A common observation regarding adversarial attacks is that they mostly give rise to false activation at the penultimate layer to fool the classifier. Assuming that these activation values correspond to certain features of the input, the objective becomes choosing the features that are most useful for classification. Hence, we propose a novel approach to identify the important features by employing counter-adversarial attacks, which highlights the consistency at the penultimate layer with respect to perturbations on input samples. First, we empirically show that there exist a subset of features, classification based in which bridge the gap between the clean and robust accuracy. Second, we propose a simple yet efficient mechanism to identify those features by searching the neighborhood of input sample. We then select features by observing the consistency of the activation values at the penultimate layer.
翻译:关于对抗性攻击的一个共同看法是,它们大多在倒数第二层引起虚假的激活,以愚弄分类者。假设这些激活值与输入的某些特征相符,那么目标就将开始选择对分类最有用的特征。因此,我们提出一种新的办法,通过使用对抗性攻击来识别重要特征,这突出倒数第二层在输入样品扰动方面的一致性。首先,我们从经验上表明,存在一组特征,即缩小清洁和稳健准确性之间差距的分类。第二,我们提出一个简单而有效的机制,通过搜索输入样本的周边来识别这些特征。然后,我们通过观察倒数第二层的激活值的一致性来选择特征。