EAD: Elastic-Net Attacks to Deep Neural Networks via Adversarial Examples
Pin-Yu Chen, Yash Sharma, Huan Zhang, Jinfeng Yi, Cho-Jui Hsieh
Code
- github.com/ysharma1126/EAD-Attack (official, in paper; TensorFlow)
- github.com/BorealisAI/advertorch/blob/master/advertorch/attacks/ead.py (PyTorch)
- github.com/cleverhans-lab/cleverhans/blob/master/cleverhans_v3.1.0/cleverhans/attacks/elastic_net_method.py (TensorFlow)
- github.com/Trusted-AI/adversarial-robustness-toolbox/blob/main/art/attacks/evasion/elastic_net.py (PyTorch)
- github.com/IBM/EAD-Attack (TensorFlow)
- github.com/bethgelab/foolbox/blob/master/foolbox/attacks/ead.py (JAX)
Abstract
Recent studies have highlighted the vulnerability of deep neural networks (DNNs) to adversarial examples: a visually indistinguishable adversarial image can easily be crafted to cause a well-trained model to misclassify. Existing methods for crafting adversarial examples are based on L_2 and L_∞ distortion metrics. However, despite the fact that L_1 distortion accounts for the total variation and encourages sparsity in the perturbation, little has been developed for crafting L_1-based adversarial examples. In this paper, we formulate the process of attacking DNNs via adversarial examples as an elastic-net regularized optimization problem. Our elastic-net attacks to DNNs (EAD) feature L_1-oriented adversarial examples and include the state-of-the-art L_2 attack as a special case. Experimental results on MNIST, CIFAR10 and ImageNet show that EAD can yield a distinct set of adversarial examples with small L_1 distortion and attains attack performance similar to the state-of-the-art methods in different attack scenarios. More importantly, EAD leads to improved attack transferability and complements adversarial training for DNNs, suggesting novel insights on leveraging L_1 distortion in adversarial machine learning and the security implications of DNNs.
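To make the elastic-net formulation concrete, the sketch below writes out an objective of the form c·f(x) + β·‖x − x₀‖₁ + ‖x − x₀‖₂², where f is a Carlini-Wagner-style targeted attack loss, together with a projected shrinkage-thresholding step of the kind used to handle the L_1 term via ISTA-style iterations. This is a minimal illustrative NumPy sketch, not the paper's implementation; all function and variable names here are assumptions chosen for clarity.

```python
import numpy as np

def ead_objective(x_adv, x_orig, logits, target, c=1.0, beta=0.01, kappa=0.0):
    """Elastic-net regularized attack objective (illustrative sketch):
    c * f(x_adv) + beta * ||x_adv - x_orig||_1 + ||x_adv - x_orig||_2^2,
    with f the targeted Carlini-Wagner hinge loss on the logits."""
    delta = x_adv - x_orig
    # f: drive the target-class logit above the largest non-target logit,
    # with confidence margin kappa.
    target_logit = logits[target]
    other_max = np.max(np.delete(logits, target))
    f = max(other_max - target_logit, -kappa)
    l1 = np.abs(delta).sum()
    l2_sq = (delta ** 2).sum()
    return c * f + beta * l1 + l2_sq

def shrink_project(z, x_orig, beta):
    """Element-wise shrinkage-thresholding toward the original image,
    clipped to the valid pixel range [0, 1] (ISTA-style proximal step
    for the beta * L1 term; a sketch, not the authors' exact code)."""
    diff = z - x_orig
    out = np.where(diff > beta, np.minimum(z - beta, 1.0),
          np.where(diff < -beta, np.maximum(z + beta, 0.0), x_orig))
    return out
```

Setting beta = 0 removes the L_1 term, which is how the formulation recovers an L_2-style attack as a special case.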