Distilling Robust and Non-Robust Features in Adversarial Examples by Information Bottleneck
This addresses the vulnerability of machine learning models to adversarial attacks, which is a critical security issue, but the approach is incremental as it builds on existing theories about robust and non-robust features.
The paper tackled the problem of adversarial examples by proposing a method to explicitly distill robust and non-robust features using Information Bottleneck, demonstrating that these features correlate with adversarial predictions and have semantic information, and introducing an attack mechanism that breaks model robustness.
Adversarial examples, generated by carefully crafted perturbation, have attracted considerable attention in research fields. Recent works have argued that the existence of the robust and non-robust features is a primary cause of the adversarial examples, and investigated their internal interactions in the feature space. In this paper, we propose a way of explicitly distilling feature representation into the robust and non-robust features, using Information Bottleneck. Specifically, we inject noise variation to each feature unit and evaluate the information flow in the feature representation to dichotomize feature units either robust or non-robust, based on the noise variation magnitude. Through comprehensive experiments, we demonstrate that the distilled features are highly correlated with adversarial prediction, and they have human-perceptible semantic information by themselves. Furthermore, we present an attack mechanism intensifying the gradient of non-robust features that is directly related to the model prediction, and validate its effectiveness of breaking model robustness.