A General Framework for Adversarial Examples with Objectives

TL;DR

This paper introduces adversarial generative nets (AGNs), a versatile framework for creating adversarial examples that meet various objectives, improving robustness and inconspicuousness in real-world and digital attack scenarios.

Contribution

The paper proposes AGNs, a novel method for training generators to produce adversarial examples satisfying diverse and complex objectives, extending beyond traditional similarity constraints.

Findings

Successful generation of physical adversarial eyeglasses for face recognition

Effective attacks on handwritten-digit classifiers

Demonstrated robustness and inconspicuousness of generated adversarial examples

Abstract

Images perturbed subtly to be misclassified by neural networks, called adversarial examples, have emerged as a technically deep challenge and an important concern for several application domains. Most research on adversarial examples takes as its only constraint that the perturbed images are similar to the originals. However, real-world application of these ideas often requires the examples to satisfy additional objectives, which are typically enforced through custom modifications of the perturbation process. In this paper, we propose adversarial generative nets (AGNs), a general methodology to train a generator neural network to emit adversarial examples satisfying desired objectives. We demonstrate the ability of AGNs to accommodate a wide range of objectives, including imprecise ones difficult to model, in two application domains. In particular, we demonstrate physical adversarial examples---eyeglass frames designed to fool face recognition---with better robustness, inconspicuousness, and scalability than previous approaches, as well as a new attack to fool a handwritten-digit classifier.