Wide Two-Layer Networks can Learn from Adversarial Perturbations

TL;DR

This paper provides a theoretical explanation for why wide two-layer neural networks can learn from adversarial perturbations, showing they contain enough class-specific features for effective generalization.

Contribution

It proves that adversarial perturbations include sufficient class-specific features, explaining the success of perturbation learning in wide two-layer networks for any data distribution.

Findings

Adversarial perturbations contain class-specific features.

Classifiers trained on adversarial examples match those trained on clean data.

Results hold for any data distribution.

Abstract

Adversarial examples have raised several open questions, such as why they can deceive classifiers and transfer between different models. A prevailing hypothesis to explain these phenomena suggests that adversarial perturbations appear as random noise but contain class-specific features. This hypothesis is supported by the success of perturbation learning, where classifiers trained solely on adversarial examples and the corresponding incorrect labels generalize well to correctly labeled test data. Although this hypothesis and perturbation learning are effective in explaining intriguing properties of adversarial examples, their solid theoretical foundation is limited. In this study, we theoretically explain the counterintuitive success of perturbation learning. We assume wide two-layer networks and the results hold for any data distribution. We prove that adversarial perturbations contain sufficient class-specific features for networks to generalize from them. Moreover, the predictions of classifiers trained on mislabeled adversarial examples coincide with those of classifiers trained on correctly labeled clean samples. The code is available at https://github.com/s-kumano/perturbation-learning.