Deep neural networks are demonstrating excellent performance on several classical vision problems. However, these networks are vulnerable to adversarial examples, minutely modified images that induce arbitrary attacker-chosen output from the network. We propose a mechanism to protect against these adversarial inputs based on a generative model of the data. We introduce a pre-processing step that projects on the range of a generative model using gradient descent before feeding an input into a classifier. We show that this step provides the classifier with robustness against first-order, substitute model, and combined adversarial attacks. Using a min-max formulation, we show that there may exist adversarial examples even in the range of the generator, natural-looking images extremely close to the decision boundary for which the classifier has unjustifiedly high confidence. We show that adversarial training on the generative manifold can be used to make a classifier that is robust to these attacks. Finally, we show how our method can be applied even without a pre-trained generative model using a recent method called the deep image prior. We evaluate our method on MNIST, CelebA and Imagenet and show robustness against the current state of the art attacks.

本文提出了一种利用 spanners 的新型攻击方法，通过搜索潜在的编码对，寻找生成在不同分类器输出下具有相似图像的对立范例，从而比传统扰动真实图像的攻击更具优势，在实验中，该攻击成功将 Defense-GAN 的准确率降至 3％，而且该技术与普通的对抗训练相结合，可以获得现有最强的 MNIST 分类器。

鲁棒流形防御：使用生成模型进行对抗训练