
Foveation-based Mechanisms Alleviate Adversarial Examples

Abstract

We show that adversarial examples, i.e. the visually imperceptible perturbations that cause Convolutional Neural Networks (CNNs) to fail, can be alleviated with a mechanism based on foveations: applying the CNN in a different image region. To see this, first, we report results on ImageNet that lead to a revision of the hypothesis that adversarial perturbations are a consequence of CNNs acting as a linear classifier: CNNs act locally linearly to changes in the image regions with objects recognized by the CNN, and in other regions the CNN may act non-linearly. Then, we corroborate that when the neural responses are linear, applying the foveation mechanism to the adversarial example tends to significantly reduce the effect of the perturbation. This is because, hypothetically, the CNNs for ImageNet are robust to changes produced by the foveation (scale and translation of the recognized objects), but this property does not generalize to transformations of the perturbation. Our results show that the accuracy after the foveation is almost the same as the accuracy of the CNN without the adversarial perturbation.
