利用具可適性之生成對抗網路客製化對抗例生成器

Abstract

對抗例(adversarial examples) 指的是那些為了使神經網絡錯誤分類而特製的資料。當我們討論創造這些對抗例的方法時，我們通常會聯想到基於擾動的方法─ 在正常的資料上添加不可見的擾動來製造對抗例。對人類來說，由擾動法產生的對抗例將完全保留其原本資料的視覺外觀，從而使人類分不出和正常資料的差異，但DNN 模型會將兩者視為完全不同的外觀，從而產生誤導性的預測。然而，在本文中，我們認為只依賴這個將現有資料轉化成對抗例的架構會限制對抗例的多樣性。我們提出了一個基於非擾動的框架，該框架以基於條件約束生成對抗網絡的生成模型直接生成對抗例。因此，生成的對抗例不會與任何現有的資料有外觀上的相似性，從而擴大了對抗例的多樣性，增加了防禦對抗例的難度。並且，我們將這個框架擴展到預先訓練的條件約束生成對抗網絡模型，其中，我們能將現有的普通生成模型經過些微的訓練後，轉變成一個專門生成對抗例的「對抗例生成模型」。我們針對MNIST 和CIFAR10 資料集進行了實驗，結果令人滿意，表明這種方法可做為先前對抗例製造策略的替代方案。

Adversarial examples are malicious data designed with the intention of causing misbehavior of neural networks. Typically, these examples are featured in terms of similar physical appearance to normal images, yet discrepancy in the prediction result when similar normal image and adversarial example are evaluated by the same DNN model. To create such examples, current methods rely mainly on techniques that overlay invisible perturbations onto normal images. The resulting adversarial examples therefore resemble the original images, but with different output in DNN’s result. In this work, however, we consider crafting adversarial examples from existing data as a limitation to example diversity. We propose a non-perturbation-based framework that generates native adversarial examples from class-conditional generative adversarial networks. As such, the generated data will not resemble any existing data and thus expand example diversity, raising the difficulty in adversarial defense. We then extend this framework to pre-trained conditional GANs, in which we turn an existing generator into an ”adversarial-example generator”. We conduct experiments on our approach for MNIST and CIFAR10 datasets and have satisfactory results, showing that this approach can be a potential alternative to previous attack strategies.