"Deep Neural Networks Are Easily Fooled" is a paper that highlights the vulnerability of deep neural networks (DNNs) to adversarial examples. The authors explain that adversarial examples are input samples that are intentionally designed to cause the network to misclassify them. These examples are created by adding small perturbations to the input data, which are usually imperceptible to humans but can have a significant impact on the network's output. The authors conducted several experiments to demonstrate the vulnerability of DNNs to adversarial examples. In one experiment, they showed that adding small perturbations to an image of a panda can cause the network to misclassify it as a gibbon with high confidence. Another experiment involved creating a digital image that the network classified as a school bus with high confidence, but which to humans appeared to be a random pattern of pixels. The authors also explored the nature of adversarial examples and their impact on DNNs. They discovered that adversarial examples are not random noise, but rather, they contain structured patterns that exploit the vulnerabilities of the network. The authors also showed that adversarial examples are not specific to any particular architecture or training algorithm, but are a fundamental property of DNNs. The paper's findings have important implications for the security and reliability of DNNs, especially in applications such as autonomous driving, facial recognition, and fraud detection. The authors suggest that future research should focus on developing more robust and resilient models that are less susceptible to adversarial examples. Additionally, the authors propose that understanding the fundamental properties of DNNs that make them vulnerable to these attacks is crucial for designing better models and enhancing their security. Overall, "Deep Neural Networks Are Easily Fooled" is a significant paper that has contributed to the advancement of the field of machine learning. It has inspired research into developing more robust and secure models, and it has highlighted the need to explore the fundamental properties of DNNs to better understand their vulnerabilities.

1. Deep Neural Networks Are Easily Fooled:
High Confidence Predictions for Unrecognizable Images
Nguyen et al., CVPR15
Reporter：Yanhua Si

2. Human vs. Computer Object Recognition
Given the near-human ability
of DNNs to classify objects,
what differences remain
between human and computer
vision?

3. Experimental setup
1. LeNet model trained on MNIST dataset– “MNIST DNN”
2. AlexNet DNN trained on ImageNet dataset- ”ImageNet
DNN” (larger dataset, bigger network)

4. Evolution Algorithms (EA)

5. Direct Encoding
Grayscale values for MNIST, HSV values for ImageNet.
Each pixel value is initialized with uniform random
noise within the [0, 255] range. Those numbers are
independently mutated.

6. Direct Encoding
Random
Grayscale
Images
Mutate/Cro
ssover
pixels
directly

7. Indirect encoding -CPNN (Compositional
Pattern-Producing Network) Encoding

This encoding is more likely to produce “Regular” images – e.g.
contains symmetry and repetition

Similar to ANNs, but with different nonlinear functions.

8. CPNN (Compositional Pattern-Producing
Network) Encoding
CPNN with
no hidden
layers
Changing
CPNN
parameters

9. Images produced by a CPPN-encoded EA

10. Fooling images via Gradient Ascent
Following the direction of gradient of the posterior probability
for a specific class

11. Results – MNIST
In less than 50 generations, each run of
evolution produces unrecognizable
images classified by MNIST DNNs with ≥
99.99% confidence.
MNIST DNNs labelled unrecognizable images as
digits with 99.99% confidence after only a few
generations.

12. Results – ImageNet Dataset
Even after 20,000 generations,
evolution failed to produce high-
confidence images for many
categories, but produced images
with ≥ 99% confidence for 45
categories. 21.59% Median
Confidence
Directly encoded EA
Many images with DNN
confidence scores ≥99.99%, but
that are unrecognizable. After
5000 generations, Median
Confidence score is 88.11%,
similar to that for natural images
CPNN Encoding

13. CPNN Encoding on ImageNet
Evolution produces images which has most discriminative features of a class.

14. CPNN Encoding on ImageNet
 Many images are related to each other phylogenetically,
which leads evolution to produce similar images for closely
related categories.
 Different runs of evolution produce different image types.

15. Repetition Ablation Study
To test whether repetition
improves the confidence
scores, some of the repeated
elements were ablated.
In many images, ablation leaded to a small performance
drop

16. Do different DNNs learn the same
discriminative features?
•

17. Adding “Fooling Images” class
It is easier to learn to tell CPPN images apart from natural images than it is to tell CPPN
images from MNIST digits.