Adversarial Examples in Constrained Domains
- URL: http://arxiv.org/abs/2011.01183v3
- Date: Fri, 9 Sep 2022 17:00:28 GMT
- Title: Adversarial Examples in Constrained Domains
- Authors: Ryan Sheatsley, Nicolas Papernot, Michael Weisman, Gunjan Verma,
Patrick McDaniel
- Abstract summary: We investigate whether constrained domains are less vulnerable than unconstrained domains to adversarial example generation algorithms.
Our approaches generate misclassification rates in constrained domains that were comparable to those of unconstrained domains.
Our investigation shows that the narrow attack surface exposed by constrained domains is still sufficiently large to craft successful adversarial examples.
- Score: 29.137629314003423
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Machine learning algorithms have been shown to be vulnerable to adversarial
manipulation through systematic modification of inputs (e.g., adversarial
examples) in domains such as image recognition. Under the default threat model,
the adversary exploits the unconstrained nature of images; each feature (pixel)
is fully under control of the adversary. However, it is not clear how these
attacks translate to constrained domains that limit which and how features can
be modified by the adversary (e.g., network intrusion detection). In this
paper, we explore whether constrained domains are less vulnerable than
unconstrained domains to adversarial example generation algorithms. We create
an algorithm for generating adversarial sketches: targeted universal
perturbation vectors which encode feature saliency within the envelope of
domain constraints. To assess how these algorithms perform, we evaluate them in
constrained (e.g., network intrusion detection) and unconstrained (e.g., image
recognition) domains. The results demonstrate that our approaches generate
misclassification rates in constrained domains that were comparable to those of
unconstrained domains (greater than 95%). Our investigation shows that the
narrow attack surface exposed by constrained domains is still sufficiently
large to craft successful adversarial examples; and thus, constraints do not
appear to make a domain robust. Indeed, with as little as five randomly
selected features, one can still generate adversarial examples.
Related papers
- Uncertainty-based Detection of Adversarial Attacks in Semantic Segmentation [16.109860499330562]
  We introduce an uncertainty-based approach for the detection of adversarial attacks in semantic segmentation.
  We demonstrate the ability of our approach to detect perturbed images across multiple types of adversarial attacks.
  arXiv Detail & Related papers (2023-05-22T08:36:35Z)
- Quantifying and Understanding Adversarial Examples in Discrete Input Spaces [70.18815080530801]
  We formalize a notion of synonymous adversarial examples that applies in any discrete setting and describe a simple domain-agnostic algorithm to construct such examples.
  Our work is a step towards a domain-agnostic treatment of discrete adversarial examples analogous to that of continuous inputs.
  arXiv Detail & Related papers (2021-12-12T16:44:09Z)
- Discriminator-Free Generative Adversarial Attack [87.71852388383242]
  Generative-based adversarial attacks can get rid of this limitation.
  A Symmetric Saliency-based Auto-Encoder (SSAE) generates the perturbations.
  The adversarial examples generated by SSAE not only make the widely-used models collapse, but also achieve good visual quality.
  arXiv Detail & Related papers (2021-07-20T01:55:21Z)
- AFAN: Augmented Feature Alignment Network for Cross-Domain Object Detection [90.18752912204778]
  Unsupervised domain adaptation for object detection is a challenging problem with many real-world applications.
  We propose a novel augmented feature alignment network (AFAN) which integrates intermediate domain image generation and domain-adversarial training.
  Our approach significantly outperforms the state-of-the-art methods on standard benchmarks for both similar and dissimilar domain adaptations.
  arXiv Detail & Related papers (2021-06-10T05:01:20Z)
- On the Robustness of Domain Constraints [0.4194295877935867]
  It is unclear if adversarial examples represent realistic inputs in the modeled domains.
  In this paper, we explore how domain constraints limit adversarial capabilities.
  We show how the learned constraints can be integrated into the adversarial crafting process.
  arXiv Detail & Related papers (2021-05-18T15:49:55Z)
- Domain Invariant Adversarial Learning [12.48728566307251]
  We present Domain Invariant Adversarial Learning (DIAL) that learns a feature representation which is both robust and domain invariant.
  We demonstrate our advantage by improving both robustness and natural accuracy compared to current state-of-the-art adversarial training methods.
  arXiv Detail & Related papers (2021-04-01T08:04:10Z)
- Learning to Separate Clusters of Adversarial Representations for Robust Adversarial Detection [50.03939695025513]
  We propose a new probabilistic adversarial detector motivated by a recently introduced non-robust feature.
  In this paper, we consider the non-robust features as a common property of adversarial examples, and we deduce it is possible to find a cluster in representation space corresponding to the property.
  This idea leads us to estimate the probability distribution of adversarial representations in a separate cluster, and to leverage the distribution for a likelihood-based adversarial detector.
  arXiv Detail & Related papers (2020-12-07T07:21:18Z)
- An Analysis of Robustness of Non-Lipschitz Networks [35.64511156980701]
  Small input perturbations can often produce large movements in the network's final-layer feature space.
  In our model, the adversary may move data an arbitrary distance in feature space but only in random low-dimensional subspaces.
  We provide theoretical guarantees for setting algorithm parameters to optimize over accuracy-abstention trade-offs using data-driven methods.
  arXiv Detail & Related papers (2020-10-13T03:56:39Z)
- Gradually Vanishing Bridge for Adversarial Domain Adaptation [156.46378041408192]
  We equip adversarial domain adaptation with the Gradually Vanishing Bridge (GVB) mechanism on both generator and discriminator.
  On the generator, GVB could not only reduce the overall transfer difficulty, but also reduce the influence of the residual domain-specific characteristics.
  On the discriminator, GVB contributes to enhancing the discriminating ability and balancing the adversarial training process.
  arXiv Detail & Related papers (2020-03-30T01:36:13Z)
- CrDoCo: Pixel-level Domain Transfer with Cross-Domain Consistency [119.45667331836583]
  Unsupervised domain adaptation algorithms aim to transfer the knowledge learned from one domain to another.
  We present a novel pixel-wise adversarial domain adaptation algorithm.
  arXiv Detail & Related papers (2020-01-09T19:00:35Z)
This list is automatically generated from the titles and abstracts of the papers in this site.