Deep neural networks are facing a potential security threat from adversarial
examples, inputs that look normal but cause an incorrect classification by the
deep neural network. For example, the proposed threat could result in
hand-written digits on a scanned check being incorrectly classified but looking
normal when humans see them. This research assesses the extent to which
adversarial examples pose a security threat, when one considers the normal
image acquisition process. This process is mimicked by simulating the
transformations that normally occur in acquiring the image in a real world
application, such as using a scanner to acquire digits for a check amount or
using a camera in an autonomous car. These small transformations negate the
effect of the carefully crafted perturbations of adversarial examples,
resulting in a correct classification by the deep neural network. Thus just
acquiring the image decreases the potential impact of the proposed security
threat. We also show that the already widely used process of averaging over
multiple crops neutralizes most adversarial examples. Normal preprocessing,
such as text binarization, almost completely neutralizes adversarial examples.
This is the first paper to show that for text driven classification,
adversarial examples are an academic curiosity, not a security threat.

研究深度神经网络面临的潜在安全威胁 —— 对抗性样本，这些输入看起来很正常，但会导致深度神经网络错误分类；发现通过正常的图像获取进程实现的小扰动可以消除对抗性样本造成的影响，从而抵消了潜在威胁。同时，已经广泛使用的多次裁剪平均处理和正常预处理也可以在很大程度上消除对抗性样本。因此，该研究认为在文本分类中，对抗性样本仅仅是学术上的好奇现象，而非安全威胁。