Adversarial examples in the physical world

Kurakin, Alexey; Goodfellow, Ian; Bengio, Samy

doi:10.48550/arxiv.1607.02533

Cited by 789 publications

(1,288 citation statements)

References 2 publications

Supporting

Mentioning

1,280

Contrasting

Unclassified

Order By: Relevance

“…Adversarial robustness Traditional approaches [36,22,46,16] to adversarial learning consider worstcase perturbations to the data during training, i.e., the data is perturbed after it has been generated. While such a perturbation model is meaningful in the image classification setting for which adversarial robust training methods were originally developed, it does not immediately translate to the dynamic setting that we consider, where the adversary may be used to capture model uncertainty or process noise.…”

Section: Related Workmentioning

confidence: 99%

Adversarially Robust Stability Certificates can be Sample-Efficient

Zhang¹,

Tu²,

Boffi³

et al. 2021

Preprint

View full text Add to dashboard Cite

Motivated by bridging the simulation to reality gap in the context of safety-critical systems, we consider learning adversarially robust stability certificates for unknown nonlinear dynamical systems. In line with approaches from robust control, we consider additive and Lipschitz bounded adversaries that perturb the system dynamics. We show that under suitable assumptions of incremental stability on the underlying system, the statistical cost of learning an adversarial stability certificate is equivalent, up to constant factors, to that of learning a nominal stability certificate. Our results hinge on novel bounds for the Rademacher complexity of the resulting adversarial loss class, which may be of independent interest. To the best of our knowledge, this is the first characterization of sample-complexity bounds when performing adversarial learning over data generated by a dynamical system. We further provide a practical algorithm for approximating the adversarial training algorithm, and validate our findings on a damped pendulum example.

show abstract

Section: Related Workmentioning

confidence: 99%

Adversarially Robust Stability Certificates can be Sample-Efficient

Zhang¹,

Tu²,

Boffi³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…adversarial perturbations to the images it is possible to change the prediction of the classifier. Since then, plenty of research [4,25,28,29,39] has been performed on finding different types of adversarial perturbations and study the robustification against them [4,10,15,15,25]. In this work, we utilize a strong yet undefended attack basic iterative method [25] for generating adversarial perturbations.…”

Section: Related Workmentioning

confidence: 99%

“…Since then, plenty of research [4,25,28,29,39] has been performed on finding different types of adversarial perturbations and study the robustification against them [4,10,15,15,25]. In this work, we utilize a strong yet undefended attack basic iterative method [25] for generating adversarial perturbations. [32] focused on robustification against adversarial as well as natural perturbations by using properly tuned Gaussian and Speckle noise.…”

Section: Related Workmentioning

confidence: 99%

Wiggling Weights to Improve the Robustness of Classifiers

Gulshad¹,

Sosnovik²,

Smeulders³

2021

Preprint

View full text Add to dashboard Cite

Robustness against unwanted perturbations is an important aspect of deploying neural network classifiers in the real world. Common natural perturbations include noise, saturation, occlusion, viewpoint changes, and blur deformations. All of them can be modelled by the newly proposed transform-augmented convolutional networks. While many approaches for robustness train the network by providing augmented data to the network, we aim to integrate perturbations in the network architecture to achieve improved and more general robustness. To demonstrate that wiggling the weights consistently improves classification, we choose a standard network and modify it to a transform-augmented network. On perturbed CIFAR-10 images, the modified network delivers a better performance than the original network. For the much smaller STL-10 dataset, in addition to delivering better general robustness, wiggling even improves the classification of unperturbed, clean images substantially. We conclude that wiggled transform-augmented networks acquire good robustness even for perturbations not seen during training.

show abstract

“…Such kinds of attacks can also exist for audio space [9] and text classification [10] in natural language processing. Those attacks exist not only in the digital world, but can also happen in the physical world, such as the cellphone camera attack [11] or road sign attack [12]. Besides the inference time attacks, the backdoor attacks [13], [14] that weaken model accuracy during the training time have also been investigated.…”

Section: Introductionmentioning

confidence: 99%

LTD: Low Temperature Distillation for Robust Adversarial Training

Chen¹,

Lee²

2021

Preprint

View full text Add to dashboard Cite

Adversarial training has been widely used to enhance the robustness of the neural network models against adversarial attacks. However, there still a notable gap between the nature accuracy and the robust accuracy. We found one of the reasons is the commonly used labels, one-hot vectors, hinder the learning process for image recognition. In this paper, we proposed a method, called Low Temperature Distillation (LTD), which is based on the knowledge distillation framework to generate the desired soft labels. Unlike the previous work, LTD uses relatively low temperature in the teacher model, and employs different, but fixed, temperatures for the teacher model and the student model. Moreover, we have investigated the methods to synergize the use of nature data and adversarial ones in LTD.Experimental results show that without extra unlabeled data, the proposed method combined with the previous work can achieve 57.72% and 30.36% robust accuracy on CIFAR-10 and CIFAR-100 dataset respectively, which is about 1.21% improvement of the state-of-the-art methods in average.

show abstract

Adversarial examples in the physical world

Cited by 789 publications

References 2 publications

Adversarially Robust Stability Certificates can be Sample-Efficient

Adversarially Robust Stability Certificates can be Sample-Efficient

Wiggling Weights to Improve the Robustness of Classifiers

LTD: Low Temperature Distillation for Robust Adversarial Training

Contact Info

Product

Resources

About