Intriguing Frequency Interpretation of Adversarial Robustness for CNNs and ViTs

TL;DR

This paper explores the frequency characteristics of adversarial examples in CNNs and ViTs, revealing how different frequency components influence model robustness and proposing insights for improving AI security.

Contribution

It provides a novel frequency-based analysis of adversarial examples for CNNs and ViTs, highlighting architecture-specific frequency vulnerabilities and robustness patterns.

Findings

High-frequency components increase the performance gap between adversarial and natural examples.

Model robustness peaks at certain filtered adversarial frequencies before declining.

CNNs are more affected by mid- and high-frequency adversarial components; ViTs by low- and mid-frequency components.

Abstract

Adversarial examples have attracted significant attention over the years, yet understanding their frequency-based characteristics remains insufficient. In this paper, we investigate the intriguing properties of adversarial examples in the frequency domain for the image classification task, with the following key findings. (1) As the high-frequency components increase, the performance gap between adversarial and natural examples becomes increasingly pronounced. (2) The model performance against filtered adversarial examples initially increases to a peak and declines to its inherent robustness. (3) In Convolutional Neural Networks, mid- and high-frequency components of adversarial examples exhibit their attack capabilities, while in Transformers, low- and mid-frequency components of adversarial examples are particularly effective. These results suggest that different network architectures have different frequency preferences and that differences in frequency components between adversarial and natural examples may directly influence model robustness. Based on our findings, we further conclude with three useful proposals that serve as a valuable reference to the AI model security community.