Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Frequency maps reveal the correlation between Adversarial Attacks and Implicit Bias

Lorenzo Basile, Nikos Karantzas, Alberto d'Onofrio, Luca Manzoni, Luca Bortolussi, Alex Rodriguez, Fabio Anselmi

TL;DR

The paper investigates the link between neural networks' implicit bias and adversarial vulnerability in Fourier space by learning modulatory frequency maps that isolate essential frequencies for correct classification and for successful misclassification. It demonstrates a strong nonlinear correlation between essential and adversarial frequency maps using high-dimensional metrics like $I_d$Cor$, outperforming linear baselines such as SVCCA. It also shows that class-level variants of these maps can partially revert adversarial attacks, pointing to practical defense directions, albeit with a trade-off in clean accuracy. The findings highlight frequency-domain representations as a promising avenue for understanding robustness and guiding defenses in neural networks.

Abstract

Despite their impressive performance in classification tasks, neural networks are known to be vulnerable to adversarial attacks, subtle perturbations of the input data designed to deceive the model. In this work, we investigate the correlation between these perturbations and the implicit bias of neural networks trained with gradient-based algorithms. To this end, we analyse a representation of the network's implicit bias through the lens of the Fourier transform. Specifically, we identify unique fingerprints of implicit bias and adversarial attacks by calculating the minimal, essential frequencies needed for accurate classification of each image, as well as the frequencies that drive misclassification in its adversarially perturbed counterpart. This approach enables us to uncover and analyse the correlation between these essential frequencies, providing a precise map of how the network's biases align or contrast with the frequency components exploited by adversarial attacks. To this end, among other methods, we use a newly introduced technique capable of detecting nonlinear correlations between high-dimensional datasets. Our results provide empirical evidence that the network bias in Fourier space and the target frequencies of adversarial attacks are highly correlated and suggest new potential strategies for adversarial defence.

Frequency maps reveal the correlation between Adversarial Attacks and Implicit Bias

TL;DR

The paper investigates the link between neural networks' implicit bias and adversarial vulnerability in Fourier space by learning modulatory frequency maps that isolate essential frequencies for correct classification and for successful misclassification. It demonstrates a strong nonlinear correlation between essential and adversarial frequency maps using high-dimensional metrics like Cor$, outperforming linear baselines such as SVCCA. It also shows that class-level variants of these maps can partially revert adversarial attacks, pointing to practical defense directions, albeit with a trade-off in clean accuracy. The findings highlight frequency-domain representations as a promising avenue for understanding robustness and guiding defenses in neural networks.

Abstract

Despite their impressive performance in classification tasks, neural networks are known to be vulnerable to adversarial attacks, subtle perturbations of the input data designed to deceive the model. In this work, we investigate the correlation between these perturbations and the implicit bias of neural networks trained with gradient-based algorithms. To this end, we analyse a representation of the network's implicit bias through the lens of the Fourier transform. Specifically, we identify unique fingerprints of implicit bias and adversarial attacks by calculating the minimal, essential frequencies needed for accurate classification of each image, as well as the frequencies that drive misclassification in its adversarially perturbed counterpart. This approach enables us to uncover and analyse the correlation between these essential frequencies, providing a precise map of how the network's biases align or contrast with the frequency components exploited by adversarial attacks. To this end, among other methods, we use a newly introduced technique capable of detecting nonlinear correlations between high-dimensional datasets. Our results provide empirical evidence that the network bias in Fourier space and the target frequencies of adversarial attacks are highly correlated and suggest new potential strategies for adversarial defence.
Paper Structure (20 sections, 1 equation, 3 figures, 4 tables)

This paper contains 20 sections, 1 equation, 3 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Related work and background
  3. Implicit Bias, Implicit Fourier Bias and Robustness
  4. Adversarial Attacks
  5. Methods
  6. Modulatory Maps
  7. High-dimensional correlation
  8. Experimental results
  9. Data
  10. Models
  11. Attacks
  12. Map training
  13. Correlation between adversarial and essential frequency maps
  14. CIFAR-10
  15. Imagenette
  16. ...and 5 more sections

Figures (3)

  • Figure 1: Examples of CIFAR-10 krizhevsky2009learning images before and after being filtered by the Fourier maps: (A): original input images (B): adversarial images generated with $\ell_\infty$ Fast Minimum Norm pintor2021fast attack on ResNet-20 he2016deep (C): images filtered by essential frequency maps (D): adversarial images filtered by adversarial frequency maps.
  • Figure 2: Schematic representation of the method employed to obtain essential frequency maps and adversarial frequency maps. Only one channel is displayed for visualization purposes. Full details are provided in Sec. \ref{['map_training']}.
  • Figure 3: Examples of essential and adversarial frequency maps, represented as RGB images. The labels refer to the classification of the clean image. The maps were obtained using CIFAR-10 and the Fast Minimum Norm attack on ResNet-20.