Please enable JavaScript.

Coggle requires JavaScript to display documents.

Adversarial Examples Attacks and Defenses for Deep Learning (Proposed…

- - - - Equation
      - Disadvantage
        
        Time-consuming
        
        Impractical
      - Overview
        
        First introduced adversarial examples against DNN in 2014. Based optimization problem.
    - - Overview
        
        Use evolutionary algorithm to produce adversarial examples that is unrecognizable to human but very high confidence in DNN
      - Variant
        
        Direct encoding
        
        Indirect encoding
    - - Overview
        
        Targeted attack to defeat Defensive distillation.
        Optimization based problem
      - Advantage
        
        Effective for most existing adversarial detecting defenses
    - - Overview
        
        Black-box attack adversarial sample generation.
        Based on optimization problem
      - Advantage
        
        No need to access victim deep learning models (black-box attack)
      - Disadvantage
        
        Expensive computation to query and estimate the gradients
    - - Overview
        
        Generate perturbation that can be used for universal attack. Using deepfool algorithm for each iteration again each input data and update the perturbation to the total perturbation
      - Advantage
        
        One perturbation that can be used to full all images
      - Equation
    - - Overview
        
        Generate adversarial example by only modifying one pixel.
        Optimize the problem using using DE (differential evolution)
      - Advantage
        
        Only one pixel modified
      - Equation
    - - Overview
        
        Targeted attack by minimizing the distance of representation of internal neural network. Use constraint perturbation
      - Advantage
        
        adversarial images are more natural and closer to the targeted images in the internal layer
      - Equation
    - - Overview
        
        Find multiple adversarial examples for every single input.
        Introduced PASS metric for perturbation calculation
      - Equation
      - Advantage
        
        introduced novel perturbation measurement -> PASS
        
        Capable of generating large numbers of diverse adversarial images
    - - Overview
        
        Transferable adversarial examples to attack a black-box model.
      - Equation
      - Advantage
        
        Transferable
        
        Enhanced the power of adversarial example for black-box attack
  - - - Equation
      - Advantage
        
        Fast
        
        Robust to phototransformation
      - Disadvantage
        
        Easy to defend
      - Overview
        
        One step gradient update along the direction of sign of the gradient at each pixel.
    - - Overview
        
        replace the sign of gradient with the raw gradient
      - Equation
      - Advantage
        
        No constraints on each pixel
        
        can generate image with larger local different
    - - Overview
        
        applied momentum and iterative to FGSM
      - Equation
      - Advantage
        
        Increased the effectiveness of attack
        
        improved transferability
    - - Overview
        
        Extend FGSM by running finer optimization for multiple iterations and support targeted attack FGSM
      - Equations
        
        Equation
      - Advantage
        
        Avoid large change on each pixel
        
        Limit the change of generated adversarial image in each iteration
      - Disdvantage
        
        Can't resist photo transformation
    - - Overview
        
        FGSM with adversarial training and adding random when updating the adversarial examples to defeat adversarial training
      - Equations
      - Advantage
        
        Defeat adversarial training
    - - Overview
        
        An efficient saliency adversarial map.
        Compute Jacobian matrix of given sample x
      - Advantage
        
        Small perturbation can successfully induce large output variation
      - Disadvantage
        
        Runs very slow (significant computational cost)
      - Equation
    - - Overview
        
        Compute closest distance from the original input to the decision boundary of adversarial examples
      - Advantage
        
        Provided less perturbation compared to FGSM and JSMA
        
        Reduced the intensity of perturbation
      - Equations
  - - - Overview
        
        Generate more natural adversarial example (rather than randomly) using GANs
      - Advantage
        
        More natural adversarial examples
      - Equation
- - - - L-2
        
        Measures the Euclidean distance between the adversarial example and original sample
      - L-inf
        
        Denotes maximum change for all pixels in adversarial example
      - L-0
        
        Counts the number of pixels changed in adversarial example