Neural networks have demonstrated state-of-the-art performance in various machine learning fields. However, inputs carrying small malicious perturbations, known as adversarial examples, have been shown to deceive neural network predictions. This poses potential risks for real-world applications such as autonomous driving and text identification. In order to mitigate these risks, a comprehensive understanding of the mechanisms underlying adversarial examples is essential. In this study, we demonstrate that adversarial perturbations contain human-recognizable information, which is the key conspirator responsible for a neural network's incorrect prediction, in contrast to the widely held belief that human-unidentifiable characteristics play the critical role in fooling a network. This concept of human-recognizable characteristics enables us to explain key features of adversarial perturbations, including their existence, their transferability among different neural networks, and the increased interpretability they bring to adversarial training. We also uncover two unique properties of adversarial perturbations that deceive neural networks: masking and generation. Additionally, a special class, the complementary class, is identified when neural networks classify input images. The presence of human-recognizable information in adversarial perturbations allows researchers to gain insight into the working principles of neural networks and may lead to the development of techniques for detecting and defending against adversarial attacks.
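The following is an added illustration, not code from the paper and not a reproduction of its method: a toy linear softmax classifier over constructed 4x4 "images" with three disjoint class templates, an iterative targeted FGSM attack, and two checks a practitioner would want when reading the abstract's claims: whether the perturbation crafted against one model transfers to a second model trained from a different random initialization, and whether the perturbation itself resembles the target class (bright where the target template is lit, dark where the source template was lit). The templates, hyperparameters, seeds and function names are all assumptions made for this illustration; only the Python standard library is used.

```python
"""Added illustration (not the paper's code): targeted FGSM perturbations on a toy
linear classifier, transfer to a second model, and alignment of the perturbation
with the target class template. All data below is constructed."""
import math
import random

# Constructed toy problem: 4x4 images (16 pixels), three disjoint class templates.
TEMPLATES = [
    {0, 1, 2, 3},      # class 0: top row lit
    {12, 13, 14, 15},  # class 1: bottom row lit
    {5, 6, 9, 10},     # class 2: centre block lit
]
D = 16
K = len(TEMPLATES)


def sgn(v):
    return (v > 0) - (v < 0)


def template_vector(c):
    return [1.0 if i in TEMPLATES[c] else 0.0 for i in range(D)]


def make_dataset(n_per_class, rng, sigma=0.15):
    """Constructed samples: template pixels at 1.0, others 0.0, plus Gaussian noise, clipped to [0, 1]."""
    xs, ys = [], []
    for c, tpl in enumerate(TEMPLATES):
        for _ in range(n_per_class):
            x = [min(1.0, max(0.0, (1.0 if i in tpl else 0.0) + rng.gauss(0.0, sigma)))
                 for i in range(D)]
            xs.append(x)
            ys.append(c)
    return xs, ys


class SoftmaxModel:
    """Linear softmax classifier (logits = W x + b) trained by full-batch gradient descent."""

    def __init__(self, rng):
        self.W = [[rng.uniform(-0.1, 0.1) for _ in range(D)] for _ in range(K)]
        self.b = [0.0] * K

    def logits(self, x):
        return [sum(w * xi for w, xi in zip(self.W[k], x)) + self.b[k] for k in range(K)]

    def probs(self, x):
        z = self.logits(x)
        m = max(z)
        e = [math.exp(v - m) for v in z]
        s = sum(e)
        return [v / s for v in e]

    def predict(self, x):
        z = self.logits(x)
        return max(range(K), key=z.__getitem__)

    def fit(self, xs, ys, epochs=200, lr=0.5):
        n = len(xs)
        for _ in range(epochs):
            gW = [[0.0] * D for _ in range(K)]
            gb = [0.0] * K
            for x, y in zip(xs, ys):
                p = self.probs(x)
                for k in range(K):
                    err = p[k] - (1.0 if k == y else 0.0)  # d(cross-entropy)/d(logit_k)
                    gb[k] += err
                    for i in range(D):
                        gW[k][i] += err * x[i]
            for k in range(K):
                self.b[k] -= lr * gb[k] / n
                for i in range(D):
                    self.W[k][i] -= lr * gW[k][i] / n
        return self

    def input_gradient(self, x, target):
        """Gradient of the cross-entropy loss toward class `target` with respect to the input pixels."""
        p = self.probs(x)
        return [sum((p[k] - (1.0 if k == target else 0.0)) * self.W[k][i] for k in range(K))
                for i in range(D)]


def targeted_fgsm(model, x, target, step=0.1, steps=8):
    """Iterative targeted FGSM: step against the sign of the target-loss gradient, clip to [0, 1].
    The L-inf budget is step * steps; no early stopping, so the final margin is comfortable."""
    x_adv = list(x)
    for _ in range(steps):
        g = model.input_gradient(x_adv, target)
        x_adv = [min(1.0, max(0.0, xi - step * sgn(gi))) for xi, gi in zip(x_adv, g)]
    return x_adv


def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def run_experiment(seed=0, source=0, target=2):
    """Craft a perturbation against model A, then test it on model B, which never saw the attack."""
    rng = random.Random(seed)
    xs, ys = make_dataset(30, rng)
    model_a = SoftmaxModel(random.Random(seed + 1)).fit(xs, ys)
    model_b = SoftmaxModel(random.Random(seed + 2)).fit(xs, ys)  # different init, different weights
    train_acc_a = sum(model_a.predict(x) == y for x, y in zip(xs, ys)) / len(xs)
    x_clean = xs[ys.index(source)]
    x_adv = targeted_fgsm(model_a, x_clean, target)
    delta = [a - c for a, c in zip(x_adv, x_clean)]
    return {
        "train_acc_a": train_acc_a,
        "clean_pred_a": model_a.predict(x_clean),
        "clean_pred_b": model_b.predict(x_clean),
        "adv_pred_a": model_a.predict(x_adv),
        "adv_pred_b": model_b.predict(x_adv),   # transferability check
        "linf": max(abs(d) for d in delta),
        "cos_target": cosine(delta, template_vector(target)),  # perturbation looks like the target
        "cos_source": cosine(delta, template_vector(source)),  # and erases the source evidence
    }


if __name__ == "__main__":
    for k, v in run_experiment().items():
        print(f"{k}: {v}")
```

For a linear model this outcome is exact rather than surprising: the input gradient is a probability-weighted difference of class weight vectors, so the perturbation is by construction a faint copy of the target template minus the source template, and any model that learned similar templates is fooled by it. The abstract's claim is that a similar, human-recognizable structure is present in perturbations against deep networks, where the gradient has no such closed form; the toy only makes the claim concrete, it does not verify it.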