A Fourier Perspective of Feature Extraction and Adversarial Robustness
Authors: Liangqi Zhang, Yihao Luo, Haibo Shen, Tianjiang Wang
IJCAI 2024 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We experimentally show that contrary to the low-frequency bias of neural networks, the effective features of the same class are distributed across all frequency bands. Meanwhile, the high-frequency features often dominate when the neural networks make conflicting decisions on different frequency features. Furthermore, the attack experiments show that the low-frequency features are more robust to the attacks on different frequencies, but the interference to the high frequencies makes the network unable to make the right decision. Our experiments are mainly conducted on the ImageNet dataset. |
| Researcher Affiliation | Academia | Liangqi Zhang¹, Yihao Luo², Haibo Shen¹ and Tianjiang Wang¹ — ¹Huazhong University of Science and Technology, ²Yichang Testing Technique R&D Institute; {zhangliangqi, luoyihao, shenhaibo, tjwang}@hust.edu.cn |
| Pseudocode | Yes | Our algorithm is based on PGD and removes specific frequency components of the perturbation δt by applying a mask to its frequency spectrum FFT(δt), and reconstructs the gradient by applying the IFFT on the masked spectrum. Specifically, the mask $M \in \{0,1\}^{d \times d}$ is a two-dimensional matrix, and the mask operation is done by element-wise product $\odot$. In our work, we consider the $l_\infty$-norm, and the algorithm that attacks frequencies $f \subseteq F$ performs a T-step attack with a small step size $\alpha = \epsilon/T$: $\delta_t = \nabla_{x_t} L(x_t, y; \theta)$ (7), $\delta_t^f = \mathcal{F}^{-1}(\mathcal{F}(\delta_t) \odot M)$ (8), $x_{t+1} = \mathrm{clip}_{x,\epsilon}\big(x_t + \alpha \, \mathrm{sign}(\delta_t^f)\big)$ (9). Note that the non-linear sign and clip operators alias some passed information into other frequencies, and so the perturbations are not strictly contained in the frequency band, as shown in Fig 2. These non-linear operations lead to large effects in many cases, so we relax the $l_\infty$-norm by restricting the mean of the perturbation to be equal to $\alpha$ at each update: $x_{t+1} = x_t + \alpha \, \frac{\mathrm{card}(g_t^f)}{\lVert g_t^f \rVert_1} \, g_t^f$ (10). (A runnable sketch of this procedure is given after the table.) |
| Open Source Code | No | The paper does not contain any statements offering access to open-source code for the described methodology, nor does it provide a repository link. |
| Open Datasets | Yes | Our experiments are mainly conducted on the ImageNet dataset [Deng et al., 2009], which has a wider frequency range and is closer to the real world observed by human eyes than the MNIST and CIFAR10 datasets. |
| Dataset Splits | No | The paper mentions using ImageNet and retraining models, but it does not specify explicit percentages or counts for training, validation, and test dataset splits. |
| Hardware Specification | No | The paper does not provide specific hardware details (e.g., GPU/CPU models, memory) used for running the experiments. |
| Software Dependencies | No | The paper mentions using Fast Fourier Transform (FFT) and models like Mobile Net V1 1.0, but it does not provide specific version numbers for software dependencies or libraries crucial for replication. |
| Experiment Setup | Yes | In our work, we consider the $l_\infty$-norm, and the algorithm that attacks frequencies $f \subseteq F$ performs a T-step attack with a small step size $\alpha = \epsilon/T$: ... $x_{t+1} = x_t + \alpha \, \frac{\mathrm{card}(g_t^f)}{\lVert g_t^f \rVert_1} \, g_t^f$ (10) ... F-PGD-L attack on samples which have stable low-frequency features, $\epsilon = 3/255$. |
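
The paper describes the frequency-restricted attack only through Eqs. (7)-(9) and does not release code, so the following is a minimal PyTorch sketch of one frequency-masked PGD step as quoted in the Pseudocode row. The function names (`make_band_mask`, `f_pgd_step`) and the radial band-pass form of the mask are our own assumptions, not the authors' implementation.

```python
# Minimal sketch of the frequency-masked PGD step (Eqs. 7-9).
# Illustrative reconstruction only; names and mask shape are assumptions.
import torch
import torch.nn.functional as F


def make_band_mask(h, w, low, high, device="cpu"):
    """Binary mask M in {0,1}^{h x w} keeping (centered) frequencies whose
    radial distance from the DC component lies in [low, high)."""
    ys = torch.arange(h, device=device) - h // 2
    xs = torch.arange(w, device=device) - w // 2
    radius = torch.sqrt(ys[:, None].float() ** 2 + xs[None, :].float() ** 2)
    return ((radius >= low) & (radius < high)).float()


def f_pgd_step(model, x, y, x_orig, mask, alpha, eps):
    """One step: gradient (Eq. 7), keep only the masked frequency band of it
    (Eq. 8), then a signed step clipped to the eps-ball around x_orig (Eq. 9)."""
    x = x.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(x), y)
    grad = torch.autograd.grad(loss, x)[0]                      # Eq. (7)

    spec = torch.fft.fftshift(torch.fft.fft2(grad), dim=(-2, -1))
    spec = spec * mask                                          # FFT(delta_t) ⊙ M
    grad_f = torch.fft.ifft2(
        torch.fft.ifftshift(spec, dim=(-2, -1))).real           # Eq. (8)

    x_adv = x + alpha * grad_f.sign()                           # Eq. (9)
    x_adv = torch.min(torch.max(x_adv, x_orig - eps), x_orig + eps)
    return x_adv.clamp(0, 1).detach()
```

In use, this step would be repeated T times with step size α = ε/T, with `mask` selecting whichever frequency band f is under attack; the `sign` and clip operations are exactly what the paper notes will alias some energy outside the chosen band.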
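Equation (10) relaxes the $l_\infty$ constraint by rescaling the frequency-filtered gradient so that the mean magnitude of each update equals α. Continuing the sketch above (same caveats: hypothetical names, per-sample normalization and clamping to [0, 1] are our assumptions), the relaxed update could look like:

```python
def relaxed_f_pgd_step(x, grad_f, alpha):
    """Eq. (10): x_{t+1} = x_t + alpha * card(g_f) / ||g_f||_1 * g_f,
    so the mean absolute perturbation of each step equals alpha.
    Assumes a 4D image batch (B, C, H, W) with pixel values in [0, 1]."""
    card = grad_f[0].numel()                            # elements per sample (C*H*W)
    l1 = grad_f.flatten(1).abs().sum(dim=1).clamp_min(1e-12)
    scale = alpha * card / l1                           # one scale per sample
    return (x + scale.view(-1, 1, 1, 1) * grad_f).clamp(0, 1).detach()
```

Because the rescaling is linear, this variant avoids the aliasing introduced by the non-linear `sign` and clip operators, which is the motivation the paper gives for the relaxation.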