This blog post mainly introduces Adversarial Attack.

Motivation

example of attack

Add noise to the matrix of photos （attacked image）


The two photos are different

How to attack

There are many ways to calculate the distance between pictures
among $d(x^0,x)$need to consider human perception.

attack approach

white box v.s. black box

Black box attack in non-targeted It's easier to succeed
Some people think ,data It's the cause of adversarial attack The culprit of .
Other types of data may also be attack

attack in the physical world

License plate recognition system ：

adversarial reprogramming

“backdoor” in model

It's possible to add... To the training materials attack

Defense

passive defense

Slightly blurred , that will do defense,attack The signal of success is special , It could be some kind of... In one direction .

But when the fuzziness is serious , It may also produce some kind of side effect

Another kind defense Approach is to randomization

proactive defense