In recent years, deep neural network approaches have been widely adopted for
machine learning tasks, including classification. However, they were shown to
be vulnerable to adversarial perturbations: carefully crafted small
perturbations can cause misclassification of legitimate images. We propose
Defense-GAN, a new framework leveraging the expressive capability of generative
models to defend deep neural networks against such attacks. Defense-GAN is
trained to model the distribution of unperturbed images. At inference time, it
finds a close output to a given image which does not contain the adversarial
changes. This output is then fed to the classifier. Our proposed method can be
used with any classification model and does not modify the classifier structure
or training procedure. It can also be used as a defense against any attack as
it does not assume knowledge of the process for generating the adversarial
examples. We empirically show that Defense-GAN is consistently effective
against different attack methods and improves on existing defense strategies.
Our code has been made publicly available at
this https URL

Defense-GAN 使用生成模型来抵御深度神经网络受到的对抗性攻击，并不需要修改分类器结构或者训练过程，可以适用于任何分类模型，并且不需要了解生成对抗性示例的过程。在不同的攻击方法下，实验证明 Defense-GAN 对抗性攻击防御策略具有一致的有效性，并可以提高现有的防御策略。

Defense-GAN: 使用生成模型保护分类器免受对抗攻击

Defense-GAN: Protecting Classifiers Against Adversarial Attacks Using  Generative Models

We propose a new type of attack for finding adversarial examples for image
classifiers. Our method exploits spanners, i.e. deep neural networks whose
input space is low-dimensional and whose output range approximates the set of
images of interest. Spanners may be generators of GANs or decoders of VAEs. The
key idea in our attack is to search over latent code pairs to find ones that
generate nearby images with different classifier outputs. We argue that our
attack is stronger than searching over perturbations of real images. Moreover,
we show that our stronger attack can be used to reduce the accuracy of
Defense-GAN to 3\%, resolving an open problem from the well-known paper by
Athalye et al. We combine our attack with normal adversarial training to obtain
the most robust known MNIST classifier, significantly improving the state of
the art against PGD attacks. Our formulation involves solving a min-max
problem, where the min player sets the parameters of the classifier and the max
player is running our attack, and is thus searching for adversarial examples in
the {\em low-dimensional} input space of the spanner.
All code and models are available at
https://github.com/ajiljalal/manifold-defense.git

本文提出了一种利用 spanners 的新型攻击方法，通过搜索潜在的编码对，寻找生成在不同分类器输出下具有相似图像的对立范例，从而比传统扰动真实图像的攻击更具优势，在实验中，该攻击成功将 Defense-GAN 的准确率降至 3％，而且该技术与普通的对抗训练相结合，可以获得现有最强的 MNIST 分类器。