Synthesizing Robust Adversarial Examples

TL;DR

This paper introduces a novel algorithm for creating physically robust adversarial examples, including 3D objects, that remain effective under various real-world transformations and conditions.

Contribution

It presents the first method for synthesizing 3D adversarial objects that are robust across a distribution of transformations, bridging the gap between digital and physical adversarial attacks.

Findings

Existence of robust 3D adversarial objects in the physical world

Successful synthesis of 2D adversarial images resilient to noise and transformations

Manufacture of physical 3D adversarial objects using 3D printing

Abstract

Standard methods for generating adversarial examples for neural networks do not consistently fool neural network classifiers in the physical world due to a combination of viewpoint shifts, camera noise, and other natural transformations, limiting their relevance to real-world systems. We demonstrate the existence of robust 3D adversarial objects, and we present the first algorithm for synthesizing examples that are adversarial over a chosen distribution of transformations. We synthesize two-dimensional adversarial images that are robust to noise, distortion, and affine transformation. We apply our algorithm to complex three-dimensional objects, using 3D-printing to manufacture the first physical adversarial objects. Our results demonstrate the existence of 3D adversarial objects in the physical world.