DOI: 10.5555/3304222.3304312
Article

Generating adversarial examples with adversarial networks

Published: 13 July 2018

Abstract

Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but producing them with high perceptual quality and efficiency requires further research. In this paper, we propose AdvGAN, which generates adversarial examples with generative adversarial networks (GANs) that can learn and approximate the distribution of original instances. Once the AdvGAN generator is trained, it can produce perturbations efficiently for any input instance, potentially accelerating adversarial training as a defense. We apply AdvGAN in both semi-whitebox and black-box attack settings. In the semi-whitebox setting, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In the black-box setting, we dynamically train a distilled model of the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN against different target models achieve high attack success rates under state-of-the-art defenses compared with other attacks, and our attack placed first on a public MNIST black-box attack challenge with 92.76% accuracy.
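To make the abstract's training setup concrete, the sketch below shows one plausible way the generator's objective could be assembled: an attack loss pushing the target (or distilled) model toward an adversary-selected class, a generator-side GAN loss keeping the perturbed input near the data distribution, and a soft hinge bound on the perturbation magnitude. All function names, weights, and the exact loss forms here are illustrative assumptions, not the paper's actual code.

```python
import numpy as np

def softmax(z):
    # Numerically stable softmax over a logit vector.
    e = np.exp(z - z.max())
    return e / e.sum()

def attack_loss(target_logits, target_class):
    """Cross-entropy of the target model's prediction w.r.t. the
    adversary-selected class (lower = more successful targeted attack)."""
    probs = softmax(target_logits)
    return -np.log(probs[target_class] + 1e-12)

def gan_loss(disc_score_on_adv):
    """Generator-side GAN loss: encourage the discriminator to score
    the perturbed input x + G(x) as real (score close to 1)."""
    return -np.log(disc_score_on_adv + 1e-12)

def hinge_loss(perturbation, bound):
    """Soft hinge on the L2 norm of the perturbation G(x), penalizing
    only the excess over a user-chosen magnitude bound."""
    return max(0.0, np.linalg.norm(perturbation) - bound)

def advgan_objective(target_logits, target_class, disc_score,
                     perturbation, bound=0.3, alpha=1.0, beta=10.0):
    # Weighted sum of the three terms; alpha and beta trade off
    # realism and perturbation size against attack success.
    return (attack_loss(target_logits, target_class)
            + alpha * gan_loss(disc_score)
            + beta * hinge_loss(perturbation, bound))
```

In the black-box setting described above, `target_logits` would come from the dynamically distilled model rather than the black-box model itself; after training, only the generator is needed to attack new inputs.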


    Published In

IJCAI'18: Proceedings of the 27th International Joint Conference on Artificial Intelligence
July 2018
5885 pages
ISBN: 9780999241127

    Sponsors

• Adobe
• IBM Research
• Ericsson
• Microsoft
• AI Journal

    Publisher

    AAAI Press


    Cited By

• (2024) Detecting Adversarial Examples via Reconstruction-based Semantic Inconsistency. Proceedings of the ACM Turing Award Celebration Conference - China 2024, 10.1145/3674399.3674448, pages 126-131. Online publication date: 5-Jul-2024.
• (2024) Creativity and Machine Learning: A Survey. ACM Computing Surveys 56(11), 10.1145/3664595, pages 1-41. Online publication date: 28-Jun-2024.
• (2024) Improving Adversarial Robustness for Recommendation Model via Cross-Domain Distributional Adversarial Training. Proceedings of the 18th ACM Conference on Recommender Systems, 10.1145/3640457.3688116, pages 278-286. Online publication date: 8-Oct-2024.
• (2024) Practical Adversarial Attack on WiFi Sensing Through Unnoticeable Communication Packet Perturbation. Proceedings of the 30th Annual International Conference on Mobile Computing and Networking, 10.1145/3636534.3649367, pages 373-387. Online publication date: 29-May-2024.
• (2023) Rethinking the backward propagation for adversarial transferability. Proceedings of the 37th International Conference on Neural Information Processing Systems, 10.5555/3666122.3666214, pages 1905-1922. Online publication date: 10-Dec-2023.
• (2023) A critical revisit of adversarial robustness in 3D point cloud recognition with diffusion-driven purification. Proceedings of the 40th International Conference on Machine Learning, 10.5555/3618408.3619782, pages 33100-33114. Online publication date: 23-Jul-2023.
• (2023) Learning antidote data to individual unfairness. Proceedings of the 40th International Conference on Machine Learning, 10.5555/3618408.3619238, pages 20168-20181. Online publication date: 23-Jul-2023.
• (2023) Strategic adversarial attacks in AI-assisted decision making to reduce human trust and reliance. Proceedings of the Thirty-Second International Joint Conference on Artificial Intelligence, 10.24963/ijcai.2023/337, pages 3020-3028. Online publication date: 19-Aug-2023.
• (2023) A Survey of Robustness and Safety of 2D and 3D Deep Learning Models against Adversarial Attacks. ACM Computing Surveys 56(6), 10.1145/3636551, pages 1-37. Online publication date: 7-Dec-2023.
• (2023) Automated generation of adaptive perturbed images based on GAN for motivated adversaries on deep learning models. Proceedings of the 12th International Symposium on Information and Communication Technology, 10.1145/3628797.3628923, pages 808-815. Online publication date: 7-Dec-2023.
