TY - JOUR
T1 - A general framework for adversarial examples with objectives
AU - Sharif, Mahmood
AU - Bhagavatula, Sruti
AU - Bauer, Lujo
AU - Reiter, Michael K.
N1 - Funding Information:
This work was supported in part by the Multidisciplinary University Research Initiative (MURI) Cyber Deception grant; by NSF grants 1801391 and 1801494; by the National Security Agency under Award No. H9823018D0008; by gifts from Google and Nvidia, and from Lockheed Martin and NATO through Carnegie Mellon CyLab; and by a CyLab Presidential Fellowship and a Symantec Research Labs Fellowship. Authors’ addresses: M. Sharif, S. Bhagavatula, and L. Bauer, Carnegie Mellon University, Collaborative Innovation Center, 4720 Forbes Ave., Pittsburgh, PA, 15213, USA; emails: {mahmoods, srutib, lbauer}@cmu.edu; M. K. Reiter, University of North Carolina at Chapel Hill, Chapel Hill, Sitterson Hall, 201 S. Columbia St., Chapel Hill, North Carolina, 27599, USA; email: reiter@cs.unc.edu. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s). © 2019 Copyright held by the owner/author(s). 2471-2566/2019/06-ART16 https://doi.org/10.1145/3317611
Publisher Copyright:
© 2019 Copyright held by the owner/author(s).
PY - 2019/6/10
Y1 - 2019/6/10
N2 - Images perturbed subtly to be misclassified by neural networks, called adversarial examples, have emerged as a technically deep challenge and an important concern for several application domains. Most research on adversarial examples takes as its only constraint that the perturbed images are similar to the originals. However, real-world application of these ideas often requires the examples to satisfy additional objectives, which are typically enforced through custom modifications of the perturbation process. In this article, we propose adversarial generative nets (AGNs), a general methodology to train a generator neural network to emit adversarial examples satisfying desired objectives. We demonstrate the ability of AGNs to accommodate a wide range of objectives, including imprecise ones difficult to model, in two application domains. In particular, we demonstrate physical adversarial examples—eyeglass frames designed to fool face recognition—with better robustness, inconspicuousness, and scalability than previous approaches, as well as a new attack to fool a handwritten-digit classifier.
AB - Images perturbed subtly to be misclassified by neural networks, called adversarial examples, have emerged as a technically deep challenge and an important concern for several application domains. Most research on adversarial examples takes as its only constraint that the perturbed images are similar to the originals. However, real-world application of these ideas often requires the examples to satisfy additional objectives, which are typically enforced through custom modifications of the perturbation process. In this article, we propose adversarial generative nets (AGNs), a general methodology to train a generator neural network to emit adversarial examples satisfying desired objectives. We demonstrate the ability of AGNs to accommodate a wide range of objectives, including imprecise ones difficult to model, in two application domains. In particular, we demonstrate physical adversarial examples—eyeglass frames designed to fool face recognition—with better robustness, inconspicuousness, and scalability than previous approaches, as well as a new attack to fool a handwritten-digit classifier.
KW - Adversarial examples
KW - Face recognition
KW - Machine learning
KW - Neural networks
UR - http://www.scopus.com/inward/record.url?scp=85069523656&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85069523656&partnerID=8YFLogxK
U2 - 10.1145/3317611
DO - 10.1145/3317611
M3 - Article
AN - SCOPUS:85069523656
SN - 2471-2566
VL - 22
JO - ACM Transactions on Privacy and Security
JF - ACM Transactions on Privacy and Security
IS - 3
M1 - 16
ER -