A New Type of Adversarial Examples

TL;DR

This paper introduces a novel class of adversarial examples that are significantly different from original data but still produce the same model output, highlighting new security challenges.

Contribution

It proposes new algorithms for generating adversarial examples that are opposite to traditional ones, expanding the understanding of adversarial space.

Findings

Adversarial examples can be far from original data points.

The new methods effectively produce such examples.

These examples can be used to attack machine learning systems.

Abstract

Most machine learning models are vulnerable to adversarial examples, which poses security concerns on these models. Adversarial examples are crafted by applying subtle but intentionally worst-case modifications to examples from the dataset, leading the model to output a different answer from the original example. In this paper, adversarial examples are formed in an exactly opposite manner, which are significantly different from the original examples but result in the same answer. We propose a novel set of algorithms to produce such adversarial examples, including the negative iterative fast gradient sign method (NI-FGSM) and the negative iterative fast gradient method (NI-FGM), along with their momentum variants: the negative momentum iterative fast gradient sign method (NMI-FGSM) and the negative momentum iterative fast gradient method (NMI-FGM). Adversarial examples constructed by these methods could be used to perform an attack on machine learning systems in certain occasions. Moreover, our results show that the adversarial examples are not merely distributed in the neighbourhood of the examples from the dataset; instead, they are distributed extensively in the sample space.