Adversarial Attacks and Defences Competition

  • Alexey Kurakin
  • Ian Goodfellow
  • Samy Bengio
  • Yinpeng Dong
  • Fangzhou Liao
  • Ming Liang
  • Tianyu Pang
  • Jun Zhu
  • Xiaolin Hu
  • Cihang Xie
  • Jianyu Wang
  • Zhishuai Zhang
  • Zhou Ren
  • Alan Yuille
  • Sangxia Huang
  • Yao Zhao
  • Yuzhe Zhao
  • Zhonglin Han
  • Junjiajia Long
  • Yerkebulan Berdibekov
  • Takuya Akiba
  • Seiya Tokui
  • Motoki Abe
Conference paper
Part of The Springer Series on Challenges in Machine Learning book series (SSCML)

Abstract

To accelerate research on adversarial examples and robustness of machine learning classifiers, Google Brain organized a NIPS 2017 competition that encouraged researchers to develop new methods to generate adversarial examples as well as to develop new ways to defend against them. In this chapter, we describe the structure and organization of the competition and the solutions developed by several of the top-placing teams.
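
The attack methods developed in the competition build on gradient-based perturbations of the input. As an illustrative sketch only (the toy linear softmax classifier, its random weights, and the epsilon value below are assumptions for this example, not models or settings used in the competition), the snippet applies the fast gradient sign method (FGSM) of Goodfellow et al. (2014), the baseline attack that many submitted attacks extend:

```python
# Hedged sketch of FGSM on a toy linear softmax classifier (placeholder model,
# not a competition model): perturb the input in the direction of the sign of
# the loss gradient, subject to an L-infinity budget.
import numpy as np

rng = np.random.default_rng(0)
num_classes, dim = 10, 32 * 32                       # toy "image" flattened to a vector
W = rng.normal(scale=0.1, size=(dim, num_classes))   # placeholder classifier weights
b = np.zeros(num_classes)

def softmax(z):
    z = z - z.max()
    e = np.exp(z)
    return e / e.sum()

def loss_grad_wrt_input(x, y):
    """Gradient of the cross-entropy loss w.r.t. the input x for a linear softmax model."""
    p = softmax(W.T @ x + b)
    one_hot = np.eye(num_classes)[y]
    return W @ (p - one_hot)                          # dL/dx

x = rng.uniform(0.0, 1.0, size=dim)                   # clean example with values in [0, 1]
y = 3                                                 # its true label
eps = 16.0 / 255.0                                    # illustrative L-infinity budget

x_adv = np.clip(x + eps * np.sign(loss_grad_wrt_input(x, y)), 0.0, 1.0)
print("max perturbation:", np.abs(x_adv - x).max())
```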

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Alexey Kurakin (1)
  • Ian Goodfellow (1)
  • Samy Bengio (1)
  • Yinpeng Dong (2)
  • Fangzhou Liao (2)
  • Ming Liang (2)
  • Tianyu Pang (2)
  • Jun Zhu (2)
  • Xiaolin Hu (2)
  • Cihang Xie (3)
  • Jianyu Wang (4)
  • Zhishuai Zhang (3)
  • Zhou Ren (5)
  • Alan Yuille (3)
  • Sangxia Huang (6)
  • Yao Zhao (7)
  • Yuzhe Zhao (8)
  • Zhonglin Han (9)
  • Junjiajia Long (10)
  • Yerkebulan Berdibekov (11)
  • Takuya Akiba (12)
  • Seiya Tokui (12)
  • Motoki Abe (12)
  1. Google Brain, Mountain View, USA
  2. Department of Computer Science and Technology, Tsinghua University, Beijing, China
  3. Department of Computer Science, The Johns Hopkins University, Baltimore, USA
  4. Baidu Research, Sunnyvale, USA
  5. Snap Inc., Los Angeles, USA
  6. Sony Mobile Communications, Lund, Sweden
  7. Microsoft Corporation, Redmond, USA
  8. Department of Computer Science, Yale University, New Haven, USA
  9. Smule Inc., San Francisco, USA
  10. Department of Physics, Yale University, New Haven, USA
  11. Independent Scholar, Almaty, Kazakhstan
  12. Preferred Networks, Inc., Tokyo, Japan
