Analysis of Dominant Classes in Universal Adversarial Perturbations
This work provides a theoretical explanation for an observed phenomenon in universal adversarial perturbations, which is significant for researchers and practitioners working on the robustness of deep learning models.
This paper investigates why universal adversarial perturbations (UAPs) cause deep neural networks to misclassify most inputs into a single 'dominant' class, a phenomenon previously observed but unexplained. The authors propose and test hypotheses using a speech command classification task, offering geometric and data-feature-based explanations for this behavior.
The reasons why Deep Neural Networks are susceptible to being fooled by adversarial examples remain an open discussion. Indeed, many different strategies can be employed to efficiently generate adversarial attacks, some of them relying on different theoretical justifications. Among these strategies, universal (input-agnostic) perturbations are of particular interest, due to their capability to fool a network independently of the input to which the perturbation is applied. In this work, we investigate an intriguing phenomenon of universal perturbations, which has been reported previously in the literature, yet without a proven justification: universal perturbations change the predicted classes for most inputs into one particular (dominant) class, even if this behavior is not specified during the creation of the perturbation. In order to justify the cause of this phenomenon, we propose a number of hypotheses and experimentally test them using a speech command classification problem in the audio domain as a testbed. Our analyses reveal interesting properties of universal perturbations, suggest new methods to generate such attacks and provide an explanation of dominant classes, from both a geometric and a data-feature perspective.