Deep neural networks have proven remarkably effective at solving many classification problems, but have been criticized recently for two major weaknesses: the reasons behind their predictions are uninterpretable, and the predictions themselves can often be fooled by small adversarial perturbations. These problems pose major obstacles for the adoption of neural networks in domains that require security or transparency. In this work, we evaluate the effectiveness of defenses that differentiably penalize the degree to which small changes in inputs can alter model predictions. Across multiple attacks, architectures, defenses, and datasets, we find that neural networks trained with this input gradient regularization exhibit robustness to transferred adversarial examples generated to fool all of the other models. We also find that adversarial examples generated to fool gradient-regularized models fool all other models equally well, and actually lead to more "legitimate," interpretable misclassifications as rated by people (which we confirm in a human subject experiment). Finally, we demonstrate that regularizing input gradients makes them more naturally interpretable as rationales for model predictions. We conclude by discussing this relationship between interpretability and robustness in deep neural networks.

本研究评估了不同防御机制对神经网络的有效性，发现使用输入梯度规则化训练的神经网络具有抵御小幅度扰动的鲁棒性，并且可以提高预测的可解释性。同时，对这种神经网络产生的误分类可以解释，并进一步讨论了深度神经网络中解释性和鲁棒性之间的关系。

通过约束输入渐变来提高深度神经网络的对抗鲁棒性和可解释性