Characterizing Adversarial Samples of Convolutional Neural Networks

Abstract

Adversarial samples aim to make deep convolutional neural networks predict incorrectly under small perturbations. This paper investigates non-targeted adversarial samples of convolutional neural networks and makes a primitive attempt to characterize adversarial samples. Two observations are made: first, adversarial perturbations are mainly in the high-frequency domain; second, adversarial categories usually have strong semantic relevance to the original categories. Our two observations provide a solid basis to understand the behavior of convolutional neural networks and thus to improve their robustness against adversarial samples.