• Corpus ID: 21929206

# A Rotation and a Translation Suffice: Fooling CNNs with Simple Transformations

@article{Engstrom2017ARA,
title={A Rotation and a Translation Suffice: Fooling CNNs with Simple Transformations},
author={Logan Engstrom and Dimitris Tsipras and Ludwig Schmidt and Aleksander Madry},
journal={ArXiv},
year={2017},
volume={abs/1712.02779}
}
Recent work has shown that neural network-based vision classifiers exhibit a significant vulnerability to misclassifications caused by imperceptible but adversarial perturbations of their inputs. These perturbations, however, are purely pixel-wise and built out of loss function gradients of either the attacked model or its surrogate. As a result, they tend to look pretty artificial and contrived. This might suggest that vulnerability to misclassification of slight input perturbations can only…

## 267 Citations

Quantifying Perceptual Distortion of Adversarial Examples
• Computer Science, Mathematics
ArXiv
• 2019
This work presents and employs a unifying framework fusing different attack styles to demonstrate the value of quantifying the perceptual distortion of adversarial examples, and performs adversarial training using attacks generated by the framework to demonstrate that networks are only robust to the classes of adversarial perturbations they have been trained against.
Semantic Adversarial Attacks: Parametric Transformations That Fool Deep Classifiers
• Computer Science
2019 IEEE/CVF International Conference on Computer Vision (ICCV)
• 2019
This paper proposes a novel approach to generate semantic adversarial examples by optimizing a particular adversarial loss over the range-space of a parametric conditional generative model, and demonstrates implementations of this approach on binary classifiers trained on face images.
Adversarial Attacks Beyond the Image Space
• Xiaohui Zeng, +5 authors A. Yuille
• Computer Science
2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)
• 2019
Though image-space adversaries can be interpreted as per-pixel albedo change, it is verified that they cannot be well explained along these physically meaningful dimensions, which often have a non-local effect.
Achieving Robustness in the Wild via Adversarial Mixing With Disentangled Representations
• Sven Gowal, +4 authors P. Kohli
• Computer Science, Mathematics
2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)
• 2020
This paper uses the disentangled latent representations computed by a StyleGAN model to generate perturbations of an image that are similar to real-world variations and trains models to be invariant to these perturbations.
Deceiving Image-to-Image Translation Networks for Autonomous Driving With Adversarial Perturbations
• Computer Science, Engineering
IEEE Robotics and Automation Letters
• 2020
This letter proposes both quasi-physical and digital adversarial perturbations that can make Im2Im models yield unexpected results, and empirically analyzes these perturbations to show that they generalize well under both paired settings for image synthesis and unpaired settings for style transfer.
Robustness and Generalization via Generative Adversarial Training
This paper presents Generative Adversarial Training, an approach to simultaneously improve a model's generalization to the test set and to out-of-domain samples as well as its robustness to unseen adversarial attacks, and demonstrates the effectiveness of the method with results on various tasks such as classification, segmentation and object detection.
Semantic Adversarial Perturbations using Learnt Representations
• Computer Science
ArXiv
• 2020
This work introduces a novel method for the construction of a rich new class of semantic adversarial examples that perturbs the pose, location, size, shape, colour and texture of the objects in an image without manual encoding of these concepts.
Imperceptible Adversarial Examples by Spatial Chroma-Shift
• Computer Science
• 2021
A spatial-transformation-based perturbation method is proposed that creates adversarial examples by modifying only the color components of an input image, and human visual perception studies validate that the examples are more natural looking and often indistinguishable from their original counterparts.
• 2020
Adversarial examples have shown that albeit highly accurate, models learned by machines, differently from humans, have many weaknesses. However, humans’ perception is also fundamentally different
A General Framework for Adversarial Examples with Objectives
• Computer Science
ACM Trans. Priv. Secur.
• 2019
This article proposes adversarial generative nets (AGNs), a general methodology to train a generator neural network to emit adversarial examples satisfying desired objectives, and demonstrates the ability of AGNs to accommodate a wide range of objectives, including imprecise ones difficult to model, in two application domains.

## References

• Computer Science, Mathematics
ArXiv
• 2017
This paper investigates model confidence on adversarial samples by looking at Bayesian uncertainty estimates, available in dropout neural networks, and by performing density estimation in the subspace of deep features learned by the model, and results show a method for implicit adversarial detection that is oblivious to the attack algorithm.
• Computer Science, Mathematics
ICLR
• 2015
It is argued that the primary cause of neural networks' vulnerability to adversarial perturbation is their linear nature, supported by new quantitative results while giving the first explanation of the most intriguing fact about them: their generalization across architectures and training sets.
• Computer Science, Mathematics
ICLR
• 2018
Perturbations generated through spatial transformation could result in large $\mathcal{L}_p$ distance measures, but the extensive experiments show that such spatially transformed adversarial examples are perceptually realistic and more difficult to defend against with existing defense systems.
• Computer Science, Mathematics
ICLR
• 2018
This work proposes a method based on a semidefinite relaxation that outputs a certificate that for a given network and test input, no attack can force the error to exceed a certain value, providing an adaptive regularizer that encourages robustness against all attacks.
• Computer Science
ICML
• 2018
The existence of robust 3D adversarial objects is demonstrated, and the first algorithm for synthesizing examples that are adversarial over a chosen distribution of transformations is presented, which synthesizes two-dimensional adversarial images that are robust to noise, distortion, and affine transformation.
• Computer Science, Mathematics
ICML
• 2018
A method is proposed to learn deep ReLU-based classifiers that are provably robust against norm-bounded adversarial perturbations, and it is shown that the dual of the underlying linear program can itself be represented as a deep network similar to the backpropagation network, leading to very efficient optimization approaches that produce guaranteed bounds on the robust loss.
On the (Statistical) Detection of Adversarial Examples
• Computer Science, Mathematics
ArXiv
• 2017
It is shown that statistical properties of adversarial examples are essential to their detection: they are not drawn from the same distribution as the original data, and can thus be detected using statistical tests.
DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks
• Computer Science
2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR)
• 2016
The DeepFool algorithm is proposed to efficiently compute perturbations that fool deep networks, and thus reliably quantify the robustness of these classifiers, and outperforms recent methods in the task of computing adversarial perturbation and making classifiers more robust.