Adversarial examples in the physical world

@article{Kurakin2017AdversarialEI,
  title={Adversarial examples in the physical world},
  author={Alexey Kurakin and Ian J. Goodfellow and Samy Bengio},
  journal={ArXiv},
  year={2017},
  volume={abs/1607.02533}
}
Most existing machine learning classifiers are highly vulnerable to adversarial examples. [...] Key Result: We find that a large fraction of adversarial examples are classified incorrectly even when perceived through the camera.
Reproducibility Report: Synthesizing Robust Adversarial Examples
Neural network-based classifiers parallel or exceed human-level accuracy on many common tasks and are used in practical systems. Yet, neural networks are susceptible to adversarial examples,
Mitigation of Adversarial Attacks through Embedded Feature Selection
TLDR
A design methodology is proposed to evaluate the security of machine learning classifiers with embedded feature selection against adversarial examples crafted using different attack strategies, showing that the relative distortion that the attacker has to introduce to succeed in the attack is greater when the target is using a reduced set of features.
Robust Physical-World Attacks on Machine Learning Models
TLDR
This paper proposes a new attack algorithm, Robust Physical Perturbations (RP2), that generates perturbations by taking images under different conditions into account and can create spatially constrained perturbations that mimic vandalism or art to reduce the likelihood of detection by a casual observer.
On the Effectiveness of Adversarial Training in Defending against Adversarial Example Attacks for Image Classification
TLDR
It is shown that it is very difficult to make a robust network using adversarial training, even for black-box settings where the attacker has restricted information on the target network.
Machine Learning as an Adversarial Service: Learning Black-Box Adversarial Examples
TLDR
A direct attack against black-box neural networks, that uses another attacker neural network to learn to craft adversarial examples that can transfer to different machine learning models such as Random Forest, SVM, and K-Nearest Neighbor is introduced.
ROOM: Adversarial Machine Learning Attacks Under Real-Time Constraints
TLDR
ROOM is proposed, a novel Real-time Online-Offline attack construction Model in which an offline component serves to warm up the online algorithm, making it possible to generate highly successful attacks under time constraints and to achieve high attack success rates under real-time constraints.
Detecting Adversarial Examples Using Data Manifolds
TLDR
The goal of finding limitations of the learning model presents a more tractable approach to protecting against adversarial attacks, based on identifying a low dimensional manifold in which the training samples lie and using the distance of a new observation from this manifold to identify whether this data point is adversarial or not.
On The Generation of Unrestricted Adversarial Examples
  • Mehrgan Khoshpasand, A. Ghorbani
  • Computer Science
    2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)
  • 2020
TLDR
It is demonstrated that even the state-of-the-art MNIST classifiers are vulnerable to the adversarial examples generated with this technique, and it is hoped that new proposed defences use this attack to evaluate the robustness of their models against unrestricted attacks.
Adversarial Attacks on Neural Network Policies
TLDR
This work shows existing adversarial example crafting techniques can be used to significantly degrade test-time performance of trained policies, even with small adversarial perturbations that do not interfere with human perception.
Adversarial Machine Learning at Scale
TLDR
This research applies adversarial training to ImageNet, finds that single-step attacks are the best for mounting black-box attacks, and resolves a "label leaking" effect that causes adversarially trained models to perform better on adversarial examples than on clean examples.

References

Practical Black-Box Attacks against Deep Learning Systems using Adversarial Examples
TLDR
This work introduces the first practical demonstration that the cross-model transfer phenomenon enables attackers to control a remotely hosted DNN with no access to the model, its parameters, or its training data, and introduces the attack strategy of fitting a substitute model to the observed input-output pairs and then crafting adversarial examples based on this auxiliary model.
Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples
TLDR
New transferability attacks between previously unexplored (substitute, victim) pairs of machine learning model classes, most notably SVMs and decision trees are introduced.
Explaining and Harnessing Adversarial Examples
TLDR
It is argued that the primary cause of neural networks' vulnerability to adversarial perturbation is their linear nature, supported by new quantitative results while giving the first explanation of the most intriguing fact about them: their generalization across architectures and training sets.
Evasion Attacks against Machine Learning at Test Time
TLDR
This work presents a simple but effective gradient-based approach that can be exploited to systematically assess the security of several, widely-used classification algorithms against evasion attacks.
Adversarial classification
TLDR
This paper views classification as a game between the classifier and the adversary, and produces a classifier that is optimal given the adversary's optimal strategy; experiments show that this approach can greatly outperform a classifier learned in the standard way.
Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition
TLDR
A novel class of attacks is defined: attacks that are physically realizable and inconspicuous, and allow an attacker to evade recognition or impersonate another individual, and a systematic method to automatically generate such attacks is developed through printing a pair of eyeglass frames.
Intriguing properties of neural networks
TLDR
It is found that there is no distinction between individual high-level units and random linear combinations of high-level units, according to various methods of unit analysis, and it is suggested that it is the space, rather than the individual units, that contains the semantic information in the high layers of neural networks.
Hidden Voice Commands
TLDR
This paper explores how voice interfaces can be attacked with hidden voice commands that are unintelligible to human listeners but are interpreted as commands by devices.
Face Recognition on Consumer Devices: Reflections on Replay Attacks
TLDR
Experiments indicate that the face reflection sequences can be classified under ideal conditions with a high degree of confidence, and may pave the way for further studies in the use of video analysis for defeating biometric replay attacks on consumer devices.
Rethinking the Inception Architecture for Computer Vision
TLDR
This work explores ways to scale up networks that aim to utilize the added computation as efficiently as possible through suitably factorized convolutions and aggressive regularization.