AT-GAN: An Adversarial Generator Model for Non-constrained Adversarial Examples

TL;DR

This paper introduces AT-GAN, a novel generative adversarial network framework that creates non-constrained, realistic adversarial examples directly from noise, improving attack success rates and diversity over traditional perturbation-based methods.

Contribution

The paper presents the first adversarial generator model that produces diverse, realistic adversarial examples directly from noise, expanding beyond traditional constrained perturbation attacks.

Findings

AT-GAN generates highly realistic adversarial examples.

It achieves higher success rates against adversarially trained models.

The model demonstrates moderate transferability to black-box models.

Abstract

Despite the rapid development of adversarial machine learning, most adversarial attack and defense researches mainly focus on the perturbation-based adversarial examples, which is constrained by the input images. In comparison with existing works, we propose non-constrained adversarial examples, which are generated entirely from scratch without any constraint on the input. Unlike perturbation-based attacks, or the so-called unrestricted adversarial attack which is still constrained by the input noise, we aim to learn the distribution of adversarial examples to generate non-constrained but semantically meaningful adversarial examples. Following this spirit, we propose a novel attack framework called AT-GAN (Adversarial Transfer on Generative Adversarial Net). Specifically, we first develop a normal GAN model to learn the distribution of benign data, and then transfer the pre-trained GAN model to estimate the distribution of adversarial examples for the target model. In this way, AT-GAN can learn the distribution of adversarial examples that is very close to the distribution of real data. To our knowledge, this is the first work of building an adversarial generator model that could produce adversarial examples directly from any input noise. Extensive experiments and visualizations show that the proposed AT-GAN can very efficiently generate diverse adversarial examples that are more realistic to human perception. In addition, AT-GAN yields higher attack success rates against adversarially trained models under white-box attack setting and exhibits moderate transferability against black-box models.