# Analysis of universal adversarial perturbations

@article{MoosaviDezfooli2017AnalysisOU,
  title   = {Analysis of universal adversarial perturbations},
  author  = {Seyed-Mohsen Moosavi-Dezfooli and Alhussein Fawzi and Omar Fawzi and Pascal Frossard and Stefano Soatto},
  journal = {ArXiv},
  year    = {2017},
  volume  = {abs/1705.09554}
}

Deep networks have recently been shown to be vulnerable to universal perturbations: there exist very small image-agnostic perturbations that cause most natural images to be misclassified by such classifiers. In this paper, we propose the first quantitative analysis of the robustness of classifiers to universal perturbations, and draw a formal link between the robustness to universal perturbations, and the geometry of the decision boundary. Specifically, we establish theoretical bounds on the…
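The universal perturbations studied here are single, image-agnostic vectors that fool a classifier on most inputs. The following is a minimal numpy sketch of the general accumulation idea — iterate over images, and whenever the current perturbation fails to change an image's prediction, nudge it toward the decision boundary and project it back onto a norm ball. This is a hypothetical simplification using a toy linear classifier, not the authors' exact DeepFool-based procedure.

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy linear classifier: class = argmax(W @ x). It stands in for a deep
# net; only the gradient computation would change for a real network.
W = rng.normal(size=(3, 10))

def predict(x):
    return int(np.argmax(W @ x))

def universal_perturbation(images, xi=0.5, step=0.1, epochs=5):
    """Accumulate an image-agnostic perturbation v with ||v||_2 <= xi.

    Sketch of the idea behind universal perturbations: whenever x + v is
    still classified like x, step v toward the nearest decision boundary,
    then project back onto the L2 ball of radius xi. (Hypothetical
    simplification of the DeepFool-based construction.)
    """
    v = np.zeros(images.shape[1])
    for _ in range(epochs):
        for x in images:
            if predict(x + v) == predict(x):
                y = predict(x)
                # Direction that shrinks the margin between the current
                # class and its nearest competitor, for this linear model.
                scores = W @ (x + v)
                runner_up = int(np.argsort(scores)[-2])
                g = W[runner_up] - W[y]
                v = v + step * g / (np.linalg.norm(g) + 1e-12)
                n = np.linalg.norm(v)
                if n > xi:
                    v = v * (xi / n)   # project onto the norm ball
    return v

images = rng.normal(size=(20, 10))
v = universal_perturbation(images)
fooled = np.mean([predict(x + v) != predict(x) for x in images])
```

The fooling rate `fooled` measures how image-agnostic the single vector `v` is; the paper's contribution is to bound such rates in terms of the curvature of the decision boundary.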


#### 98 Citations

The Robustness of Deep Networks: A Geometrical Perspective

- Computer Science
- IEEE Signal Processing Magazine
- 2017

The goal of this article is to discuss the robustness of deep networks to a diverse set of perturbations that may affect the samples in practice, including adversarial perturbations, random noise, and geometric transformations.

A geometric perspective on the robustness of deep networks

- 2017

Deep neural networks have recently shown impressive classification performance on a diverse set of visual tasks. When deployed in real-world (noise-prone) environments, it is equally important that…

Fast Universal Adversarial Perturbation

- Computer Science
- 2019 2nd International Conference on Information Systems and Computer Aided Education (ICISCAE)
- 2019

A fast UAP method is proposed, which significantly improves the efficiency of the original UAP approach and generates a universal perturbation in a mini-batch way with respect to a certain deep classifier, based on multiDeepFool, a newly proposed method that computes an adversarial example for a batch of inputs.

Universal Adversarial Training

- Computer Science
- AAAI
- 2020

This work proposes universal adversarial training, which models the problem of robust classifier generation as a two-player min-max game, and produces robust models with only 2X the cost of natural training.

A Method for Computing Class-wise Universal Adversarial Perturbations

- Computer Science, Mathematics
- ArXiv
- 2019

An algorithm for computing class-specific universal adversarial perturbations for deep neural networks that employs a perturbation that is a linear function of weights of the neural network and hence can be computed much faster.

Defense Against Universal Adversarial Perturbations

- Computer Science
- 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition
- 2018

A rigorous evaluation shows that the first dedicated framework of its kind effectively defends network classifiers against unseen adversarial perturbations in real-world scenarios, with up to a 97.5% success rate.

Principal Component Adversarial Example

- Computer Science, Medicine
- IEEE Transactions on Image Processing
- 2020

This paper proposes a new concept, called the adversarial region, which explains the existence of adversarial examples as perturbations perpendicular to the tangent plane of the data manifold, and proposes a novel target-free method to generate adversarial examples via principal component analysis.

A Geometric Perspective on the Transferability of Adversarial Directions

- Computer Science, Mathematics
- AISTATS
- 2019

It is shown that in the context of linear classifiers and two-layer ReLU networks, there provably exist directions that give rise to adversarial perturbations for many classifiers and data points simultaneously, and these "transferable adversarial directions" are guaranteed to exist for linear separators of a given set.

Universal Adversarial Perturbation for Text Classification

- Computer Science, Mathematics
- ArXiv
- 2019

This work proposes an algorithm to compute universal adversarial perturbations, and shows that the state-of-the-art deep neural networks are highly vulnerable to them, even though they keep the neighborhood of tokens mostly preserved.

Understanding Adversarial Examples From the Mutual Influence of Images and Perturbations

- Computer Science
- 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)
- 2020

This work uses the DNN logits as a vector for feature representation, and utilizes this vector representation to understand adversarial examples by disentangling the clean images and adversarial perturbations, and analyze their influence on each other.

#### References


Universal Adversarial Perturbations

- Computer Science, Mathematics
- 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR)
- 2017

The surprising existence of universal perturbations reveals important geometric correlations among the high-dimensional decision boundary of classifiers and outlines potential security breaches with the existence of single directions in the input space that adversaries can possibly exploit to break a classifier on most natural images.

Analysis of classifiers’ robustness to adversarial perturbations

- Computer Science, Mathematics
- Machine Learning
- 2017

A general upper bound on the robustness of classifiers to adversarial perturbations is established, and the phenomenon of adversarial instability is suggested to be due to the low flexibility of classifiers, compared to the difficulty of the classification task (captured mathematically by the distinguishability measure).

Robustness of classifiers: from adversarial to random noise

- Computer Science, Mathematics
- NIPS
- 2016

This paper proposes the first quantitative analysis of the robustness of nonlinear classifiers in this general noise regime, and establishes precise theoretical bounds on the robustness of classifiers, which depend on the curvature of the classifiers' decision boundary.

Exploring the space of adversarial images

- Computer Science
- 2016 International Joint Conference on Neural Networks (IJCNN)
- 2016

This work formalizes the problem of adversarial images given a pretrained classifier, showing that even in the linear case the resulting optimization problem is nonconvex and that a shallow classifier seems more robust to adversarial images than a deep convolutional network.

A Boundary Tilting Persepective on the Phenomenon of Adversarial Examples

- Computer Science, Mathematics
- ArXiv
- 2016

It is shown that the adversarial strength observed in practice is directly dependent on the level of regularisation used, and that the strongest adversarial examples, symptomatic of overfitting, can be avoided by using a proper level of regularisation.

Explaining and Harnessing Adversarial Examples

- Computer Science, Mathematics
- ICLR
- 2015

It is argued that the primary cause of neural networks' vulnerability to adversarial perturbations is their linear nature, supported by new quantitative results while giving the first explanation of the most intriguing fact about them: their generalization across architectures and training sets.
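The linearity argument in this paper motivates the fast gradient sign method (FGSM): perturb each input coordinate by a fixed budget in the sign of the loss gradient. A minimal sketch for a logistic-regression model (chosen here so the gradient is closed-form; a deep net would get it from backprop):

```python
import numpy as np

rng = np.random.default_rng(0)
w, b = rng.normal(size=5), 0.0   # toy logistic-regression parameters

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def fgsm(x, y, eps=0.1):
    """Perturb x by eps in the sign of the cross-entropy gradient w.r.t. x."""
    p = sigmoid(w @ x + b)
    grad_x = (p - y) * w          # d(cross-entropy)/dx for this model
    return x + eps * np.sign(grad_x)

x = rng.normal(size=5)
y = 1.0
x_adv = fgsm(x, y)                # each coordinate moves by at most eps
```

Because the perturbation aligns with the gradient sign, the loss increases despite each coordinate changing by at most `eps` — which is exactly the linear-vulnerability point the paper makes.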

Intriguing properties of neural networks

- Computer Science
- ICLR
- 2014

It is found that there is no distinction between individual high-level units and random linear combinations of high-level units, according to various methods of unit analysis, and it is suggested that it is the space, rather than the individual units, that contains the semantic information in the high layers of neural networks.

Exponential expressivity in deep neural networks through transient chaos

- Mathematics, Computer Science
- NIPS
- 2016

The theoretical analysis of the expressive power of deep networks broadly applies to arbitrary nonlinearities, and provides a quantitative underpinning for previously abstract notions about the geometry of deep functions.

Network In Network

- Computer Science
- ICLR
- 2014

With enhanced local modeling via the micro network, the proposed deep network structure NIN is able to utilize global average pooling over feature maps in the classification layer, which is easier to interpret and less prone to overfitting than traditional fully connected layers.
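Global average pooling, the classification-head idea from Network In Network, reduces each feature map to one scalar by averaging over its spatial dimensions. A minimal numpy sketch:

```python
import numpy as np

def global_average_pool(feature_maps):
    """Global average pooling: feature_maps has shape (channels, H, W);
    each channel's spatial grid is averaged into a single scalar, so the
    output has shape (channels,). This replaces a fully connected head."""
    return feature_maps.mean(axis=(1, 2))

fmaps = np.arange(2 * 3 * 3, dtype=float).reshape(2, 3, 3)
pooled = global_average_pool(fmaps)   # -> array([ 4., 13.])
```

With one output per channel, the final feature maps act directly as per-class confidence maps, which is why the paper describes GAP as easier to interpret and less prone to overfitting.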

On the Number of Linear Regions of Deep Neural Networks

- Computer Science, Mathematics
- NIPS
- 2014

We study the complexity of functions computable by deep feedforward neural networks with piecewise linear activations in terms of the symmetries and the number of linear regions that they have. Deep…