On Distinctive Properties of Universal Perturbations
share
We identify properties of universal adversarial perturbations (UAPs) that distinguish them from standard adversarial perturbations. Specifically, we show that targeted UAPs generated by projected gradient descent exhibit two human-aligned properties: semantic locality and spatial invariance, which standard targeted adversarial perturbations lack. We also demonstrate that UAPs contain significantly less signal for generalization than standard adversarial perturbations – that is, UAPs leverage non-robust features to a smaller extent than standard adversarial perturbations.
READ FULL TEXT
