Assessing Threat of Adversarial Examples on Deep Neural Networks
Abigail Graese, Andras Rozsa, Terrance E. Boult

TL;DR
This paper investigates the security threat posed by adversarial examples to deep neural networks, demonstrating that common real-world image acquisition and preprocessing techniques significantly mitigate this threat, especially in text classification.
Contribution
It is the first study to show that typical image transformations and preprocessing steps neutralize adversarial examples, reducing their threat in practical applications.
Findings
Image acquisition transformations negate adversarial perturbations
Preprocessing like cropping and binarization neutralizes most adversarial examples
Adversarial examples are mainly an academic concern in text classification
Abstract
Deep neural networks are facing a potential security threat from adversarial examples, inputs that look normal but cause an incorrect classification by the deep neural network. For example, the proposed threat could result in hand-written digits on a scanned check being incorrectly classified but looking normal when humans see them. This research assesses the extent to which adversarial examples pose a security threat, when one considers the normal image acquisition process. This process is mimicked by simulating the transformations that normally occur in acquiring the image in a real world application, such as using a scanner to acquire digits for a check amount or using a camera in an autonomous car. These small transformations negate the effect of the carefully crafted perturbations of adversarial examples, resulting in a correct classification by the deep neural network. Thus just…
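The mechanism the abstract describes can be seen in a toy form: a bounded perturbation applied to a black-and-white digit, followed by a simulated scanner pass (blur, then binarization), no longer changes the pixels the classifier would see. This is an added example, not code from the paper; the 7x7 digit, the random bounded noise standing in for an adversarial perturbation, and the blur/threshold pipeline are all constructed here.

```python
import random

THRESHOLD = 128   # binarization cut-off on a 0..255 grey scale
SIZE = 7

# Constructed 7x7 grey-scale "digit": a vertical bar three pixels wide,
# pure black/white so the acquisition effects are easy to follow.
DIGIT = [[255 if 2 <= c <= 4 else 0 for c in range(SIZE)] for _ in range(SIZE)]


def perturb(img, eps, seed=0):
    """Stand-in for an adversarial example: every pixel shifted by an integer
    in [-eps, eps], clamped to the valid range (constructed noise, not a real
    attack; only its bounded magnitude matters for the argument)."""
    rng = random.Random(seed)
    return [[min(255, max(0, p + rng.randint(-eps, eps))) for p in row]
            for row in img]


def box_blur(img):
    """3x3 mean filter with edge replication: a crude model of the optical
    blur a scanner or camera applies before pixels reach the network."""
    n = len(img)
    clamp = lambda i: min(n - 1, max(0, i))
    return [[sum(img[clamp(r + dr)][clamp(c + dc)]
                 for dr in (-1, 0, 1) for dc in (-1, 0, 1)) / 9.0
             for c in range(n)] for r in range(n)]


def binarize(img, thr=THRESHOLD):
    return [[1 if p >= thr else 0 for p in row] for row in img]


def acquire(img):
    """Simulated acquisition plus preprocessing: blur, then binarize."""
    return binarize(box_blur(img))


def pixel_diff(a, b):
    """Number of pixel positions where two images differ."""
    return sum(x != y for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def robust_margin(img, thr=THRESHOLD):
    """Smallest distance of any blurred pixel to the threshold. A perturbation
    whose per-pixel magnitude stays below this value cannot change the
    binarized output, because averaging never amplifies it."""
    return min(abs(p - thr) for row in box_blur(img) for p in row)


if __name__ == "__main__":
    noisy = perturb(DIGIT, eps=30, seed=1)
    print("raw pixels changed:", pixel_diff(DIGIT, noisy))
    print("changed after acquisition:", pixel_diff(acquire(DIGIT), acquire(noisy)))
    print("margin of this digit:", robust_margin(DIGIT))
```

The margin is the caveat: a perturbation larger than it can survive the same pipeline, so the mitigation holds only for perturbations small relative to the image's distance from the binarization threshold.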
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Physical Unclonable Functions (PUFs) and Hardware Security
