• Corpus ID: 21929206

A Rotation and a Translation Suffice: Fooling CNNs with Simple Transformations

@article{Engstrom2017ARA,
  title={A Rotation and a Translation Suffice: Fooling CNNs with Simple Transformations},
  author={Logan Engstrom and Dimitris Tsipras and Ludwig Schmidt and Aleksander Madry},
  journal={ArXiv},
  year={2017},
  volume={abs/1712.02779}
}
Recent work has shown that neural network-based vision classifiers exhibit a significant vulnerability to misclassifications caused by imperceptible but adversarial perturbations of their inputs. These perturbations, however, are purely pixel-wise and built out of loss function gradients of either the attacked model or its surrogate. As a result, they tend to look artificial and contrived. This might suggest that vulnerability to misclassification of slight input perturbations can only…
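The attack named in the title needs no gradients at all: because the transformation space is only three-dimensional (one rotation angle and two translation offsets), an exhaustive grid search over it is tractable. The sketch below is a minimal, hedged illustration of such a grid-search attack, assuming a PyTorch image classifier; the function name, grid ranges, and helper calls are illustrative choices, not the paper's exact settings.

# Minimal sketch of a rotation-and-translation attack via grid search.
# Assumes `model` maps a (1, C, H, W) float tensor to logits; the grid
# ranges below are illustrative, not the paper's exact settings.
import itertools
import torch
import torchvision.transforms.functional as TF

def rot_trans_attack(model, image, label,
                     angles=range(-30, 31, 5),   # rotation angles in degrees
                     shifts=range(-3, 4, 1)):    # translations in pixels
    """Return (adversarial image, transform) that the model misclassifies,
    or None if no transform on the grid changes the prediction."""
    model.eval()
    with torch.no_grad():
        for angle, dx, dy in itertools.product(angles, shifts, shifts):
            candidate = TF.affine(image, angle=float(angle),
                                  translate=[dx, dy], scale=1.0, shear=[0.0])
            if model(candidate).argmax(dim=1).item() != label:
                return candidate, (angle, dx, dy)
    return None

Because the search enumerates the whole grid, it finds a fooling transform whenever one exists on that grid, which makes such simple transformations a convenient worst-case probe of spatial robustness.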
Quantifying Perceptual Distortion of Adversarial Examples
TLDR
This work presents and employs a unifying framework fusing different attack styles to demonstrate the value of quantifying the perceptual distortion of adversarial examples, and performs adversarial training using attacks generated by the framework to demonstrate that networks are only robust to the classes of adversarial perturbations they have been trained against.
Semantic Adversarial Attacks: Parametric Transformations That Fool Deep Classifiers
TLDR
This paper proposes a novel approach to generate semantic adversarial examples by optimizing a particular adversarial loss over the range-space of a parametric conditional generative model, and demonstrates implementations of this approach on binary classifiers trained on face images.
Adversarial Attacks Beyond the Image Space
TLDR
Though image-space adversaries can be interpreted as per-pixel albedo change, it is verified that they cannot be well explained along these physically meaningful dimensions, which often have a non-local effect.
Achieving Robustness in the Wild via Adversarial Mixing With Disentangled Representations
  • Sven Gowal, Chongli Qin, +4 authors P. Kohli
  • Computer Science, Mathematics
    2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)
  • 2020
TLDR
This paper uses the disentangled latent representations computed by a StyleGAN model to generate perturbations of an image that are similar to real-world variations, and trains models to be invariant to these perturbations.
Deceiving Image-to-Image Translation Networks for Autonomous Driving With Adversarial Perturbations
TLDR
This letter proposes both quasi-physical and digital adversarial perturbations that can make Im2Im models yield unexpected results, and empirically analyzes these perturbations to show that they generalize well under both paired settings for image synthesis and unpaired settings for style transfer.
Robustness and Generalization via Generative Adversarial Training
TLDR
This paper presents Generative Adversarial Training, an approach to simultaneously improve the model’s generalization to the test set and out-of-domain samples as well as its robustness to unseen adversarial attacks, and demonstrates the effectiveness of the method with results on various tasks such as classification, segmentation, and object detection.
Semantic Adversarial Perturbations using Learnt Representations
TLDR
This work introduces a novel method for the construction of a rich new class of semantic adversarial examples that perturbs the pose, location, size, shape, colour and texture of the objects in an image without manual encoding of these concepts.
Imperceptible Adversarial Examples by Spatial Chroma-Shift
TLDR
A spatial transformation based perturbation method to create adversarial examples by only modifying the color components of an input image is proposed and human visual perception studies validate that the examples are more natural looking and often indistinguishable from their original counterparts.
PERCEPTUAL DEEP NEURAL NETWORKS: ADVER-
  • 2020
Adversarial examples have shown that albeit highly accurate, models learned by machines, differently from humans, have many weaknesses. However, humans’ perception is also fundamentally different
A General Framework for Adversarial Examples with Objectives
TLDR
This article proposes adversarial generative nets (AGNs), a general methodology to train a generator neural network to emit adversarial examples satisfying desired objectives, and demonstrates the ability of AGNs to accommodate a wide range of objectives, including imprecise ones difficult to model, in two application domains.

References

SHOWING 1-10 OF 38 REFERENCES
Detecting Adversarial Samples from Artifacts
TLDR
This paper investigates model confidence on adversarial samples by looking at Bayesian uncertainty estimates, available in dropout neural networks, and by performing density estimation in the subspace of deep features learned by the model, and results show a method for implicit adversarial detection that is oblivious to the attack algorithm.
Explaining and Harnessing Adversarial Examples
TLDR
It is argued that the primary cause of neural networks' vulnerability to adversarial perturbation is their linear nature, supported by new quantitative results while giving the first explanation of the most intriguing fact about them: their generalization across architectures and training sets.
Spatially Transformed Adversarial Examples
TLDR
Perturbations generated through spatial transformation could result in large $\mathcal{L}_p$ distance measures, but the extensive experiments show that such spatially transformed adversarial examples are perceptually realistic and more difficult to defend against with existing defense systems.
Certified Defenses against Adversarial Examples
TLDR
This work proposes a method based on a semidefinite relaxation that outputs a certificate that for a given network and test input, no attack can force the error to exceed a certain value, providing an adaptive regularizer that encourages robustness against all attacks.
Synthesizing Robust Adversarial Examples
TLDR
The existence of robust 3D adversarial objects is demonstrated, and the first algorithm for synthesizing examples that are adversarial over a chosen distribution of transformations is presented, which synthesizes two-dimensional adversarial images that are robust to noise, distortion, and affine transformation.
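The entry above describes synthesizing examples that remain adversarial over a chosen distribution of transformations (the expectation-over-transformation idea). A hedged sketch of one step of such an optimization, assuming a differentiable PyTorch classifier, is given below; the sampling ranges and function names are illustrative assumptions, not the authors' implementation.

# Hedged sketch of an expectation-over-transformation style update: average
# the targeted loss over randomly sampled rotations/translations of the
# current adversarial image, then take a signed gradient step on that average.
import random
import torch
import torch.nn.functional as F
import torchvision.transforms.functional as TF

def eot_step(model, adv_image, target_label, step_size=1e-2, n_samples=8):
    adv = adv_image.detach().clone().requires_grad_(True)
    losses = []
    for _ in range(n_samples):
        angle = random.uniform(-30.0, 30.0)
        dx, dy = random.randint(-3, 3), random.randint(-3, 3)
        view = TF.affine(adv, angle=angle, translate=[dx, dy],
                         scale=1.0, shear=[0.0])
        target = torch.tensor([target_label], device=adv.device)
        losses.append(F.cross_entropy(model(view), target))
    torch.stack(losses).mean().backward()
    # Descending the averaged target-class loss pushes the image toward the
    # target label across the sampled distribution of transformations.
    with torch.no_grad():
        adv = (adv - step_size * adv.grad.sign()).clamp(0.0, 1.0)
    return adv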
Provable defenses against adversarial examples via the convex outer adversarial polytope
TLDR
A method to learn deep ReLU-based classifiers that are provably robust against norm-bounded adversarial perturbations, and it is shown that the dual problem to this linear program can be represented itself as a deep network similar to the backpropagation network, leading to very efficient optimization approaches that produce guaranteed bounds on the robust loss.
On the (Statistical) Detection of Adversarial Examples
TLDR
It is shown that statistical properties of adversarial examples are essential to their detection, and that they are not drawn from the same distribution as the original data and can thus be detected using statistical tests.
DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks
TLDR
The DeepFool algorithm is proposed to efficiently compute perturbations that fool deep networks, and thus reliably quantify the robustness of these classifiers; it outperforms recent methods in the task of computing adversarial perturbations and making classifiers more robust.
Ground-Truth Adversarial Examples
TLDR
Ground truths are constructed: adversarial examples with a provably-minimal distance from a given input point that can serve to assess the effectiveness of attack techniques and also of defense techniques, by computing the distance to the ground truths before and after the defense is applied, and measuring the improvement.
Towards Deep Learning Models Resistant to Adversarial Attacks
TLDR
This work studies the adversarial robustness of neural networks through the lens of robust optimization, and suggests the notion of security against a first-order adversary as a natural and broad security guarantee.