Generating Adversarial Examples with Adversarial Networks

TL;DR

This paper introduces AdvGAN, a generative adversarial network-based method for efficiently creating high-quality adversarial examples to test and improve the robustness of deep neural networks.

Contribution

AdvGAN is a novel approach that uses GANs to generate adversarial examples efficiently, applicable in semi-whitebox and black-box attack scenarios, with high success rates against defenses.

Findings

Achieved 92.76% success rate on MNIST black-box attack challenge.

Generated adversarial examples with high perceptual quality.

Outperformed existing attack methods in success rate.

Abstract

Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but how to produce them with high perceptual quality and more efficiently requires more research efforts. In this paper, we propose AdvGAN to generate adversarial examples with generative adversarial networks (GANs), which can learn and approximate the distribution of original instances. For AdvGAN, once the generator is trained, it can generate adversarial perturbations efficiently for any instance, so as to potentially accelerate adversarial training as defenses. We apply AdvGAN in both semi-whitebox and black-box attack settings. In semi-whitebox attacks, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In black-box attacks, we dynamically train a distilled model for the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN on different target models have high attack success rate under state-of-the-art defenses compared to other attacks. Our attack has placed the first with 92.76% accuracy on a public MNIST black-box attack challenge.