TY - JOUR
T1 - Understanding adversarial robustness via critical attacking route
AU - Li, Tianlin
AU - Liu, Aishan
AU - Liu, Xianglong
AU - Xu, Yitao
AU - Zhang, Chongzhi
AU - Xie, Xiaofei
N1 - Funding Information:
This work was supported by The National Key Research and Development Plan of China (2019AAA0103502), National Natural Science Foundation of China (61872021), Beijing Nova Program of Science and Technology (Z191100001119050), State Key Lab of Software Development Environment (SKLSDE-2020ZX-06) and Fundamental Research Funds for Central Universities (YWF-20-BJ-J-646).
Publisher Copyright:
© 2020 The Author(s)
PY - 2021/2/8
Y1 - 2021/2/8
N2 - Deep neural networks (DNNs) are vulnerable to adversarial examples, which are generated by adding imperceptible perturbations to inputs. Understanding the adversarial robustness of DNNs has become an important issue, which would in turn lead to better practical deep learning applications. To address this issue, we try to explain adversarial robustness for deep models from the new perspective of the critical attacking route, which is computed by a gradient-based influence propagation strategy. Similar to rumor spreading in social networks, we believe that adversarial noise is amplified and propagated along the critical attacking route. By exploiting neurons’ influences layer by layer, we compose the critical attacking route from the neurons that make the highest contributions to the model decision. In this paper, we first draw a close connection between adversarial robustness and the critical attacking route, as the route makes the most non-trivial contributions to model predictions in the adversarial setting. By constraining the propagation process and node behaviors on this route, we can weaken the noise propagation and improve model robustness. Also, we find that critical attacking neurons are useful for evaluating sample adversarial hardness: images with higher stimulus on these neurons are easier to perturb into adversarial examples.
AB - Deep neural networks (DNNs) are vulnerable to adversarial examples, which are generated by adding imperceptible perturbations to inputs. Understanding the adversarial robustness of DNNs has become an important issue, which would in turn lead to better practical deep learning applications. To address this issue, we try to explain adversarial robustness for deep models from the new perspective of the critical attacking route, which is computed by a gradient-based influence propagation strategy. Similar to rumor spreading in social networks, we believe that adversarial noise is amplified and propagated along the critical attacking route. By exploiting neurons’ influences layer by layer, we compose the critical attacking route from the neurons that make the highest contributions to the model decision. In this paper, we first draw a close connection between adversarial robustness and the critical attacking route, as the route makes the most non-trivial contributions to model predictions in the adversarial setting. By constraining the propagation process and node behaviors on this route, we can weaken the noise propagation and improve model robustness. Also, we find that critical attacking neurons are useful for evaluating sample adversarial hardness: images with higher stimulus on these neurons are easier to perturb into adversarial examples.
UR - http://www.scopus.com/inward/record.url?scp=85090237742&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85090237742&partnerID=8YFLogxK
U2 - 10.1016/j.ins.2020.08.043
DO - 10.1016/j.ins.2020.08.043
M3 - Article
AN - SCOPUS:85090237742
SN - 0020-0255
VL - 547
SP - 568
EP - 578
JO - Information Sciences
JF - Information Sciences
ER -
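
The abstract's "gradient-based influence propagation strategy" selects, layer by layer, the neurons that contribute most to the model decision. Below is a minimal PyTorch sketch of that idea only, assuming a gradient-times-activation contribution score; the function name select_critical_route, the chosen layers, and all parameters are illustrative assumptions, not the authors' implementation.

    import torch

    def select_critical_route(model, layers, x, target_class, top_k=10):
        # Rank neurons in each monitored layer by |gradient * activation| with
        # respect to the target logit and keep the top_k contributors per layer.
        # Assumes model parameters require gradients (standard training setup).
        activations, handles = {}, []

        def save_activation(name):
            def hook(module, inputs, output):
                output.retain_grad()            # keep grads of this intermediate tensor
                activations[name] = output
            return hook

        for name, layer in layers.items():
            handles.append(layer.register_forward_hook(save_activation(name)))

        logits = model(x.unsqueeze(0))          # x: a single input tensor (no batch dim)
        model.zero_grad()
        logits[0, target_class].backward()

        route = {}
        for name, act in activations.items():
            g = (act.grad * act).abs().squeeze(0)                   # per-unit contribution
            contrib = g if g.dim() == 1 else g.flatten(1).sum(-1)   # sum spatial dims for conv maps
            route[name] = torch.topk(contrib, min(top_k, contrib.numel())).indices.tolist()

        for h in handles:
            h.remove()
        return route

    # Hypothetical usage with a torchvision ResNet:
    # route = select_critical_route(resnet, {"layer3": resnet.layer3, "layer4": resnet.layer4},
    #                               img, label, top_k=10)

The returned per-layer neuron indices could then, in the spirit of the abstract, be used to constrain or regularize those units so that adversarial noise propagated along the route is weakened; the exact constraint used in the paper is not reproduced here.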