Adversarial examples have raised several open questions, such as why they can deceive classifiers and transfer between different models. A prevailing hypothesis to explain these phenomena suggests that adversarial perturbations appear as random noise but contain class-specific features. This hypothesis is supported by the success of perturbation learning, where classifiers trained solely on adversarial examples and the corresponding incorrect labels generalize well to correctly labeled test data. Although this hypothesis and perturbation learning are effective in explaining intriguing properties of adversarial examples, their solid theoretical foundation is limited. In this study, we theoretically explain the counterintuitive success of perturbation learning. We assume wide two-layer networks and the results hold for any data distribution. We prove that adversarial perturbations contain sufficient class-specific features for networks to generalize from them. Moreover, the predictions of classifiers trained on mislabeled adversarial examples coincide with those of classifiers trained on correctly labeled clean samples. The code is available at https://github.com/s-kumano/perturbation-learning.

本研究解决了对抗样本为何能够欺骗分类器以及跨模型转移的问题，提出了一种理论解释，认为对抗扰动蕴含了足够的类别特征，使得宽双层网络可以有效泛化。此外，研究发现，基于错误标签的对抗样本训练的分类器，其预测结果与基于正确标签的干净样本训练的分类器一致。这一发现为对抗学习提供了更坚实的理论基础。

宽双层网络可以从对抗扰动中学习