Please use this identifier to cite or link to this item: https://hdl.handle.net/10356/171336
Title: Investigating the causes of the vulnerability of CNNs to adversarial perturbations: learning objective, model components, and learned representations
Authors: Coppola, Davide
Keywords: Engineering::Computer science and engineering::Computing methodologies::Artificial intelligence
Issue Date: 2023
Publisher: Nanyang Technological University
Source: Coppola, D. (2023). Investigating the causes of the vulnerability of CNNs to adversarial perturbations: learning objective, model components, and learned representations. Master's thesis, Nanyang Technological University, Singapore. https://hdl.handle.net/10356/171336
Abstract: This work focuses on understanding how adversarial perturbations can disrupt the behavior of Convolutional Neural Networks (CNNs). Here, it is hypothesized that some components may be more vulnerable than others, unlike other research that considers a model vulnerable as a whole. Identifying model-specific vulnerabilities can help develop ad hoc defense mechanisms to effectively patch trained models without having to retrain them. For this purpose, analytical frameworks have been developed to serve two purposes: 1) to diagnose trained models and reveal model-specific vulnerabilities; and 2) to understand how the learned hidden representations of a CNN are affected by adversarial perturbations. Empirical results verified that the shallow layers play a major role in the vulnerability of the entire model. Furthermore, it was found that a few channels in the shallow layers are significantly more vulnerable than others in the same layers, highlighting them as the main causes of a model’s weakness to adversarial perturbations.
URI: https://hdl.handle.net/10356/171336
DOI: 10.32657/10356/171336
Schools: School of Computer Science and Engineering
Organisations: Agency for Science, Technology and Research (A*STAR)
Rights: This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License (CC BY-NC 4.0).
Fulltext Permission: embargo_20251018
Fulltext Availability: With Fulltext
Appears in Collections: SCSE Theses

Files in This Item:
File: main_thesis_amended.pdf
Description: Until 2025-10-18
Size: 15.57 MB
Format: Adobe PDF
Under embargo until Oct 18, 2025

Items in DR-NTU are protected by copyright, with all rights reserved, unless otherwise indicated.