This paper presents an explanation and method for generating adversarial examples, which are inputs that cause machine learning models to make incorrect predictions. The authors argue that the vulnerability of neural networks to adversarial examples is primarily due to their linear nature, rather than their nonlinearity. They show that even simple linear models can be susceptible to adversarial examples when the input has sufficient dimensionality. This explanation is supported by new quantitative results and provides a first explanation of the generalization of adversarial examples across different architectures and training sets. The authors propose a fast method for generating adversarial examples, called the fast gradient sign method, which involves adding a small perturbation to the input in the direction of the gradient of the cost function. This method is effective in generating adversarial examples that misclassify inputs for a wide variety of models, including neural networks. They demonstrate that adversarial training, which involves training the model on adversarial examples, can provide additional regularization benefits beyond those provided by dropout. The paper also discusses the limitations of adversarial training and the effectiveness of different regularization techniques. It shows that adversarial training can significantly reduce the test error of a maxout network on the MNIST dataset. The authors also compare the performance of different models, including linear models, RBF networks, and deep networks, in terms of their vulnerability to adversarial examples. The paper concludes that the vulnerability of neural networks to adversarial examples is a result of their linear nature and the high-dimensional nature of the input space. It suggests that future research should focus on developing more powerful optimization methods that can successfully train more nonlinear models. The authors also highlight the importance of understanding the limitations of current models and the need for further research into the properties of adversarial examples.This paper presents an explanation and method for generating adversarial examples, which are inputs that cause machine learning models to make incorrect predictions. The authors argue that the vulnerability of neural networks to adversarial examples is primarily due to their linear nature, rather than their nonlinearity. They show that even simple linear models can be susceptible to adversarial examples when the input has sufficient dimensionality. This explanation is supported by new quantitative results and provides a first explanation of the generalization of adversarial examples across different architectures and training sets. The authors propose a fast method for generating adversarial examples, called the fast gradient sign method, which involves adding a small perturbation to the input in the direction of the gradient of the cost function. This method is effective in generating adversarial examples that misclassify inputs for a wide variety of models, including neural networks. They demonstrate that adversarial training, which involves training the model on adversarial examples, can provide additional regularization benefits beyond those provided by dropout. The paper also discusses the limitations of adversarial training and the effectiveness of different regularization techniques. It shows that adversarial training can significantly reduce the test error of a maxout network on the MNIST dataset. The authors also compare the performance of different models, including linear models, RBF networks, and deep networks, in terms of their vulnerability to adversarial examples. The paper concludes that the vulnerability of neural networks to adversarial examples is a result of their linear nature and the high-dimensional nature of the input space. It suggests that future research should focus on developing more powerful optimization methods that can successfully train more nonlinear models. The authors also highlight the importance of understanding the limitations of current models and the need for further research into the properties of adversarial examples.