Recent works found that deep neural networks (DNNs) can be fooled by adversarial examples, which are crafted by adding adversarial noise on clean inputs. The accuracy of DNNs on adversarial examples will decrease as the magnitude of the adversarial noise increase. In this study, we show that DNNs can be also fooled when the noise is very small under certain circumstances. This new type of attack is called Amplification Trojan Attack (ATAttack). Specifically, we use a trojan network to transform the inputs before sending them to the target DNN. This trojan network serves as an amplifier to amplify the inherent weakness of the target DNN. The target DNN, which is infected by the trojan network, performs normally on clean data while being more vulnerable to adversarial examples. Since it only transforms the inputs, the trojan network can hide in DNN-based pipelines, e.g. by infecting the pre-processing procedure of the inputs before sending them to the DNNs. This new type of threat should be considered in developing safe DNNs.

本研究发现，在特定情况下，当对干净数据添加非常小的噪音时（被称为放大特洛伊攻击），也能够欺骗深度神经网络的分类器。我们使用特洛伊网络作为放大器，以放大目标 DNN 的固有弱点，对干净数据产生了不可感知的影响，从而使目标 DNN 更脆弱于对抗性的样本，这种新的威胁应该在开发安全 DNNs 时加以考虑。

放大特洛伊网络：通过放大神经网络固有的弱点来进行攻击