
[Deep Learning Paper Notes][Adversarial Examples] Explaining and Harnessing Adversarial Examples


Goodfellow, I. J. "Explaining and Harnessing Adversarial Examples." arXiv preprint arXiv:1412.6572 (2014). (Reference count: 129)

10.3.1 Fast Gradient Sign Method
Suppose we perturb X minimally by adding a small vector \epsilon, giving X + \epsilon. Each of these adjustments is tiny, but aggregated they produce a substantial change in the output.

Goal

Linearize the cost function

See Fig.
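An added example, not code from the paper or from these notes: the fast gradient sign step X + \epsilon · sign(∇_X J) applied to a logistic-regression model, showing that a per-feature change of at most \epsilon shifts the logit by \epsilon · ||w||_1, which grows with the input dimension n. The model, weights, inputs and function names are constructed for illustration.

```python
import math

def sign(v):
    return (v > 0) - (v < 0)

def logit(w, b, x):
    return sum(wi * xi for wi, xi in zip(w, x)) + b

def grad_x_loss(w, b, x, y):
    # Input gradient of J = log(1 + exp(-y * logit)), label y in {-1, +1}.
    s = 1.0 / (1.0 + math.exp(y * logit(w, b, x)))
    return [-y * s * wi for wi in w]

def fgsm(w, b, x, y, eps):
    # X + eps * sign(grad_X J): no feature moves by more than eps.
    return [xi + eps * sign(gi) for xi, gi in zip(x, grad_x_loss(w, b, x, y))]

def worst_case_shift(w, eps):
    # Largest logit change any max-norm-eps perturbation can cause on a linear model.
    return eps * sum(abs(wi) for wi in w)

def constructed_case(n):
    # Constructed toy data (n even): weights alternate +1/-1, clean logit is 2.0 for every n.
    w = [1.0 if i % 2 == 0 else -1.0 for i in range(n)]
    x = [0.5 + (2.0 / n) * wi for wi in w]
    return w, 0.0, x, 1

def run(n, eps=0.01):
    # Returns (clean logit, logit after the FGSM step, worst-case bound).
    w, b, x, y = constructed_case(n)
    x_adv = fgsm(w, b, x, y, eps)
    return logit(w, b, x), logit(w, b, x_adv), worst_case_shift(w, eps)

if __name__ == "__main__":
    for n in (10, 100, 1000):
        clean, adv, bound = run(n)
        print(f"n={n:5d} clean logit={clean:+.2f} adversarial logit={adv:+.2f} bound={bound:.2f}")
```

For a robustness check on a linear model, compare the clean margin with `worst_case_shift`: the prediction at X is stable under every max-norm \epsilon perturbation only when the margin exceeds that bound.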

2 Analysis
CNNs perform well on naturally occurring data, but are exposed as a facade when one explores regions of input space where the probability density of the data distribution is low.

Adversarial examples can be understood as a property of high-dimensional inner products. They arise because models are predominantly linear, not because they are excessively nonlinear. Regularization techniques such as dropout and pretraining do comparatively little to reduce adversarial vulnerability, whereas switching to nonlinear architectures such as radial basis function networks improves resilience against such attacks.

The generalization of adversarial examples across distinct models can be explained by adversarial perturbations being strongly aligned with the weight vectors of a model, and by different neural networks learning comparable functions when trained for the same task.

Training a neural network on both adversarial and clean examples regularizes it to some extent.

In particular, this is not a problem with deep learning as such, and it is not tied to convolutional neural networks specifically. We can expect the same issue with neural networks in other modalities.
