Adversarial attacks (AAs) pose a significant threat to the reliability and robustness of deep neural networks. While the impact of these attacks on model predictions has been extensively studied, their effect on the learned representations and concepts within these models remains largely unexplored. In this work, we perform an in-depth analysis of the influence of AAs on the concepts learned by convolutional neural networks (CNNs) using eXplainable artificial intelligence (XAI) techniques. Through an extensive set of experiments across various network architectures and targeted AA techniques, we unveil several key findings. First, AAs induce substantial alterations in the concept composition within the feature space, introducing new concepts or modifying existing ones. Second, the adversarial perturbation itself can be linearly decomposed into a set of latent vector components, with a subset of these being responsible for the attack's success. Notably, we discover that these components are target-specific, i.e., are similar for a given target class throughout different AA techniques and starting classes. Our findings provide valuable insights into the nature of AAs and their impact on learned representations, paving the way for the development of more robust and interpretable deep learning models, as well as effective defenses against adversarial threats.

翻译：对抗性攻击（AAs）对深度神经网络的可靠性和鲁棒性构成重大威胁。虽然这些攻击对模型预测的影响已被广泛研究，但它们对模型内部学习表征和概念的影响仍未得到充分探索。本研究利用可解释人工智能（XAI）技术，深入分析了对抗性攻击对卷积神经网络（CNNs）所学概念的影响。通过在多种网络架构和针对性对抗攻击技术下的广泛实验，我们揭示了几项关键发现。首先，对抗性攻击会在特征空间内引发概念构成的实质性改变，引入新概念或修改现有概念。其次，对抗扰动本身可被线性分解为一组潜在向量分量，其中部分分量负责攻击的成功实现。值得注意的是，我们发现这些分量具有目标特异性——即对于同一目标类别，无论采用何种对抗攻击技术或起始类别，这些分量均表现出相似性。我们的发现为了解对抗性攻击的本质及其对学习表征的影响提供了宝贵见解，为开发更鲁棒、更可解释的深度学习模型，以及针对对抗威胁的有效防御策略铺平了道路。