On Distinctive Properties of Universal Perturbations
This work provides insights into adversarial robustness for machine learning security applications, though it appears incremental in nature.
The paper investigates distinctive properties of universal adversarial perturbations (UAPs), showing they exhibit semantic locality and spatial invariance unlike standard adversarial perturbations, and contain significantly less signal for generalization.
We identify properties of universal adversarial perturbations (UAPs) that distinguish them from standard adversarial perturbations. Specifically, we show that targeted UAPs generated by projected gradient descent exhibit two human-aligned properties: semantic locality and spatial invariance, which standard targeted adversarial perturbations lack. We also demonstrate that UAPs contain significantly less signal for generalization than standard adversarial perturbations -- that is, UAPs leverage non-robust features to a smaller extent than standard adversarial perturbations.