Adversarial Examples in Machine Learning

09 Nov 2019 16:02

---

Yet another inadequate place-holder. I will however point to my talk notes on the first paper on the subject...

This phenomenon is, to my mind, the most interesting thing to have come out of the recent revival of multi-layer connectionist models, a.k.a. "deep learning".

Recommended (unprioritized):
• Sébastien Bubeck, Eric Price, Ilya Razenshteyn, "Adversarial examples from computational constraints",arxiv:1805.10204
• Krzysztof Chalupka, Pietro Perona, Frederick Eberhardt, "Visual Causal Feature Learning", arxiv:1412.2309
• Ian J. Goodfellow, Jonathon Shlens, Christian Szegedy, "Explaining and Harnessing Adversarial Examples", arxiv:1412.6572
• Andrew Ilyas, Shibani Santurkar, Dimitris Tsipras, Logan Engstrom, Brandon Tran, Aleksander Madry, "Adversarial Examples Are Not Bugs, They Are Features", arxiv:1905.02175 [I'm not as convinced as they are that they've managed to create networks using only "robust" features that aren't vulnerable to new adversarial attacks. But I am convinced that they're able to identify non-robust features and show they generalize to the original data set. --- Immediately after reading the paper, I discovered an extensive multi-author discussion, with replySeyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, Omar Fawzi, Pascal Frossard, "Universal adversarial perturbations", arxiv:1610.08401
• Anh Nguyen, Jason Yosinski, Jeff Clune, "Deep Neural Networks are Easily Fooled: High Confidence Predictions for Unrecognizable Images", arxiv:1412.1897
• Adi Shamir, Itay Safran, Eyal Ronen and Orr Dunkelman, "A Simple Explanation for the Existence of Adversarial Examples with Small Hamming Distance", arxiv:1901.1086 [As they are careful to point out, they explain the existence of adversarial examples where a small number of pixels (or other basic features) are perturbed, but perhaps by arbitrarily large amounts. Also, their explanation relies on the over-all network being piecewise linear.]
• Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, Rob Fergus, "Intriguing properties of neural networks", arxiv:1312.6199

To read (a rather promiscuous mix of examples and stabs at general explanations):
• Nilesh A. Ahuja, Ibrahima Ndiour, Trushant Kalyanpur, Omesh Tickoo, "Probabilistic Modeling of Deep Features for Out-of-Distribution and Adversarial Detection", arxiv:1909.11786
• Ulrich Aïvodji, Sébastien Gambs, Timon Ther, "GAMIN: An Adversarial Approach to Black-Box Model Inversion", arxiv:1909.11835
• Devansh Arpit, Caiming Xiong, Richard Socher, "Entropy Penalty: Towards Generalization Beyond the IID Assumption", arxiv:1910.00164
• Anish Athalye, Logan Engstrom, Andrew Ilyas, Kevin Kwok, "Synthesizing Robust Adversarial Examples", arxiv:1707.07397
• Aleksandar Bojchevski, Stephan Günnemann, "Adversarial Attacks on Node Embeddings via Graph Poisoning", arxiv:1809.01093
• Avishek Joey Bose, Andre Cianflone, William L. Hamilton, "Generalizable Adversarial Attacks Using Generative Models", arxiv:1905.10864
• Tom B. Brown, Dandelion Mané, Aurko Roy, Martín Abadi, Justin Gilmer, "Adversarial Patch", arxiv:1712.09665
• Nicholas Carlini, Ulfar Erlingsson, Nicolas Papernot, "Distribution Density, Tails, and Outliers in Machine Learning: Metrics and Applications", arxiv:1910.13427
• Heng Chang, Yu Rong, Tingyang Xu, Wenbing Huang, Honglei Zhang, Peng Cui, Wenwu Zhu, Junzhou Huang, "A Restricted Black-box Adversarial Framework Towards Attacking Graph Embedding Models", arxiv:1908.01297
• Gilad Cohen, Guillermo Sapiro, Raja Giryes, "Detecting Adversarial Samples Using Influence Functions and Nearest Neighbors", arxiv:1909.06872
• Dimitrios I. Diochnos, Saeed Mahloujifar, Mohammad Mahmoody, "Lower Bounds for Adversarially Robust PAC Learning", arxiv:1906.05815
• Ann-Kathrin Dombrowski, Maximilian Alber, Christopher J. Anders, Marcel Ackermann, Klaus-Robert Müller, Pan Kessel, "Explanations can be manipulated and geometry is to blame", arxiv:1906.07983
• Gamaleldin F. Elsayed, Ian Goodfellow, Jascha Sohl-Dickstein, "Adversarial Reprogramming of Neural Networks", arxiv:1806.11146
• Gamaleldin F. Elsayed, Shreya Shankar, Brian Cheung, Nicolas Papernot, Alex Kurakin, Ian Goodfellow, Jascha Sohl-Dickstein, "Adversarial Examples that Fool both Computer Vision and Time-Limited Humans", arxiv:1802.08195
• Logan Engstrom, Andrew Ilyas, Shibani Santurkar, Dimitris Tsipras, Brandon Tran, Aleksander Madry, "Adversarial Robustness as a Prior for Learned Representations", arxiv:1906.00945
• Samuel G. Finlayson, Hyung Won Chung, Isaac S. Kohane, Andrew L. Beam, "Adversarial Attacks Against Medical Deep Learning Systems", arxiv:1804.05296
• Hang Gao, Tim Oates, "Universal Adversarial Perturbation for Text Classification", arxiv:1910.04618
• Justin Gilmer, Ryan P. Adams, Ian Goodfellow, David Andersen, George E. Dahl, "Motivating the Rules of the Game for Adversarial Example Research", arxiv:1807.06732 [Not sure how much this matters to me, since I'm not interested in these as security holes so much as windows on to what the networks are doing]
• Justin Gilmer, Luke Metz, Fartash Faghri, Samuel S. Schoenholz, Maithra Raghu, Martin Wattenberg, Ian Goodfellow, "Adversarial Spheres", arxiv:1801.02774
• Adam Gleave, Michael Dennis, Neel Kant, Cody Wild, Sergey Levine, Stuart Russell, "Adversarial Policies: Attacking Deep Reinforcement Learning", arxiv:1905.10615
• Jan Philip Göpfert, André Artelt, Heiko Wersing, Barbara Hammer, "Adversarial attacks hidden in plain sight", arxiv:1902.09286
• Melody Y. Guan, Gregory Valiant, "A Surprising Density of Illusionable Natural Speech", arxiv:1906.01040
• Chuan Guo, Jacob R. Gardner, Yurong You, Andrew Gordon Wilson, Kilian Q. Weinberger, "Simple Black-box Adversarial Attacks", arxiv:1905.07121
• Jiangfan Han, Xiaoyi Dong, Ruimao Zhang, Dongdong Chen, Weiming Zhang, Nenghai Yu, Ping Luo, Xiaogang Wang, "Once a MAN: Towards Multi-Target Attack via Learning Multi-Target Adversarial Network Once", arxiv:1908.05185
• Xintian Han, Yuxuan Hu, Luca Foschini, Larry Chinitz, Lior Jankelson, Rajesh Ranganath, "Adversarial Examples for Electrocardiograms", arxiv:1905.05163
• Hangfeng He, Weijie J. Su, "The Local Elasticity of Neural Networks", arxiv:1910.06943
• Yu-Lun Hsieh, Minhao Cheng, Da-Cheng Juan, Wei Wei, Wen-Lian Hsu, Cho-Jui Hsieh, "Natural Adversarial Sentence Generation with Gradient-based Perturbation", arxiv:1909.04495
• Linxi Jiang, Xingjun Ma, Shaoxiang Chen, James Bailey, Yu-Gang Jiang, "Black-box Adversarial Attacks on Video Recognition Models", arxiv:1904.05181
• Di Jin, Zhijing Jin, Joey Tianyi Zhou, Peter Szolovits, "Is BERT Really Robust? A Strong Baseline for Natural Language Attack on Text Classification and Entailment", arxiv:1907.11932
• Jason Jo, Yoshua Bengio, "Measuring the tendency of CNNs to Learn Surface Statistical Regularities", arxiv:1711.11561
• Anthony D. Joseph, Blaine Nelson, Benjamin I. P. Rubinstein and J. D. Tygar, Adversarial Machine Learning [My judgment is that no book on ML has a more visually-apt cover than this one]
• Ameya Joshi, Amitangshu Mukherjee, Soumik Sarkar, Chinmay Hegde, "Semantic Adversarial Attacks: Parametric Transformations That Fool Deep Classifiers", arxiv:1904.08489
• Karl M. Koerich, Mohammad Esmailpour, Sajjad Abdoli, Alceu S. Britto Jr., Alessandro L. Koerich, "Cross-Representation Transferability of Adversarial Perturbations: From Spectrograms to Audio Waveforms", arxiv:1910.10106
• Cassidy Laidlaw, Soheil Feizi, "Functional Adversarial Attacks", arxiv:1906.00001
• Alfred Laugros, Alice Caplier, Matthieu Ospici, "Are Adversarial Robustness and Common Perturbation Robustness Independent Attributes?", arxiv:1909.02436
• Bai Li, Changyou Chen, Wenlin Wang, Lawrence Carin, "Certified Adversarial Robustness with Additive Gaussian Noise", arxiv:1809.03113 [I'm skeptical, but I haven't read it]
• Juncheng Li, Frank R. Schmidt, J. Zico Kolter, "Adversarial camera stickers: A physical camera-based attack on deep learning systems", arxiv:1904.00759
• Daniel Liu, Ronald Yu, Hao Su, "Adversarial point perturbations on 3D objects", arxiv:1908.06062
• Wenjian Luo, Chenwang Wu, Nan Zhou, Li Ni, "Random Directional Attack for Fooling Deep Neural Networks", arxiv:1908.02658
• Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, Adrian Vladu, "Towards Deep Learning Models Resistant to Adversarial Attacks", arxiv:1706.06083
• Saeed Mahloujifar, Xiao Zhang, Mohammad Mahmoody, David Evans, "Empirically Measuring Concentration: Fundamental Limits on Intrinsic Robustness", arxiv:1905.12202
• Apostolos Modas, Seyed-Mohsen Moosavi-Dezfooli, Pascal Frossard, "SparseFool: a few pixels make a big difference", arxiv:1811.02248
• Paarth Neekhara, Shehzeen Hussain, Shlomo Dubnov, Farinaz Koushanfar, "Adversarial Reprogramming of Text Classification Neural Networks", arxiv:1809.01829
• Paarth Neekhara, Shehzeen Hussain, Prakhar Pandey, Shlomo Dubnov, Julian McAuley, Farinaz Koushanfar, "Universal Adversarial Perturbations for Speech Recognition Systems", arxiv:1905.03828
• Utku Ozbulak, Arnout Van Messem, Wesley De Neve, "Impact of Adversarial Examples on Deep Learning Models for Biomedical Image Segmentation", arxiv:1907.13124
• Daniel Park, Haidar Khan, Bülent Yener, "Generation & Evaluation of Adversarial Examples for Malware Obfuscation", arxiv:1904.04802
• Mikhail Pautov, Grigorii Melnikov, Edgar Kaziakhmedov, Klim Kireev, Aleksandr Petiushko, "On adversarial patches: real-world attack on ArcFace-100 face recognition system", arxiv:1910.07067
• Dan Peng, Zizhan Zheng, Linhao Luo, Xiaofeng Zhang, "Structure Matters: Towards Generating Transferable Adversarial Images", arxiv:1910.09821
• Aram-Alexandre Pooladian, Chris Finlay, Tim Hoheisel, Adam Oberman, "A principled approach for generating adversarial images under non-smooth dissimilarity metrics", arxiv:190801667
• Shahbaz Rezaei, Xin Liu, "A Target-Agnostic Attack on Deep Models: Exploiting Security Vulnerabilities of Transfer Learning", arxiv:1904.04334
• Yaniv Romano, Aviad Aberdam, Jeremias Sulam, Michael Elad, "Adversarial Noise Attacks of Deep Learning Architectures -- Stability Analysis via Sparse Modeled Signals", arxiv:1805.11596
• Andras Rozsa, Terrance E. Boult, "Improved Adversarial Robustness by Reducing Open Space Risk via Tent Activations", arxiv:1908.02435
• Lea Schönherr, Steffen Zeiler, Thorsten Holz, Dorothea Kolossa, "Robust Over-the-Air Adversarial Examples Against Automatic Speech Recognition Systems", arxiv:1908.01551
• Ali Shahin Shamsabadi, Changjae Oh, Andrea Cavallaro, "EdgeFool: An Adversarial Image Enhancement Filter", arxiv:1910.12227
• Shawn Shan, Emily Wenger, Bolun Wang, Bo Li, Haitao Zheng, Ben Y. Zhao, "Using Honeypots to Catch Adversarial Attacks on Neural Networks", arxiv:1904.08554
• Chaomin Shen, Yaxin Peng, Guixu Zhang, Jinsong Fan, "Defending Against Adversarial Attacks by Suppressing the Largest Eigenvalue of Fisher Information Matrix", arxiv:1909.06137
• Xupeng Shi, A. Adam Ding, "Understanding and Quantifying Adversarial Examples Existence in Linear Classification", arxiv:1910.12163
• Vinod Subramanian, Emmanouil Benetos, Ning Xu, SKoT McDonald, Mark Sandler, "Adversarial Attacks in Sound Event Classification", arxiv:1907.02477
• Rohan Taori, Amog Kamsetty, Brenton Chu, Nikita Vemuri, "Targeted Adversarial Examples for Black Box Audio Systems", arxiv:1805.07820
• Eric Wallace, Shi Feng, Nikhil Kandpal, Matt Gardner, Sameer Singh, "Universal Adversarial Triggers for Attacking and Analyzing NLP", arxiv:1908.07125
• Walt Woods, Jack Chen, Christof Teuscher, "Adversarial Explanations for Understanding Image Classification Decisions and Improved Neural Network Robustness", arxiv:1906.02896
• Chang Xiao, Peilin Zhong, Changxi Zheng, "Resisting Adversarial Attacks by k-Winners-Take-All", arxiv:1905.10510
• Qi Xuan, Jun Zheng, Lihong Chen, Shanqing Yu, Jinyin Chen, Dan Zhang, Qingpeng Zhang Member, "Unsupervised Euclidean Distance Attack on Network Embedding", arxiv:1905.11015
• Jirong Yi, Hui Xie, Leixin Zhou, Xiaodong Wu, Weiyu Xu, Raghuraman Mudumbai, "Trust but Verify: An Information-Theoretic Explanation for the Adversarial Fragility of Machine Learning Systems, and a General Defense against Adversarial Attacks", arxiv:1905.11381
• Xuwang Yin, Soheil Kolouri, Gustavo K. Rohde, "Divide-and-Conquer Adversarial Detection", arxiv:1905.11475
• Tao Yu, Shengyuan Hu, Chuan Guo, Wei-Lun Chao, Kilian Q. Weinberger, "A New Defense Against Adversarial Images: Turning a Weakness into a Strength", arxiv:1910.07629
• Yuan Zang, Chenghao Yang, Fanchao Qi, Zhiyuan Liu, Meng Zhang, Qun Liu, Maosong Sun, "Open the Boxes of Words: Incorporating Sememes into Textual Adversarial Attack", arxiv:1910.12196
• Runtian Zhai, Tianle Cai, Di He, Chen Dan, Kun He, John Hopcroft, Liwei Wang, "Adversarially Robust Generalization Just Requires More Unlabeled Data", arxiv:1906.00555
• Jiliang Zhang, Chen Li, "Adversarial Examples: Opportunities and Challenges", arxiv:1809.04790 [Review paper]
• Pu Zhao, Sijia Liu, Pin-Yu Chen, Nghia Hoang, Kaidi Xu, Bhavya Kailkhura, Xue Lin, "On the Design of Black-box Adversarial Examples by Leveraging Gradient-free Optimization and Operator Splitting Method", arxiv:1907.11684