Paper Review: Adversarial Examples

1. One pixel attack for fooling deep neural networks

• Motivation:
  - Generating adversarial images can be formalized as an optimization problem with constraints. We assume an input image can be represented by a vector in which each scalar element represents one pixel. Let $f$f be the target image clas- sifier which receives n-dimensional inputs
  - Let $f$f be the target image classifier which receives n-dimensional inputs, $\mathbf{x}=(x_1,...,x_n)$x=(x1​,...,xn​) be the original natural image correctly classified as class $t$t.
  - The probability of $\mathbf{x}$x belonging to the class t is therefore $f_t(\mathbf{x})$ft​(x).
  - The vector $e(\mathbf{x})=(e_1,...,e_n)$e(x)=(e1​,...,en​) is an additive adver- sarial perturbation according to $\mathbf{x}$x, the target class $adv$adv and the limitation of maximum modification $L$L.
  - Note that $L$L is always measured by the length of vector $e(\mathbf{x})$e(x).
  - The goal of adversaries in the case of targeted attacks is to find the optimized solution $e(\mathbf{x})^*$e(x)∗ for the following question:
  

• (a) which dimensions that need to be perturbed
• (b) the correspond- ing strength of the modification for each dimension

- In our approach, the equation is slightly different:

• In the case of one-piexl attack $d=1$d=1.
• Previous works commonly modify a part of all dimensions while in our approach only d dimensions are modified with the other dimensions of $e(\mathbf{x})$e(x) left to zeros.
• Do the experiment on three different networks for classification (All Convolution Network, Network in Network, VGG16 Network)

• Some results for CIFAR-10 classification