Recent works have demonstrated the existence of {\it adversarial examples} targeting a single machine learning system. In this paper we ask a simple but fundamental question of "selective fooling": given {\it multiple} machine learning systems assigned to solve the same classification problem and taking the same input signal, is it possible to construct a perturbation to the input signal that manipulates the outputs of these {\it multiple} machine learning systems {\it simultaneously} in arbitrary pre-defined ways? For example, is it possible to selectively fool a set of "enemy" machine learning systems but does not fool the other "friend" machine learning systems? The answer to this question depends on the extent to which these different machine learning systems "think alike". We formulate the problem of "selective fooling" as a novel optimization problem, and report on a series of experiments on the MNIST dataset. Our preliminary findings from these experiments show that it is in fact very easy to selectively manipulate multiple MNIST classifiers simultaneously, even when the classifiers are identical in their architectures, training algorithms and training datasets except for random initialization during training. This suggests that two nominally equivalent machine learning systems do not in fact "think alike" at all, and opens the possibility for many novel applications and deeper understandings of the working principles of deep neural networks.

该研究探讨了给定多个相同机器学习系统的情况下，是否可以利用一种扰动方式来同时改变这些系统的输出结果以达到预定的目的，并给出了一种新的优化问题的解决方案，证明了在MNIST数据集上可以简单地实现对多个MNIST分类器的同时操纵， 这表明两个名义上等价的机器学习系统实际上并没有相似的思考方式，为深入理解深度神经网络的工作原理和许多新的应用打开了可能性。

深度思维是否会相似？选择性对多个深度神经网络进行细粒度操纵的对抗攻击