Step 2: Finding adversarial examples

PreviousStep 1: Understanding adversarial examples NextStep 3: Defending against adversarial examples

Last updated 3 years ago

Step 2: Finding adversarial examples

We will now define adversarial examples more rigorously . Let’s take a model F with parameters theta, which has been trained correctly. The model can thus correctly assign the sample x to its label y:

F_{\theta}(x)=y.

The aim of the attacker will be to find a small noise vector $\delta$ to add to the input x in order to fool the model:

\delta \text{ s.t. } F_{\theta}(x +\delta)\neq y, \text{ where } ||\delta||_\infty \leq \epsilon.

Good adversarial examples are essential to increasing the robustness of the system, as we will further explore in the following session. In order to find adversarial examples, we will have to solve this maximisation problem. This is still an open issue in research, and . We will focus here on two standard algorithms in the literature: and . These methods frame the issue of finding adversarial examples as a , where:

The goal of the training will be to find the parameters $\theta$ that minimize the loss: $\min_\theta Loss(F(x;\theta),y)$ .
The goal of the attacker will be to find that maximises the loss: $\max_{\delta} Loss(F(x+\delta;\theta),y) \text{ with }||\delta||_{\infty}\leq\epsilon.$

There are different methods that have been proposed to maximise the loss:

FGSM perturbs each input by a small amount in the direction of the gradient: $\delta=\epsilon \cdot sign(\nabla_x Loss(F(x;\theta), y)).$
PGD has a similar approach, but it takes iterative steps in the direction of the gradient. As such, It finds the noise $\delta$ by repeating: $\delta_{t+1}=clip_{(-\epsilon, \epsilon)}(\delta_t+\alpha \cdot sign(\nabla_xLoss(F(x;\theta),y))).$

You can find a practical example of how to apply PGD in our notebook, which can be visualized , or downloaded as the following file:

PreviousStep 1: Understanding adversarial examples NextStep 3: Defending against adversarial examples

Last updated 3 years ago

F_{\theta}(x)=y.

The aim of the attacker will be to find a small noise vector $\delta$ to add to the input x in order to fool the model:

\delta \text{ s.t. } F_{\theta}(x +\delta)\neq y, \text{ where } ||\delta||_\infty \leq \epsilon.

The goal of the training will be to find the parameters $\theta$ that minimize the loss: $\min_\theta Loss(F(x;\theta),y)$ .
The goal of the attacker will be to find that maximises the loss: $\max_{\delta} Loss(F(x+\delta;\theta),y) \text{ with }||\delta||_{\infty}\leq\epsilon.$

There are different methods that have been proposed to maximise the loss:

FGSM perturbs each input by a small amount in the direction of the gradient: $\delta=\epsilon \cdot sign(\nabla_x Loss(F(x;\theta), y)).$
PGD has a similar approach, but it takes iterative steps in the direction of the gradient. As such, It finds the noise $\delta$ by repeating: $\delta_{t+1}=clip_{(-\epsilon, \epsilon)}(\delta_t+\alpha \cdot sign(\nabla_xLoss(F(x;\theta),y))).$

You can find a practical example of how to apply PGD in our notebook, which can be visualized , or downloaded as the following file: