Adversarial Adaptive Neighborhood With Feature Importance-Aware Convex Interpolation
IEEE Transactions on Information Forensics and Security (IF 6.8), Pub Date: 2020-12-28, DOI: 10.1109/tifs.2020.3047752
Qian Li, Yong Qi, Qingyuan Hu, Saiyu Qi, Yun Lin, Jin Song Dong

Adversarial examples threaten to fool deep learning models to output erroneous predictions with high confidence. Optimization-based methods for constructing such samples have been extensively studied. While being effective in terms of aggression, they typically lack clear interpretation and constraint about their underlying generation process, which thus hinders us from leveraging the produced adversarial samples for model protection in the reverse direction. Hence, we expect them to repair bugs in the pre-trained models by producing additional training data equipped with strong attack ability rather than time-consuming full re-training from scratch. To address these issues, we first study the black-box behaviors and the intrinsic deficiency of neighborhood information in previous optimization-based adversarial attacks and defenses, respectively. Then we introduce a new method dubbed FeaCP, which uses correctly predicted samples in disjoint classes to guide the generation of more explainable adversarial samples in the ambiguous region around the decision boundary instead of uncontrolled “blind spots”, via convex combination in a feature component-wise manner which takes the individual importance of feature ingredients into account. Our method incorporates the prior fact that for well-separated samples, the path connecting them would go through the model’s decision boundary that lies in a low-density region, however, wherein adversarial examples are spread with high probability, thus having an impact on the ultimate trained model. In our work, the path is constructed by the proposed inhomogeneous feature-wise convex interpolation rather than operating on a sample-wise level, limiting the search space of FeaCP to obtain an adaptive neighborhood. Finally, we provide detailed insights and extend our method to adversarial fine-tuning using vicinity distribution to optimize the approximated decision boundary, and validate the significance of our FeaCP to model performance. The experimental results show that our method provides competitive performance on various datasets and networks.

Updated: 2021-02-23