Generating Adversarial Examples With Distance Constrained Adversarial Imitation Networks

Abstract

Recent studies have shown that neural networks are vulnerable to adversarial examples that are designed by adding small perturbations to clean examples in order to trick the classifier to misclassify. Various approaches based on optimization have been proposed for generating adversarial examples with minimal perturbation. Model training based methods such as Adversarial Transformation Network (ATN) provide a fundamentally new way to directly transform an input into an adversarial example, which promises fast generation of adversarial examples. However, the adversarial examples may have suboptimal quality with significantly large perturbations or low attack success rate at small perturbations. In this article, we propose a distance constrained <bold xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">A</b> dversarial <bold xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">I</b> mitation <bold xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">N</b> etwork ( <bold xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">AIN</b> ), which enhances ATN and is capable of generating both targeted and untargeted examples with an explicit distance constraint. AIN can not only generate large scale adversarial examples efficiently as achieved in ATN, but also imitate the behavior of state-of-the-art optimization-based methods, hence achieving improved quality. Extensive experiments show that AIN significantly outperforms ATN and other Generative Adversarial Networks (GAN) based methods in the quality of generated adversarial examples, and is much more efficient than optimization based methods while achieving comparable quality.