

TL;DR
This study explores how different layers of neural networks contribute to vulnerability to adversarial attacks, revealing that early layers are more susceptible and crucial for robustness.
Contribution
It demonstrates that robustness is primarily linked to low-level feature extraction layers, challenging the focus on high-level layers for defense strategies.
Findings
Susceptibility to adversarial samples is linked to early layers.
Retraining high-level layers alone is insufficient for robustness.
Adversarial samples produce statistically different features in early layers.
Abstract
In this paper, we investigate the use of pretraining with adversarial networks, with the objective of discovering the relationship between network depth and robustness. For this purpose, we selectively retrain different portions of VGG and ResNet architectures on CIFAR-10, Imagenette, and ImageNet using non-adversarial and adversarial data. Experimental results show that susceptibility to adversarial samples is associated with low-level feature extraction layers. Therefore, retraining of high-level layers is insufficient for achieving robustness. Furthermore, adversarial attacks yield outputs from early layers that differ statistically from features for non-adversarial samples and do not permit consistent classification by subsequent layers. This supports common hypotheses regarding the association of robustness with the feature extractor, insufficiency of deeper layers in providing…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Neural Network Applications · Integrated Circuits and Semiconductor Failure Analysis
Methods: Batch Normalization · Residual Connection · Average Pooling · Global Average Pooling · 1x1 Convolution · Kaiming Initialization · Residual Block · Bottleneck Residual Block · Max Pooling
