gongzhitaao
commented
6 years ago The MNIST example is only for illustration. For real RGB images, you could make it an adversarial one by changing the color of one pixel. Surely it depends on the data and the model.
RnMss
For a typical example
Human may read it as "4" only because we know it's handwriting. And handwriting is done with a pen, and written by strokes.
If I tell you this is not written by hand, but printed by a printer. You probably tell me it's definitely a "9" not a "4". (And you might use your common sense, that a printer might lack ink.)
If I just tell myself, they are not handwritings, they are prints, ink sprayed on water or paper made of rubber, many examples doesn't look strange anymore.
So the difference is probably in the training data.