Highlights

The authors find two properties of neural networks.

There is no distinction between individual high-level units and random linear combinations of high-level units.
Existence and transferability of adversarial examples.

On the units

Let $x \in \mathbb{R}^m$ be an input image and $\phi(x)$ the activation values of some layer. One can look at what inputs maximize the features of $\phi(x)$ , that is:

The authors find that many images that satisfy

are semantically related to each other, where $v$ is a random vector.

This puts into question the notion that neural networks disentangle variation factors across coordinates.

Adversarial examples

Let $f:\mathbb{R}^m \to \{1,...,k \}$ be a classifier with an associated loss function. For a given input $x \in \mathbb{R}^m$ and target label $l \in \{1,...,k \}$ , the aim is to solve

The minimizer is denoted $D(x,l)$ . This task is non-trivial only if $f(x) \not= l$ . The authors find an approximation of $D(x,l)$ by line-search to find the minimum $c>0$ for which the minimum $r$ of the following problems atisfies $f(x+r)=l$ .

In the convex case this yields the exact solution.

Experiments

Existence of adversarial examples

Adversarial examples transfer to other architectures trained from scratch with different hyperparameters:

Adversarial examples transfer to other architectures trained on a disjoint training set:

Adding random noise to the input images is not as effective to misclassify samples when compared to adversarial examples generation:

Theoretical analysis

Conclusion

The semantic meaning of activations of neurons is not meaningful since random directions in feature space present similar properties.
Adversarial examples can be found for any neural network, they transfer across architectures trained with different hyperparameters and even different data sets.