A general framework for adversarial examples with objectives

Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, Michael K. Reiter

Research output: Contribution to journalArticlepeer-review

102 Scopus citations

Abstract

Images perturbed subtly to be misclassified by neural networks, called adversarial examples, have emerged as a technically deep challenge and an important concern for several application domains. Most research on adversarial examples takes as its only constraint that the perturbed images are similar to the originals. However, real-world application of these ideas often requires the examples to satisfy additional objectives, which are typically enforced through custom modifications of the perturbation process. In this article, we propose adversarial generative nets (AGNs), a general methodology to train a generator neural network to emit adversarial examples satisfying desired objectives. We demonstrate the ability of AGNs to accommodate a wide range of objectives, including imprecise ones difficult to model, in two application domains. In particular, we demonstrate physical adversarial examples—eyeglass frames designed to fool face recognition—with better robustness, inconspicuousness, and scalability than previous approaches, as well as a new attack to fool a handwritten-digit classifier.

Original languageEnglish (US)
Article number16
JournalACM Transactions on Privacy and Security
Volume22
Issue number3
DOIs
StatePublished - Jun 10 2019

Funding

This work was supported in part by the Multidisciplinary University Research Initiative (MURI) Cyber Deception grant; by NSF grants 1801391 and 1801494; by the National Security Agency under Award No. H9823018D0008; by gifts from Google and Nvidia, and from Lockheed Martin and NATO through Carnegie Mellon CyLab; and by a CyLab Presidential Fellowship and a Symantec Research Labs Fellowship. Authors’ addresses: M. Sharif, S. Bhagavatula, and L. Bauer, Carnegie Mellon University, Collaborative Innovation Center, 4720 Forbes Ave., Pittsburgh, PA, 15213, USA; emails: {mahmoods, srutib, lbauer}@cmu.edu; M. K. Reiter, University of North Carolina at Chapel Hill, Chapel Hill, Sitterson Hall, 201 S. Columbia St., Chapel Hill, North Carolina, 27599, USA; email: [email protected]. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s). © 2019 Copyright held by the owner/author(s). 2471-2566/2019/06-ART16 https://doi.org/10.1145/ 3317611

Keywords

  • Adversarial examples
  • Face recognition
  • Machine learning
  • Neural networks

ASJC Scopus subject areas

  • General Computer Science
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of 'A general framework for adversarial examples with objectives'. Together they form a unique fingerprint.

Cite this