├── 2013 └── Evasion_attacks_against_machine_learning_at_test_time.md ├── 2014 ├── Intriguing_properties_of_neural_networks.md ├── Rich_feature_hierarchies_for_accurate_object_detection_and_semantic_segmentation.md └── Towards_deep_neural_network_architectures_robust_to_adversarial_examples.md ├── 2015 └── Explaining_and_Harnessing_Adversarial_Examples.md ├── 2016 ├── Adversarial_Images_for_Variational_Autoencoders.md ├── Autoencoding_beyond_pixels_using_a_learned_similarity_metric.md ├── DeepFool.md ├── Learning_Deep_Features_for_Discriminative_Localization.md ├── Robustness_of_classifiers_from_adversarial_to_random_noise.md ├── The_limitations_of_deep_learning_in_adversarial_settings.md ├── Toward_evaluating_the_robustness_of_neural_networks.md └── Transferability_in_machine_learning.md ├── 2017 ├── A-Fast-RCNN_Hard_Positive_Generation_via_Adversary_for_Object_Detection.md ├── Adversarial_Examples_Detection_in_Deep_Networks_with_Convolutional_Filter_Statistics.md ├── Adversarial_Examples_for_Semantic_Segmentation_and_Object_Detection.md ├── Adversarial_Examples_that_Fool_Detectors.md ├── Adversarial_transformation_networks_Learning_to_generate_adversarial_examples.md ├── CVAE-GAN_Fine-Grained_Image_Generation_Through_Asymmetric_Training.md ├── Conditional_Image_Synthesis_with_Auxiliary_Classifier_GANs.md ├── Countering_Adversarial_Images_using_Input_Transformations.md ├── Delving_into_Transferable_Adversarial_Examples_and_Black-box_Attacks.md ├── Detecting_Adversarial_Samples_from_Artifacts.md ├── On_Detecting_Adversarial_Perturbations.md ├── Universal_Adversarial_Perturbations.md └── Universal_Adversarial_Perturbations_Against_Semantic_Image_Segmentation.md ├── 2018 ├── Adversarial_Logit_Pairing.md ├── Art_of_Singular_Vectors_and_Universal_Adversarial_Perturbations.md ├── Boosting_Adversarial_Attacks_With_Momentum.md ├── Characterizing_Adversarial_Examples_Based_on_Spatial_Consistency_Information_for_Semantic_Segmentation.md ├── Constructing_Unrestricted_Adversarial_Examples_with_Generative_Models.md ├── Defense-{GAN}_Protecting_Classifiers_Against_Adversarial_Attacks_Using_Generative_Models.md ├── Defense_Against_Adversarial_Attacks_Using_High_Level_Representation_Guided_Denoiser.md ├── Defense_Against_Universal_Adversarial_Perturbations.md ├── Deflecting_Adversarial_Attacks_With_Pixel_Deflection.md ├── Ensemble_Adversarial_Training_Attacks_and_Defenses.md ├── Evaluating_and_understanding_the_robustness_of_adversarial_logit_pairing.md ├── Faster_Neural_Networks_Straight_from_JPEG.md ├── Generating_Adversarial_Examples_with_Adversarial_Networks.md ├── Generating_Natural_Adversarial_Examples.md ├── Generative_Adversarial_Perturbations.md ├── Learning_Universal_Adversarial_Perturbations_with_Generative_Models.md ├── Machine_Learning_with_Membership_Privacy_Using_Adversarial_Regularization.md ├── Multi_Scale_Dense_Networks_for_Resource_Efficient_Image_Classification.md ├── Obfuscated_Gradients_Give_a_False_Sense_of_Security_Circumventing_Defenses_to_Adversarial_Examples.md ├── Robust_physical_world_attacks_on_deep_learning_visual_classification.md ├── SPATIALLY_TRANSFORMED_ADVERSARIAL_EXAMPLES.md └── Virtual_adversarial_training_a_regularization_method_for_supervised_and_semi_supervised_learning.md ├── 2019 ├── A_Closer_Look_at_Double_Backpropagation.md ├── A_New_Defense_Against_Adversarial_Images_Turning_a_Weakness_into_a_Strength.md ├── AdvIT_Adversarial_Frames_Identifier_Based_on_Temporal_Consistency_in_Videos.md ├── Adversarial_Attacks_on_Graph_Neural_Networks_via_Meta_Learning.md ├── 
Adversarial_Examples_Are_Not_Bugs_They_Are_Features.md ├── Adversarial_Examples_Are_a_Natural_Consequence_of_Test_Error_in_Noise.md ├── Adversarial_Learning_With_Margin_Based_Triplet_Embedding_Regularization.md ├── Adversarial_Robustness_as_a_Prior_for_Learned_Representations.md ├── Adversarial_Robustness_through_Local_Linearization.md ├── Adversarial_Training_and_Robustness_for_Multiple_Perturbations.md ├── Adversarially_Robust_Distillation.md ├── Are_Labels_Required_for_Improving_Adversarial_Robustness.md ├── Are_adversarial_examples_inevitable.md ├── Be_Your_Own_Teacher_Improve the_Performance_of_Convolutional_Neural_Networks_via_Self_Distillation.md ├── CIIDefence_Defeating_Adversarial_Attacks_by_Fusing_Class_Specific_Image_Inpainting_and_Image_Denoising.md ├── Cross_Domain_Transferability_of_Adversarial_Perturbations.md ├── Cycle_Consistent_Adversarial_{GAN}_the_integration_of_adversarial_attack_and_defense.md ├── Decoupling_Direction_and_Norm_for_Efficient_Gradient_Based_L2_Adversarial_Attacks_and_Defenses.md ├── Defending_Adversarial_Attacks_by_Correcting_logits.md ├── Defense_Against_Adversarial_Attacks_Using_Feature_Scattering_based_Adversarial_Training.md ├── Feature_Denoising_for_Improving_Adversarial_Robustness.md ├── Feature_Space_Perturbations_Yield_More_Transferable_Adversarial_Examples.md ├── Fine_grained_Synthesis_of_Unrestricted_Adversarial_Examples.md ├── Generalizable_Adversarial_Attacks_Using_Generative_Models.md ├── Generalizable_Data_Free_Objective_for_Crafting_Universal_Adversarial_Perturbations.md ├── Generating_Realistic_Unrestricted_Adversarial_Inputs_using_Dual_Objective_{GAN}_Training.md ├── Improving_Adversarial_Robustness_via_Guided_Complement_Entropy.md ├── Improving_the_Robustness_of_Deep_Neural_Networks_via_Adversarial_Training_with_Triplet_Loss.md ├── Interpreting_Adversarially_Trained_Convolutional_Neural_Networks.md ├── Joint_Adversarial_Training_Incorporating_both_Spatial_and_Pixel_Attacks.md ├── Knowledge_Distillation_from_Internal_Representations.md ├── Metric_Learning_for_Adversarial_Robustness.md ├── NATTACK_Learning_the_Distributions_of_Adversarial_Examples_for_an_Improved_Black_Box_Attack_on_Deep_Neural_Networks.md ├── Natural_Adversarial_Examples.md ├── Noise2Self_Blind_Denoising_by_Self_Supervision.md ├── On_the_Connection_Between_Adversarial_Robustness_and_Saliency_Map_Interpretability.md ├── One_pixel_attack_for_fooling_deep_neural_networks.md ├── Perturbations_are_not_Enough_Generating_Adversarial_Examples_with_Spatial_Distortions.md ├── Real_Image_Denoising_With_Feature_Attention.md ├── Rethinking_Data_Augmentation_Self_Supervision_and_Self_Distillation.md ├── Retrieval_Augmented_Convolutional_Neural_Networks_against_Adversarial_Examples.md ├── Rob_GAN_Generator_Discriminator_and_Adversarial_Attacker.md ├── Robust_Attribution_Regularization.md ├── Robustness_May_Be_at_Odds_with_Accuracy.md ├── SemanticAdv_Generating_Adversarial_Examples_via_Attribute_conditional_Image_Editing.md ├── SinGAN_Learning_a_Generative_Model_From_a_Single_Natural_Image.md ├── Sparse_and_Imperceivable_Adversarial_Attacks.md ├── The_Limitations_of_Adversarial_Training_and_the_Blind-Spot_Attack.md ├── Theoretically_Principled_Trade_off_between_Robustness_and_Accuracy.md ├── Transferable_Adversarial_Attacks_for_Image_and_Video_Object_Detection.md └── Using_Pre_Training_Can_Improve_Model_Robustness_and_Uncertainty.md ├── 2020 ├── A_Closer_Look_at_Accuracy_vs_Robustness.md ├── A_Self_supervised_Approach_for_Adversarial_Robustness.md ├── 
Adversarial_Examples_Improve_Image_Recognition.md ├── Adversarially_Robust_Representations_with_Smooth_Encoders.md ├── Confidence_Calibrated_Adversarial_Training_Generalizing_to_Unseen_Attacks.md ├── Contrastive_Representation_Distillation.md ├── DVERGE_Diversifying_Vulnerabilities_for_Enhanced_Robust_Generation_of_Ensembles.md ├── Deflecting_Adversarial_Attacks.md ├── Energy_based_Out_of_distribution_Detection.md ├── Enhancing_Transformation_Based_Defenses_Against_Adversarial_Attacks_with_a_Distribution_Classifier.md ├── Fooling_Detection_Alone_is_Not_Enough_Adversarial_Attack_against_Multiple_Object_Tracking.md ├── Heat_and_Blur_An_Effective_and_Fast_Defense_Against_Adversarial_Examples.md ├── High_Frequency_Component_Helps_Explain_the_Generalization_of_Convolutional_Neural_Networks.md ├── Improving_Adversarial_Robustness_Requires_Revisiting_Misclassified_Examples.md ├── Jacobian_Adversarially_Regularized_Networks_for_Robustness.md ├── Manifold_regularization_for_adversarial_robustness.md ├── On_Robustness_of_Neural_Ordinary_Differential_Equations.md ├── Out_of_Distribution_Generalization_via_Risk_Extrapolation.md ├── Pay_Attention_to_Features_Transfer_Learn_Faster_CNNs.md ├── Robust_And_Interpretable_Blind_Image_Denoising_Via_Bias_Free_Convolutional_Neural_Networks.md ├── Robust_Local_Features_for_Improving_the_Generalization_of_Adversarial_Training.md ├── Sponge_Examples_Energy_Latency_Attacks_on_Neural_Networks.md ├── Supervised_Contrastive_Learning.md ├── Triple_Wins_Boosting_Accuracy_Robustness_and_Efficiency_Together_by_Enabling_Input_Adaptive_Inference.md ├── Wavelet_Integrated_CNNs_for_Noise_Robust_Image_Classification.md └── What_it_Thinks_is_Important_is_Important_Robustness_Transfers_through_Input_Gradients.md ├── 2021 └── On_the_Limitations_of_Denoising_Strategies_as_Adversarial_Defenses.md ├── .gitattributes ├── LICENSE ├── README.md ├── asset ├── survey.bib └── template.md └── pics ├── algo1_2019arXiv191205699C.png ├── algo1_DongLPS0HL18.png ├── algo1_PrakashMGDS18.png ├── algo1_Rony_2019_CVPR.png ├── algo1_Xie_2020_CVPR.png ├── algo1_ZhangSGCBM19.png ├── algo1_Zhong_2019_ICCV.png ├── algo1_chan2020jacobian.png ├── eqn10_Zhong_2019_ICCV.png ├── eqn1_NIPS2019_8339.png ├── eqn3_2020arXiv200411362K.png ├── eqn3_Zhong_2019_ICCV.png ├── eqn3_pmlr-v97-zhang19p.png ├── eqn4_yang2020dverge.png ├── eqn5_gu2014towards.png ├── eqn6_abs-1711-00117.png ├── eqn6_gu2014towards.png ├── eqn7_song2020robust.png ├── eqn8_wang2020improving.png ├── eqn9_song2020robust.png ├── fig1_Gupta_2019_ICCV.png ├── fig1_MetzenGFB17.png ├── fig1_NIPS2019_8339.png ├── fig1_abs-1910-03723.png ├── fig1_chan2020jacobian.png ├── fig1_song2020robust.png ├── fig1_wang2020improving.png ├── fig2_2019arXiv191205699C.png ├── fig2_AkhtarLM18.png ├── fig2_NIPS2019_8339.png ├── fig2_Naseer_2020_CVPR.png ├── fig2_ZhangSGCBM19.png ├── fig2_abs-1711-00117.png ├── fig2_anwar_2009_iccv.png ├── fig2_ijcai2019-134.png ├── fig3_Xie_2020_CVPR.png ├── fig4_2020arXiv200302460Y.png ├── fig4_onepixel.png ├── fig5_li2020wavelet.png ├── fig9_8423654.png ├── tab1_ijcai2019-134.png ├── tab1_jin2020manifold.png ├── tab1_wang2020improving.png ├── tab2_10114532437343243855.png ├── tab4_yang2020dverge.png ├── tab5_yang2020dverge.png ├── text_DongLPS0HL18.png └── xiewzzxy17_algo1.png /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- 
/2013/Evasion_attacks_against_machine_learning_at_test_time.md:
--------------------------------------------------------------------------------
```
@inproceedings{biggio2013evasion,
  title={Evasion attacks against machine learning at test time},
  author={Biggio, Battista and Corona, Igino and Maiorca, Davide and Nelson, Blaine and {\v{S}}rndi{\'c}, Nedim and Laskov, Pavel and Giacinto, Giorgio and Roli, Fabio},
  booktitle={Joint European conference on machine learning and knowledge discovery in databases},
  pages={387--402},
  year={2013},
  organization={Springer}
}
```
## Summary
The authors presented a gradient-descent-based approach to attack the target model. The attack strategy is
$$
\begin{aligned} \mathbf{x}^{*}=\underset{\mathbf{x}}{\arg \min } & \hat{g}(\mathbf{x}) \\ \text { s.t. } & d\left(\mathbf{x}, \mathbf{x}^{0}\right) \leq d_{\max } \end{aligned}
\tag{1}
$$
where $\hat{g}(x)$ is the estimated target model and $x^0$ is the targeted example.

This strategy is susceptible to failure because $\hat{g}(x)$ may be non-convex, so descent approaches may not reach a global optimum. As shown in Figure 1 (1st row), not all points switch to the blue area.

The discriminant function does not incorporate the evidence we have about the data distribution $p(x)$, and thus using gradient descent to optimize Eq. (1) may lead into unsupported regions ($p(x) \approx 0$).

An additional component is therefore introduced; the objective becomes
$$
\begin{array}{c}{\arg \min _{x} F(\mathbf{x})=\hat{g}(\mathbf{x})-\frac{\lambda}{n} \sum_{i | y_{i}^{c}=-1} k\left(\frac{\mathbf{x}-\mathbf{x}_{i}}{h}\right)} \\ {\text { s.t. } d\left(\mathbf{x}, \mathbf{x}^{0}\right) \leq d_{\max }}\end{array}
$$
where $h$ is a bandwidth parameter for a kernel density estimator (KDE), and $n$ is the number of benign samples ($y^c = -1$) available to the adversary.

The added component estimates $p(x|y^c = -1)$ with a density estimator. This term acts as a penalizer for $x$ in low-density regions and is weighted by a parameter $\lambda \geq 0$.
In doing so, it reshapes the objective function and thereby biases the resulting gradient descent towards regions where the negative class is concentrated.

## Question
:x: I do not understand the relationship between this component and $p(x|y^c = -1)$. How is it derived?

--------------------------------------------------------------------------------
/2014/Intriguing_properties_of_neural_networks.md:
--------------------------------------------------------------------------------
```
@inproceedings{DBLP:journals/corr/SzegedyZSBEGF13,
  author = {Christian Szegedy and Wojciech Zaremba and Ilya Sutskever and Joan Bruna and Dumitru Erhan and Ian J. Goodfellow and Rob Fergus},
  title = {Intriguing properties of neural networks},
  booktitle = {2nd International Conference on Learning Representations, {ICLR} 2014, Banff, AB, Canada, April 14-16, 2014, Conference Track Proceedings},
  year = {2014},
  crossref = {DBLP:conf/iclr/2014},
  url = {http://arxiv.org/abs/1312.6199},
  timestamp = {Thu, 04 Apr 2019 13:20:07 +0200},
  biburl = {https://dblp.org/rec/bib/journals/corr/SzegedyZSBEGF13},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}
```
## Summary
This paper presented two counter-intuitive properties of deep neural networks.

#### 1. Semantic meaning of individual units

Previous works interpret the activation of a hidden unit as a meaningful feature. They found images satisfying the following equation and concluded that these images share the same semantic meaning:
$$
x^{\prime}=\underset{x \in \mathcal{I}}{\arg \max }\left\langle\phi(x), e_{i}\right\rangle
$$
where $e_{i}$ is the natural basis vector associated with the $i$-th hidden unit.

The authors, however, replaced $e_{i}$ with a random vector and got similar results. This suggests that it is the feature space as a whole, rather than the individual coordinates (units), that carries the semantic information.

#### 2. Stability of neural networks w.r.t. small perturbations
**This property, that networks are vulnerable to imperceptible tiny perturbations, is the one we should focus on.** This paper proposed a method to generate adversarial examples. Finding an adversarial example is formulated as an optimization problem:
$$
\begin{array}{c}{\text { Minimize }\|r\|_{2} \text { subject to: }} \\ {\text { 1. } f(x+r)=l} \\ {\text { 2. } x+r \in[0,1]^{m}}\end{array}
\tag{1}
$$
where $l$ is the target label, $r$ is the added noise, and $x$ is the original image. Usually $x$ is normalized.

This optimization is hard to solve exactly, so they approximated it using box-constrained L-BFGS. Concretely, they approximated equation (1) by performing a line search to find the minimum $c > 0$ for which the minimizer $r$ of the following problem satisfies $f(x + r) = l$:
$$
\text { Minimize } c|r|+\operatorname{loss}_{f}(x+r, l) \text { subject to } x+r \in[0,1]^{m}
$$

### My questions
1. I have no idea how L-BFGS works here or how this transformation is derived.
2. Check the [code](https://github.com/akshaychawla/Adversarial-Examples-in-PyTorch), though it does not use L-BFGS.

--------------------------------------------------------------------------------
/2014/Rich_feature_hierarchies_for_accurate_object_detection_and_semantic_segmentation.md:
--------------------------------------------------------------------------------
```
@inproceedings{girshick2014rich,
  author = {Girshick, Ross and Donahue, Jeff and Darrell, Trevor and Malik, Jitendra},
  booktitle = {Proceedings of the IEEE conference on computer vision and pattern recognition},
  pages = {580--587},
  title = {{Rich feature hierarchies for accurate object detection and semantic segmentation}},
  year = {2014}
}
```
[R-CNN](https://blog.csdn.net/liuxiaoheng1992/article/details/81743161)

--------------------------------------------------------------------------------
/2014/Towards_deep_neural_network_architectures_robust_to_adversarial_examples.md:
--------------------------------------------------------------------------------
```
@article{gu2014towards,
  author = {Gu, Shixiang and Rigazio, Luca},
  journal = {arXiv preprint arXiv:1412.5068},
  title = {{Towards deep neural network architectures robust to adversarial examples}},
  year = {2014}
}
```
Dataset: MNIST

- All autoencoders are able to recover from at least 90% of adversarial errors, regardless of the model from which the errors originate.
- **Drawback:** An autoencoder and its corresponding classifier can be stacked to form a new feed-forward neural network, and adversarial examples can again be generated from this stacked network. Such adversarial examples have a significantly smaller distortion. One possible explanation is that, since the autoencoder is trained without knowledge of the classification objective, it has more blind spots with respect to that final objective.
- In particular, a denoising autoencoder trained with $\sigma=0.1$ Gaussian noise could denoise adversarial examples almost as well as an autoencoder trained on actual adversarial noise.

## Deep Contractive Network
![](../pics/eqn5_gu2014towards.png)

![](../pics/eqn6_gu2014towards.png)

--------------------------------------------------------------------------------
/2015/Explaining_and_Harnessing_Adversarial_Examples.md:
--------------------------------------------------------------------------------
```
@inproceedings{DBLP:journals/corr/GoodfellowSS14,
  author = {Goodfellow, Ian J and Shlens, Jonathon and Szegedy, Christian},
  booktitle = {3rd International Conference on Learning Representations, {\{}ICLR{\}} 2015, San Diego, CA, USA, May 7-9, 2015, Conference Track Proceedings},
  editor = {Bengio, Yoshua and LeCun, Yann},
  title = {{Explaining and Harnessing Adversarial Examples}},
  url = {http://arxiv.org/abs/1412.6572},
  year = {2015}
}
```
## Summary
**Reading through this paper even hundreds of times is not enough.**

#### FGSM
In this paper, Goodfellow *et al.* first argued that neural networks behave close to linearly in high-dimensional spaces. Based on this linearity, they designed a method, *FGSM*, to generate adversarial examples efficiently. The max-norm-bounded noise is
$$
\boldsymbol{\eta}=\epsilon \operatorname{sign}\left(\nabla_{\boldsymbol{x}} J(\boldsymbol{\theta}, \boldsymbol{x}, y)\right)
$$
where $\epsilon$ bounds the max-norm of the noise.

The adversarial example is then obtained as $\tilde{\boldsymbol{x}} = \boldsymbol{x} + \boldsymbol{\eta}$. Note that here the loss is viewed as a function of $\boldsymbol{x}$ rather than of $\boldsymbol{\theta}$, so $\tilde{\boldsymbol{x}}$ is modified to move the loss in a gradient-ascending direction.

#### Adversarial training
*"Obviously, standard supervised training does not specify that the chosen function be resistant to adversarial examples. This must be encoded in the training procedure somehow."*

$$
\tilde{J}(\boldsymbol{\theta}, \boldsymbol{x}, y)=\alpha J(\boldsymbol{\theta}, \boldsymbol{x}, y)+(1-\alpha) J\left(\boldsymbol{\theta}, \boldsymbol{x}+\epsilon \operatorname{sign}\left(\nabla_{\boldsymbol{x}} J(\boldsymbol{\theta}, \boldsymbol{x}, y)\right)\right)
$$

The second term on the right means that the adversarial examples keep being regenerated from the current model as training proceeds.

**Chapter 10 summarizes the main ideas of this paper! Go and have a look.**
### My questions
Find the [code](../codes/fgsm).
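To make the update concrete, here is a minimal PyTorch sketch of the FGSM step above. The `model`/`eps` interface and the $[0,1]$ clamp are my assumptions (the clamp assumes pixel values scaled to that range), not something prescribed by the paper:

```python
import torch.nn.functional as F

def fgsm(model, x, y, eps):
    # One signed-gradient ascent step on J(theta, x, y), as in the note above.
    # Assumes x is a batch of images already scaled to [0, 1].
    x = x.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(x), y)
    loss.backward()
    return (x + eps * x.grad.sign()).clamp(0, 1).detach()
```

The same function can also be reused inside a training loop to realize the adversarial-training objective $\tilde{J}$ above, by mixing the loss on `x` and on `fgsm(model, x, y, eps)`.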
--------------------------------------------------------------------------------
/2016/Adversarial_Images_for_Variational_Autoencoders.md:
--------------------------------------------------------------------------------
```
@article{DBLP:journals/corr/TabacofTV16,
  archivePrefix = {arXiv},
  arxivId = {1612.00155},
  author = {Tabacof, Pedro and Tavares, Julia and Valle, Eduardo},
  eprint = {1612.00155},
  journal = {CoRR},
  title = {{Adversarial Images for Variational Autoencoders}},
  url = {http://arxiv.org/abs/1612.00155},
  volume = {abs/1612.0},
  year = {2016}
}
```

--------------------------------------------------------------------------------
/2016/Autoencoding_beyond_pixels_using_a_learned_similarity_metric.md:
--------------------------------------------------------------------------------
```
@inproceedings{larsen2015autoencoding,
  address = {New York, New York, USA},
  author = {Larsen, Anders Boesen Lindbo and S{\o}nderby, S{\o}ren Kaae and Larochelle, Hugo and Winther, Ole},
  booktitle = {Proceedings of The 33rd International Conference on Machine Learning},
  editor = {Balcan, Maria Florina and Weinberger, Kilian Q},
  isbn = {9781510829008},
  pages = {1558--1566},
  publisher = {PMLR},
  series = {Proceedings of Machine Learning Research},
  title = {{Autoencoding beyond pixels using a learned similarity metric}},
  url = {http://proceedings.mlr.press/v48/larsen16.html},
  volume = {48},
  year = {2016}
}
```
To the best of my knowledge, this is the first VAE-GAN paper. I did not read through the whole paper, but from other people's materials I think I figured out the function of each loss.

- This [blog](https://pravn.wordpress.com/category/vae-gan-vaegan/)
- [official implementation](https://github.com/andersbll/autoencoding_beyond_pixels)
- [Deriving the KL divergence loss for VAEs](https://stats.stackexchange.com/questions/318748/deriving-the-kl-divergence-loss-for-vaes)
- [Variational Autoencoders Explained](http://kvfrans.com/variational-autoencoders-explained/)

--------------------------------------------------------------------------------
/2016/DeepFool.md:
--------------------------------------------------------------------------------
```
@inproceedings{moosavi2016deepfool,
  author = {Moosavi-Dezfooli, Seyed-Mohsen and Fawzi, Alhussein and Frossard, Pascal},
  booktitle = {Proceedings of the IEEE conference on computer vision and pattern recognition},
  pages = {2574--2582},
  title = {{Deepfool: a simple and accurate method to fool deep neural networks}},
  year = {2016}
}
```
## Summary
Check this third-party [summary](https://towardsdatascience.com/deepfool-a-simple-and-accurate-method-to-fool-deep-neural-networks-17e0d0910ac0).

--------------------------------------------------------------------------------
/2016/Learning_Deep_Features_for_Discriminative_Localization.md:
--------------------------------------------------------------------------------
```
@inproceedings{DBLP:conf/cvpr/ZhouKLOT16,
  author = {Zhou, Bolei and Khosla, Aditya and Lapedriza, {\`{A}}gata and Oliva, Aude and Torralba, Antonio},
  booktitle = {2016 {\{}IEEE{\}} Conference on Computer Vision and Pattern Recognition, {\{}CVPR{\}} 2016, Las Vegas, NV, USA, June 27-30, 2016},
  doi = {10.1109/CVPR.2016.319},
  pages = {2921--2929},
  publisher = {{\{}IEEE{\}} Computer Society},
  title = {{Learning Deep Features for Discriminative Localization}},
  url = {https://doi.org/10.1109/CVPR.2016.319},
  year = {2016}
}
```

## Resources
- https://glassboxmedicine.com/2019/06/11/cnn-heat-maps-class-activation-mapping-cam/

--------------------------------------------------------------------------------
/2016/Robustness_of_classifiers_from_adversarial_to_random_noise.md:
--------------------------------------------------------------------------------
```
@inproceedings{DBLP:conf/nips/FawziMF16,
  author = {Fawzi, Alhussein and Moosavi-Dezfooli, Seyed-Mohsen and Frossard, Pascal},
  booktitle = {Advances in Neural Information Processing Systems 29: Annual Conference on Neural Information Processing Systems 2016, December 5-10, 2016, Barcelona, Spain},
  editor = {Lee, Daniel D and Sugiyama, Masashi and von Luxburg, Ulrike and Guyon, Isabelle and Garnett, Roman},
  pages = {1624--1632},
  title = {{Robustness of classifiers: from adversarial to random noise}},
  url = {http://papers.nips.cc/paper/6331-robustness-of-classifiers-from-adversarial-to-random-noise},
  year = {2016}
}
```
Here, "worst-case perturbations" means adversarial perturbations.

They quantify the robustness of nonlinear classifiers in two practical noise regimes, the **random** and **semi-random** regimes.
In the random noise regime, data points are perturbed by noise with a random direction in the input space.
The semi-random regime generalizes this model to random subspaces of arbitrary dimension, where a worst-case perturbation is sought within the subspace.

--------------------------------------------------------------------------------
/2016/The_limitations_of_deep_learning_in_adversarial_settings.md:
--------------------------------------------------------------------------------
```
@inproceedings{papernot2016limitations,
  author = {Papernot, Nicolas and McDaniel, Patrick and Jha, Somesh and Fredrikson, Matt and Celik, Z Berkay and Swami, Ananthram},
  booktitle = {2016 IEEE European Symposium on Security and Privacy (EuroS{\&}P)},
  organization = {IEEE},
  pages = {372--387},
  title = {{The limitations of deep learning in adversarial settings}},
  year = {2016}
}
```
## Summary
This paper proposed a method to craft adversarial examples by constructing a mapping from input perturbations to output variations, which differs from other methods that use output variations to find corresponding input perturbations. Their method requires the architecture, activation functions and parameters of the DNN.
The problem is formulated as
$$
\arg \min _{\delta_{\mathbf{X}}}\left\|\delta_{\mathbf{X}}\right\| \text { s.t. } \mathbf{F}\left(\mathbf{X}+\delta_{\mathbf{X}}\right)=\mathbf{Y}^{*}
$$
where $\mathbf{X},\mathbf{Y}, \mathbf{Y}^{*}, \delta_{\mathbf{X}}, \mathbf{F}$ are the input, label, target label, perturbation and the network, respectively.

The authors defined the Jacobian matrix of the function $\mathbf{F}$ as the *forward derivative*:
$$
\nabla \mathbf{F}(\mathbf{X})=\frac{\partial \mathbf{F}(\mathbf{X})}{\partial \mathbf{X}}=\left[\frac{\partial \mathbf{F}_{j}(\mathbf{X})}{\partial x_{i}}\right]_{i \in 1 \ldots M, j \in 1 \ldots N}
$$
The forward derivative is similar to what is computed in backpropagation, but it is the derivative of the network itself rather than of the cost function, and it is taken w.r.t. the input features rather than the network parameters.

With the chain rule, the forward derivative is rewritten as
$$
\begin{aligned} \frac{\partial \mathbf{F}_{j}(\mathbf{X})}{\partial x_{i}}=&\left(\mathbf{W}_{n+1, j} \cdot \frac{\partial \mathbf{H}_{n}}{\partial x_{i}}\right) \times \\ & \frac{\partial f_{n+1, j}}{\partial x_{i}}\left(\mathbf{W}_{n+1, j} \cdot \mathbf{H}_{n}+b_{n+1, j}\right) \end{aligned}
$$
$$
\frac{\partial \mathbf{H}_{k}(\mathbf{X})}{\partial x_{i}}=\left[\frac{\partial f_{k, p}\left(\mathbf{W}_{k, p} \cdot \mathbf{H}_{k-1}+b_{k, p}\right)}{\partial x_{i}}\right]_{p \in 1 \ldots m_{k}}
$$
where $\mathbf{H}_{k}$ is the output vector of hidden layer $k$ and $f_{k,j}$ is the activation function of output neuron $j$ in layer $k$.

The *adversarial saliency map* is constructed as
$$
S(\mathbf{X}, t)[i]=\left\{\begin{array}{l}{0 \text { if } \frac{\partial \mathbf{F}_{t}(\mathbf{X})}{\partial \mathbf{X}_{i}}<0 \text { or } \sum_{j \neq t} \frac{\partial \mathbf{F}_{j}(\mathbf{X})}{\partial \mathbf{X}_{i}}>0} \\ {\left(\frac{\partial \mathbf{F}_{t}(\mathbf{X})}{\partial \mathbf{X}_{i}}\right)\left|\sum_{j \neq t} \frac{\partial \mathbf{F}_{j}(\mathbf{X})}{\partial \mathbf{X}_{i}}\right| \text { otherwise }}\end{array}\right.
$$
where $t$ is the target class.

**Large absolute values correspond to features with a significant impact on the output when perturbed.**

**The authors say their method is also applicable to unsupervised-trained DNNs, but leave that as future work.**

--------------------------------------------------------------------------------
/2016/Toward_evaluating_the_robustness_of_neural_networks.md:
--------------------------------------------------------------------------------
```
@inproceedings{carlini2017towards,
  author = {Carlini, Nicholas and Wagner, David},
  booktitle = {2017 IEEE Symposium on Security and Privacy (SP)},
  organization = {IEEE},
  pages = {39--57},
  title = {{Towards evaluating the robustness of neural networks}},
  year = {2017}
}
```

## Summary
C&W can be regarded as a benchmark adversarial attack. In this paper, the targeted model is a distilled model, which was the SOTA defense at that time.

They proposed three metrics to evaluate the distance between adversarial examples and original images.

This is an optimization-based method; the problem is formulated as:
$$
\begin{array}{cl}{{\operatorname{minimize}}} & {\mathcal{D}(x, x+\delta)} \\ {\text { such that }} & {C(x+\delta)=t} \\ {} & {x+\delta \in[0,1]^{n}}\end{array}
$$

Since this is difficult to solve directly, an objective function $f$ is defined such that $C(x+\delta)=t$ iff $f(x+\delta) \leq 0$. Possible choices of $f$ are:
$$
\begin{aligned} f_{1}\left(x^{\prime}\right) &=-\operatorname{loss}_{F, t}\left(x^{\prime}\right)+1 \\ f_{2}\left(x^{\prime}\right) &=\left(\max _{i \neq t}\left(F\left(x^{\prime}\right)_{i}\right)-F\left(x^{\prime}\right)_{t}\right)^{+} \\ f_{3}\left(x^{\prime}\right) &=\operatorname{softplus}\left(\max _{i \neq t}\left(F\left(x^{\prime}\right)_{i}\right)-F\left(x^{\prime}\right)_{t}\right)-\log (2) \\ f_{4}\left(x^{\prime}\right) &=\left(0.5-F\left(x^{\prime}\right)_{t}\right)^{+} \\ f_{5}\left(x^{\prime}\right) &=-\log \left(2 F\left(x^{\prime}\right)_{t}-2\right) \\ f_{6}\left(x^{\prime}\right) &=\left(\max _{i \neq t}\left(Z\left(x^{\prime}\right)_{i}\right)-Z\left(x^{\prime}\right)_{t}\right)^{+} \\ f_{7}\left(x^{\prime}\right) &=\operatorname{softplus}\left(\max _{i \neq t}\left(Z\left(x^{\prime}\right)_{i}\right)-Z\left(x^{\prime}\right)_{t}\right)-\log (2) \end{aligned}
$$
where $t$ is the target class, $(e)^{+}=\max (e, 0)$, $\operatorname{softplus}(x)=\log (1+\exp (x))$, and $\operatorname{loss}_{F, t}(x)$ is the cross-entropy loss of $x$ for class $t$.

The new objective function is then
$$
\begin{array}{ll}{\text { minimize }} & {\mathcal{D}(x, x+\delta)} \\ {\text { such that }} & {f(x+\delta) \leq 0} \\ {} & {x+\delta \in[0,1]^{n}}\end{array}
$$
and is rewritten as
$$
\begin{array}{ll}{\operatorname{minimize}} & {\mathcal{D}(x, x+\delta)+c \cdot f(x+\delta)} \\ {\text { such that }} & {x+\delta \in[0,1]^{n}}\end{array}
$$

$c$ is a constant, and often the best choice of $c$ is the smallest value for which the resulting solution $x^{*}$ has $f(x^{*}) \leq 0$. This causes gradient descent to minimize both terms simultaneously instead of picking only one to optimize over first.

To ensure the modification yields a valid image, there is a box constraint on the perturbation:
$$
0 \leq x_{i}+\delta_{i} \leq 1
$$
Projected gradient descent and clipped gradient descent each have drawbacks, so they adopted a third approach: **change of variables**.
$$
\delta_{i}=\frac{1}{2}\left(\tanh \left(w_{i}\right)+1\right)-x_{i}
$$
Since $-1 \leq \tanh \left(w_{i}\right) \leq 1$, it follows that $0 \leq x_{i}+\delta_{i} \leq 1$.

The authors also discussed the problems of how to choose $f$ and of discretization.

The $L_2$ attack minimizes
$$
\left\|\frac{1}{2}(\tanh (w)+1)-x\right\|_{2}^{2}+c \cdot f\left(\frac{1}{2}(\tanh (w)+1)\right)
$$
with
$$
f\left(x^{\prime}\right)=\max \left(\max \left\{Z\left(x^{\prime}\right)_{i} : i \neq t\right\}-Z\left(x^{\prime}\right)_{t},-\kappa\right)
$$

--------------------------------------------------------------------------------
/2016/Transferability_in_machine_learning.md:
--------------------------------------------------------------------------------
```
@article{papernot2016transferability,
  author = {Papernot, Nicolas and McDaniel, Patrick and Goodfellow, Ian},
  journal = {arXiv preprint arXiv:1605.07277},
  title = {{Transferability in machine learning: from phenomena to black-box attacks using adversarial samples}},
  year = {2016}
}
```

Generally speaking, this paper first investigated the transferability of adversarial examples. This transferability exists not only between models trained with the same method (neural network and neural network, or decision tree and decision tree), but also between models trained with different methods (e.g. decision tree and neural network). The authors ran several experiments to demonstrate it.

--------------------------------------------------------------------------------
/2017/A-Fast-RCNN_Hard_Positive_Generation_via_Adversary_for_Object_Detection.md:
--------------------------------------------------------------------------------
```
@inproceedings{8099807,
  author = {Wang, X and Shrivastava, A and Gupta, A},
  booktitle = {2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR)},
  doi = {10.1109/CVPR.2017.324},
  issn = {1063-6919},
  keywords = {Detectors,Fast-RCNN pipeline,Feature extraction,Object detection,Proposals,Strain,Training,VOC07,VOC2012 object detection challenge,adversarial network,data-driven strategy,hard positive generation,image classification,large-scale datasets,model invariant,object deformations,object detection,object detector,object instances},
  month = {jul},
  pages = {3039--3048},
  title = {{A-Fast-RCNN: Hard Positive Generation via Adversary for Object Detection}},
  year = {2017}
}
```
Their method generates adversarial examples with obvious occlusions to boost the performance of Fast R-CNN.

--------------------------------------------------------------------------------
/2017/Adversarial_Examples_Detection_in_Deep_Networks_with_Convolutional_Filter_Statistics.md:
--------------------------------------------------------------------------------
```
@inproceedings{DBLP:conf/iccv/LiL17,
  author = {Li, Xin and Li, Fuxin},
  booktitle = {{\{}IEEE{\}} International Conference on Computer Vision, {\{}ICCV{\}} 2017, Venice, Italy, October 22-29, 2017},
  doi = {10.1109/ICCV.2017.615},
  isbn = {978-1-5386-1032-9},
  pages = {5775--5783},
  publisher = {{\{}IEEE{\}} Computer Society},
  title = {{Adversarial Examples Detection in Deep Networks with Convolutional Filter Statistics}},
  url = {https://doi.org/10.1109/ICCV.2017.615},
  year = {2017}
}
```
One deciding property is that adversarial examples have a strong regularizing effect on almost all of the informative directions. Hence, the responses on adversarial examples are lower than those on normal examples, contrary to what the confidence values may have indicated.
--------------------------------------------------------------------------------
/2017/Adversarial_Examples_for_Semantic_Segmentation_and_Object_Detection.md:
--------------------------------------------------------------------------------
```
@inproceedings{DBLP:conf/iccv/XieWZZXY17,
  author = {Xie, Cihang and Wang, Jianyu and Zhang, Zhishuai and Zhou, Yuyin and Xie, Lingxi and Yuille, Alan L},
  booktitle = {{\{}IEEE{\}} International Conference on Computer Vision, {\{}ICCV{\}} 2017, Venice, Italy, October 22-29, 2017},
  doi = {10.1109/ICCV.2017.153},
  isbn = {978-1-5386-1032-9},
  pages = {1378--1387},
  publisher = {{\{}IEEE{\}} Computer Society},
  title = {{Adversarial Examples for Semantic Segmentation and Object Detection}},
  url = {https://doi.org/10.1109/ICCV.2017.153},
  year = {2017}
}
```
## Motivation
Natural images with visually imperceptible perturbations added cause deep networks to fail at image classification. Segmentation and detection are based on classifying multiple targets on an image.

## Methods
### Dense Adversary Generation (DAG)
- DAG aims at generating recognition failures on the original proposals. To increase the robustness of the adversarial attack, they change the intersection-over-union (IOU) rate to preserve an increased but still reasonable number of proposals in the optimization.
- Algorithm:
![Pic](../pics/xiewzzxy17_algo1.png)
- Section 3.2 describes the selection of input proposals for detection. I am not familiar with detection algorithms, but the main idea is to get dense input proposals for robust adversarial examples.

## Findings
- Generating an adversarial example is more difficult in detection than in segmentation, as the number of targets is orders of magnitude larger in the former case.
- When the proposals are dense enough on the original image, it is highly likely that incorrect recognition results are also produced on the new proposals generated on the perturbed image.
- Adding two or more heterogeneous perturbations significantly increases transferability, which provides an effective way of performing black-box adversarial attacks.
- Different network structures generate roughly orthogonal perturbations. A combined perturbation is able to confuse both network structures.

--------------------------------------------------------------------------------
/2017/Adversarial_Examples_that_Fool_Detectors.md:
--------------------------------------------------------------------------------
```
@article{2017arXiv171202494L,
  archivePrefix = {arXiv},
  arxivId = {cs.CV/1712.02494},
  author = {Lu, Jiajun and Sibai, Hussein and Fabry, Evan},
  eprint = {1712.02494},
  journal = {arXiv e-prints},
  keywords = {Computer Science - Artificial Intelligence,Computer Science - Computer Vision and Pattern Rec,Computer Science - Graphics,Computer Science - Machine Learning},
  month = {dec},
  pages = {arXiv:1712.02494},
  primaryClass = {cs.CV},
  title = {{Adversarial Examples that Fool Detectors}},
  year = {2017}
}
```
## Motivation
Attacking classifiers is different from attacking detectors.

## Methods
They propose a method to generate **digital** and **physical** adversarial examples that are robust to changes in viewing conditions.

### Data
- Stop signs
- Faces

### Thoughts
I should get myself familiar with detection and tracking algorithms ASAP.

--------------------------------------------------------------------------------
/2017/Adversarial_transformation_networks_Learning_to_generate_adversarial_examples.md:
--------------------------------------------------------------------------------
```
@inproceedings{DBLP:conf/aaai/BalujaF18,
  author = {Baluja, Shumeet and Fischer, Ian},
  booktitle = {Proceedings of the Thirty-Second {\{}AAAI{\}} Conference on Artificial Intelligence, (AAAI-18), the 30th innovative Applications of Artificial Intelligence (IAAI-18), and the 8th {\{}AAAI{\}} Symposium on Educational Advances in Artificial Intelligence (EAAI-18), New},
  editor = {McIlraith, Sheila A and Weinberger, Kilian Q},
  pages = {2687--2695},
  publisher = {{\{}AAAI{\}} Press},
  title = {{Learning to Attack: Adversarial Transformation Networks}},
  url = {https://www.aaai.org/ocs/index.php/AAAI/AAAI18/paper/view/16529},
  year = {2018}
}
```
This paper proposed the Adversarial Transformation Network (ATN) to generate adversarial examples, in two variants: the Perturbation ATN and the Adversarial Autoencoder (AAE). The method targets white-box targeted attacks. The AAE generates adversarial examples directly rather than generating perturbations, which is why it is called a transformation. **They also apply $\tanh()$ as the last operation to make sure the output image values are valid, which I think is better than clipping arbitrarily.**

There are two losses in their objective function: an input-space loss that keeps the adversarial examples similar to the original images, and an adversarial loss.

The adversarial loss is interesting; see the paper for details:
$$
L_{\mathcal{Y}, t}\left(\mathbf{y}^{\prime}, \mathbf{y}\right)=L_{2}\left(\mathbf{y}^{\prime}, r(\mathbf{y}, t)\right)
$$

$$
r_{\alpha}(\mathbf{y}, t)=\operatorname{norm}\left(\left\{\begin{array}{ll}{\alpha \cdot \max \mathbf{y}} & {\text { if } k=t} \\ {y_{k}} & {\text { otherwise }}\end{array}\right\}_{k \in \mathbf{y}}\right)
$$

$\alpha$ is set to 1.5 in the experiments.

The generated images seem better than those in [1].

## References
[1] Xiao, C., Li, B., Zhu, J.-Y., He, W., Liu, M., & Song, D. (2018). Generating Adversarial Examples with Adversarial Networks. In J. Lang (Ed.), Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence, {IJCAI} 2018, July 13-19, 2018, Stockholm, Sweden. (pp. 3905–3911). https://doi.org/10.24963/ijcai.2018/543

--------------------------------------------------------------------------------
/2017/CVAE-GAN_Fine-Grained_Image_Generation_Through_Asymmetric_Training.md:
--------------------------------------------------------------------------------
```
@inproceedings{Bao_2017_ICCV,
  author = {Bao, Jianmin and Chen, Dong and Wen, Fang and Li, Houqiang and Hua, Gang},
  booktitle = {The IEEE International Conference on Computer Vision (ICCV)},
  month = {oct},
  title = {{CVAE-GAN: Fine-Grained Image Generation Through Asymmetric Training}},
  year = {2017}
}
```

This paper combined a VAE and a GAN, and took the target class label as a condition. With this, the model can produce good examples.

Bullets:
1. [Mean Discrepancy](https://blog.csdn.net/he_min/article/details/69397975)

--------------------------------------------------------------------------------
/2017/Conditional_Image_Synthesis_with_Auxiliary_Classifier_GANs.md:
--------------------------------------------------------------------------------
```
@inproceedings{pmlr-v70-odena17a,
  address = {International Convention Centre, Sydney, Australia},
  author = {Odena, Augustus and Olah, Christopher and Shlens, Jonathon},
  booktitle = {Proceedings of the 34th International Conference on Machine Learning},
  editor = {Precup, Doina and Teh, Yee Whye},
  pages = {2642--2651},
  publisher = {PMLR},
  series = {Proceedings of Machine Learning Research},
  title = {{Conditional Image Synthesis with Auxiliary Classifier {\{}GAN{\}}s}},
  url = {http://proceedings.mlr.press/v70/odena17a.html},
  volume = {70},
  year = {2017}
}
```
This paper leveraged several techniques to build an improved GAN variant called AC-GAN. In addition, they also proposed *methods for measuring the extent to which a model makes use of its given output resolution, and methods for measuring the perceptual variability of samples from the model*.

The code is [here](https://github.com/gitlimlab/ACGAN-PyTorch)

--------------------------------------------------------------------------------
/2017/Countering_Adversarial_Images_using_Input_Transformations.md:
--------------------------------------------------------------------------------
```
@article{DBLP:journals/corr/abs-1711-00117,
  archivePrefix = {arXiv},
  arxivId = {1711.00117},
  author = {Guo, Chuan and Rana, Mayank and Ciss{\'{e}}, Moustapha and van der Maaten, Laurens},
  eprint = {1711.00117},
  journal = {CoRR},
  title = {{Countering Adversarial Images using Input Transformations}},
  url = {http://arxiv.org/abs/1711.00117},
  volume = {abs/1711.0},
  year = {2017}
}
```

### Total Variance Minimization
This approach randomly selects a small set of pixels and reconstructs the "simplest" image that is consistent with the selected pixels. The reconstructed image does not contain the adversarial perturbations, because these perturbations tend to be small and localized.

![](../pics/eqn6_abs-1711-00117.png)

![](../pics/fig2_abs-1711-00117.png)

--------------------------------------------------------------------------------
/2017/Delving_into_Transferable_Adversarial_Examples_and_Black-box_Attacks.md:
--------------------------------------------------------------------------------
```
@inproceedings{DBLP:conf/iclr/LiuCLS17,
  author = {Liu, Yanpei and Chen, Xinyun and Liu, Chang and Song, Dawn},
  booktitle = {5th International Conference on Learning Representations, {\{}ICLR{\}} 2017, Toulon, France, April 24-26, 2017, Conference Track Proceedings},
  publisher = {OpenReview.net},
  title = {{Delving into Transferable Adversarial Examples and Black-box Attacks}},
  url = {https://openreview.net/forum?id=Sys6GJqxl},
  year = {2017}
}
```

Overall, they proposed an ensemble-based method to generate transferable adversarial examples, which is an intuitive approach. They also provided some geometric insights, which I am not very clear about.

[this](https://blog.csdn.net/qq_35414569/article/details/82383788) may be helpful.
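A rough PyTorch sketch of the ensemble idea as I understand it (the paper fuses the models' predictions with ensemble weights; fusing the per-model losses here, and taking a single targeted FGSM-style step, are my simplifications):

```python
import torch.nn.functional as F

def ensemble_targeted_step(models, weights, x, y_target, eps):
    # Fuse the per-model losses with fixed weights, then take one signed step
    # that *decreases* the targeted loss, so all models move toward y_target.
    x = x.clone().detach().requires_grad_(True)
    loss = sum(w * F.cross_entropy(m(x), y_target) for m, w in zip(models, weights))
    loss.backward()
    return (x - eps * x.grad.sign()).clamp(0, 1).detach()
```

An example crafted this way against several white-box models is more likely to transfer to an unseen black-box model, which is the paper's main point.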
--------------------------------------------------------------------------------
/2017/Detecting_Adversarial_Samples_from_Artifacts.md:
--------------------------------------------------------------------------------
```
@article{feinman2017detecting,
  author = {Feinman, Reuben and Curtin, Ryan R and Shintre, Saurabh and Gardner, Andrew B},
  journal = {arXiv preprint arXiv:1703.00410},
  title = {{Detecting adversarial samples from artifacts}},
  year = {2017}
}
```
I am not sure I understand this paper. It seems that this work estimates the probability that a data point is an adversarial example. If I get time, I will read it a second time.

--------------------------------------------------------------------------------
/2017/On_Detecting_Adversarial_Perturbations.md:
--------------------------------------------------------------------------------
```
@inproceedings{DBLP:conf/iclr/MetzenGFB17,
  author = {Metzen, Jan Hendrik and Genewein, Tim and Fischer, Volker and Bischoff, Bastian},
  booktitle = {5th International Conference on Learning Representations, {\{}ICLR{\}} 2017, Toulon, France, April 24-26, 2017, Conference Track Proceedings},
  publisher = {OpenReview.net},
  title = {{On Detecting Adversarial Perturbations}},
  url = {https://openreview.net/forum?id=SJzCSf9xg},
  year = {2017}
}
```

The main idea of this paper is quite simple: attach an adversarial-example detector to a regular classifier. Something original is that they extended it to a dynamic scenario and proposed dynamic adversary training.

I do not understand the architecture of their networks.

![Fig 1](../pics/fig1_MetzenGFB17.png)

The paper *Detecting adversarial samples from artifacts* points out some drawbacks of this work in its Section 2.

--------------------------------------------------------------------------------
/2017/Universal_Adversarial_Perturbations.md:
--------------------------------------------------------------------------------
```
@inproceedings{DBLP:conf/cvpr/Moosavi-Dezfooli17,
  author = {Moosavi-Dezfooli, Seyed-Mohsen and Fawzi, Alhussein and Fawzi, Omar and Frossard, Pascal},
  booktitle = {2017 {\{}IEEE{\}} Conference on Computer Vision and Pattern Recognition, {\{}CVPR{\}} 2017, Honolulu, HI, USA, July 21-26, 2017},
  doi = {10.1109/CVPR.2017.17},
  isbn = {978-1-5386-0457-1},
  pages = {86--94},
  publisher = {{\{}IEEE{\}} Computer Society},
  title = {{Universal Adversarial Perturbations}},
  url = {https://doi.org/10.1109/CVPR.2017.17},
  year = {2017}
}
```

This paper proposed a novel method to produce universal perturbations. The basic idea is to build the perturbation iteratively over the training set. After a perturbation is computed on the first data point, it is added to the next training point. If the current perturbation fails to fool the model on that point, the algorithm finds an extra perturbation on the perturbed point, and the new universal perturbation is the sum of the two. The accumulated perturbation is kept smaller than $\epsilon$ in $L_p$ norm. The process terminates when the perturbation fools the model at a target rate, say $1-\delta$.
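A rough sketch of this loop, under my own assumptions about the interfaces (`data` is a list of `(image, label)` pairs, `attack_fn` stands for a minimal per-image attack such as DeepFool, and the projection is written for the $L_\infty$ case only):

```python
import torch

def universal_perturbation(model, data, attack_fn, eps, delta, max_iters=10):
    # `attack_fn(model, x, y)` is assumed to return a small perturbation that
    # changes the prediction for x (e.g. DeepFool).
    v = torch.zeros_like(data[0][0])
    for _ in range(max_iters):
        for x, y in data:
            # only update v on points it does not fool yet
            if model((x + v).unsqueeze(0)).argmax().item() == y:
                dv = attack_fn(model, x + v, y)
                v = torch.clamp(v + dv, -eps, eps)   # L_inf projection
        fooled = sum(model((x + v).unsqueeze(0)).argmax().item() != y for x, y in data)
        if fooled / len(data) >= 1 - delta:          # fooling rate reached
            break
    return v
```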
Note that this universal perturbation is not unique: the order of the training data influences which perturbation is generated.

According to the authors, this perturbation generalizes not only across data points but also across models. They also found that there are dominant directions for the perturbations; in other words, images with the universal perturbation added are misclassified into a small set of classes.

The attack is non-targeted by design, but shows some targeted behaviour, so in my opinion it should be possible to generate targeted universal perturbations.

**Update**
The paper *Defense Against Universal Adversarial Perturbations* cites this paper.

--------------------------------------------------------------------------------
/2017/Universal_Adversarial_Perturbations_Against_Semantic_Image_Segmentation.md:
--------------------------------------------------------------------------------
```
@inproceedings{DBLP:conf/iccv/MetzenKBF17,
  author = {Metzen, Jan Hendrik and Kumar, Mummadi Chaithanya and Brox, Thomas and Fischer, Volker},
  booktitle = {{\{}IEEE{\}} International Conference on Computer Vision, {\{}ICCV{\}} 2017, Venice, Italy, October 22-29, 2017},
  doi = {10.1109/ICCV.2017.300},
  isbn = {978-1-5386-1032-9},
  pages = {2774--2783},
  publisher = {{\{}IEEE{\}} Computer Society},
  title = {{Universal Adversarial Perturbations Against Semantic Image Segmentation}},
  url = {https://doi.org/10.1109/ICCV.2017.300},
  year = {2017}
}
```

--------------------------------------------------------------------------------
/2018/Adversarial_Logit_Pairing.md:
--------------------------------------------------------------------------------
```
@article{DBLP:journals/corr/abs-1803-06373,
  archivePrefix = {arXiv},
  arxivId = {1803.06373},
  author = {Kannan, Harini and Kurakin, Alexey and Goodfellow, Ian J},
  eprint = {1803.06373},
  journal = {CoRR},
  title = {{Adversarial Logit Pairing}},
  url = {http://arxiv.org/abs/1803.06373},
  volume = {abs/1803.0},
  year = {2018}
}
```
The paper studies three regularizers:
- Adversarial logit pairing
- Clean logit pairing
- Clean logit squeeze

Mixup trains the model on input points that are interpolated between training examples.

The better performance of ALP compared to VAT may be because the KL divergence can suffer from saturating gradients, or because the KL divergence is invariant to a shift of all the logits of an individual example while the logit pairing loss is not.

The authors' results suggest that feature pairing (matching adversarial and clean intermediate features instead of logits) may also prove useful in the future.
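A minimal sketch of the adversarial logit pairing loss as I understand it (the weight `lam` and the choice of the base cross-entropy term are my assumptions, not the paper's exact recipe):

```python
import torch.nn.functional as F

def adversarial_logit_pairing_loss(model, x_clean, x_adv, y, lam=0.5):
    # Standard (adversarial) cross-entropy plus an L2 penalty that ties the
    # logits of each clean example to the logits of its adversarial counterpart.
    logits_clean = model(x_clean)
    logits_adv = model(x_adv)
    ce = F.cross_entropy(logits_adv, y)
    pairing = ((logits_adv - logits_clean) ** 2).mean()
    return ce + lam * pairing
```

The pairing term is what distinguishes ALP from plain adversarial training: it penalizes any drift between clean and adversarial logits, not just misclassification.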
See also: [Evaluating and Understanding the Robustness of Adversarial Logit Pairing](https://arxiv.org/abs/1807.10272)

--------------------------------------------------------------------------------
/2018/Art_of_Singular_Vectors_and_Universal_Adversarial_Perturbations.md:
--------------------------------------------------------------------------------
```
@inproceedings{DBLP:conf/cvpr/KhrulkovO18,
  author = {Khrulkov, Valentin and Oseledets, Ivan V},
  booktitle = {2018 {\{}IEEE{\}} Conference on Computer Vision and Pattern Recognition, {\{}CVPR{\}} 2018, Salt Lake City, UT, USA, June 18-22, 2018},
  doi = {10.1109/CVPR.2018.00893},
  pages = {8562--8570},
  publisher = {{\{}IEEE{\}} Computer Society},
  title = {{Art of Singular Vectors and Universal Adversarial Perturbations}},
  url = {http://openaccess.thecvf.com/content{\_}cvpr{\_}2018/html/Khrulkov{\_}Art{\_}of{\_}Singular{\_}CVPR{\_}2018{\_}paper.html},
  year = {2018}
}
```

--------------------------------------------------------------------------------
/2018/Boosting_Adversarial_Attacks_With_Momentum.md:
--------------------------------------------------------------------------------
```
@inproceedings{DBLP:conf/cvpr/DongLPS0HL18,
  author = {Dong, Yinpeng and Liao, Fangzhou and Pang, Tianyu and Su, Hang and Zhu, Jun and Hu, Xiaolin and Li, Jianguo},
  booktitle = {2018 {\{}IEEE{\}} Conference on Computer Vision and Pattern Recognition, {\{}CVPR{\}} 2018, Salt Lake City, UT, USA, June 18-22, 2018},
  doi = {10.1109/CVPR.2018.00957},
  pages = {9185--9193},
  publisher = {{\{}IEEE{\}} Computer Society},
  title = {{Boosting Adversarial Attacks With Momentum}},
  url = {http://openaccess.thecvf.com/content{\_}cvpr{\_}2018/html/Dong{\_}Boosting{\_}Adversarial{\_}Attacks{\_}CVPR{\_}2018{\_}paper.html},
  year = {2018}
}
```
![](../pics/algo1_DongLPS0HL18.png)

![](../pics/text_DongLPS0HL18.png)

--------------------------------------------------------------------------------
/2018/Characterizing_Adversarial_Examples_Based_on_Spatial_Consistency_Information_for_Semantic_Segmentation.md:
--------------------------------------------------------------------------------
```
@inproceedings{xiao2018characterizing,
  author = {Xiao, Chaowei and Deng, Ruizhi and Li, Bo and Yu, Fisher and Liu, Mingyan and Song, Dawn},
  booktitle = {Proceedings of the European Conference on Computer Vision (ECCV)},
  pages = {217--234},
  title = {{Characterizing adversarial examples based on spatial consistency information for semantic segmentation}},
  year = {2018}
}
```

--------------------------------------------------------------------------------
/2018/Constructing_Unrestricted_Adversarial_Examples_with_Generative_Models.md:
--------------------------------------------------------------------------------
```
@inproceedings{DBLP:conf/nips/SongSKE18,
  author = {Song, Yang and Shu, Rui and Kushman, Nate and Ermon, Stefano},
  booktitle = {Advances in Neural Information Processing Systems 31: Annual Conference on Neural Information Processing Systems 2018, NeurIPS 2018, 3-8 December 2018, Montr{\'{e}}al, Canada.},
  editor = {Bengio, Samy and Wallach, Hanna M and Larochelle, Hugo and Grauman, Kristen and Cesa-Bianchi, Nicol{\`{o}} and Garnett, Roman},
  pages = {8322--8333},
  title = {{Constructing Unrestricted Adversarial Examples with Generative Models}},
  url = {http://papers.nips.cc/paper/8052-constructing-unrestricted-adversarial-examples-with-generative-models},
  year = {2018}
}
```
This paper proposed a new type of adversarial example that is not constrained to adding imperceptible noise to existing images, but is instead generated from scratch by a generative model. In their approach they use a GAN whose conditional generator takes the label as input, and an auxiliary classifier is introduced to predict the labels of both training and generated images.

Specifically, they adapted WGAN with gradient penalty and the Auxiliary Classifier GAN (AC-GAN) to stabilize training and use label conditions. The objective functions can be found in the paper. The adversarial loss consists of three parts: the first part encourages the targeted classifier to misclassify inputs; the second part soft-constrains the search region of the randomly sampled noise vector (according to the paper, without this constraint the optimization may always converge to the same example for each class, though I have not figured out the reason); the third part encourages the auxiliary classifier to give correct predictions.

In addition to this basic attack, they also proposed a noise-augmented attack, which adds extra noise to the generated images. The authors say that *the representation power of the AC-GAN generator can be improved if we add small trainable noise to the generated image*.

Find the code [here](https://github.com/ermongroup/generative_adversary).

### Added on Oct. 2nd
This paper first trains an AC-GAN to generate images from noise. After that, an initial noise vector is given to the generator and the adversarial loss is computed; gradient descent is then used to find the right noise vector, with a constraint on the search space.

--------------------------------------------------------------------------------
/2018/Defense-{GAN}_Protecting_Classifiers_Against_Adversarial_Attacks_Using_Generative_Models.md:
--------------------------------------------------------------------------------
```
@inproceedings{samangouei2018defensegan,
  author = {Samangouei, Pouya and Kabkab, Maya and Chellappa, Rama},
  booktitle = {International Conference on Learning Representations},
  title = {{Defense-{\{}GAN{\}}: Protecting Classifiers Against Adversarial Attacks Using Generative Models}},
  url = {https://openreview.net/forum?id=BkJ3ibb0-},
  year = {2018}
}
```
This paper proposed Defense-GAN, a pre-processing technique applied before feeding the input to a classifier. Specifically, they train a WGAN whose generator maps latent vectors to the data distribution. At test time they sample points in the latent space and use the pretrained WGAN to reconstruct images; the reconstruction with the smallest L2 distance to the input image is selected and fed to the classifier. The classifier can be trained on either the original or the reconstructed dataset, which makes little difference to accuracy.
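A rough sketch of the reconstruction step as I understand it (the latent dimension, number of restarts, number of gradient steps and learning rate are placeholders, not the paper's values):

```python
import torch

def defense_gan_reconstruct(G, x, z_dim=128, n_restarts=10, n_steps=200, lr=0.05):
    # Search the latent space of a pre-trained generator G for the point whose
    # reconstruction is closest (in L2) to the input x, with random restarts.
    best_z, best_err = None, float("inf")
    for _ in range(n_restarts):
        z = torch.randn(1, z_dim, requires_grad=True)
        opt = torch.optim.SGD([z], lr=lr)
        for _ in range(n_steps):
            opt.zero_grad()
            err = ((G(z) - x) ** 2).sum()
            err.backward()
            opt.step()
        if err.item() < best_err:
            best_z, best_err = z.detach(), err.item()
    return G(best_z)  # this reconstruction, not x itself, goes to the classifier
```

The defense relies on the adversarial perturbation not being representable by the generator, so the projection onto the generator's range strips most of it away.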
11 | -------------------------------------------------------------------------------- /2018/Defense_Against_Adversarial_Attacks_Using_High_Level_Representation_Guided_Denoiser.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{DBLP:conf/cvpr/LiaoLDPH018, 3 | author = {Liao, Fangzhou and Liang, Ming and Dong, Yinpeng and Pang, Tianyu and Hu, Xiaolin and Zhu, Jun}, 4 | booktitle = {2018 {\{}IEEE{\}} Conference on Computer Vision and Pattern Recognition, {\{}CVPR{\}} 2018, Salt Lake City, UT, USA, June 18-22, 2018}, 5 | doi = {10.1109/CVPR.2018.00191}, 6 | pages = {1778--1787}, 7 | publisher = {{\{}IEEE{\}} Computer Society}, 8 | title = {{Defense Against Adversarial Attacks Using High-Level Representation Guided Denoiser}}, 9 | url = {http://openaccess.thecvf.com/content{\_}cvpr{\_}2018/html/Liao{\_}Defense{\_}Against{\_}Adversarial{\_}CVPR{\_}2018{\_}paper.html}, 10 | year = {2018} 11 | } 12 | ``` 13 | This defense has since been broken; see: 14 | https://arxiv.org/abs/1804.03286 -------------------------------------------------------------------------------- /2018/Defense_Against_Universal_Adversarial_Perturbations.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{DBLP:conf/cvpr/AkhtarLM18, 3 | author = {Akhtar, Naveed and Liu, Jian and Mian, Ajmal}, 4 | booktitle = {2018 {\{}IEEE{\}} Conference on Computer Vision and Pattern Recognition, {\{}CVPR{\}} 2018, Salt Lake City, UT, USA, June 18-22, 2018}, 5 | doi = {10.1109/CVPR.2018.00357}, 6 | pages = {3389--3398}, 7 | publisher = {{\{}IEEE{\}} Computer Society}, 8 | title = {{Defense Against Universal Adversarial Perturbations}}, 9 | url = {http://openaccess.thecvf.com/content{\_}cvpr{\_}2018/html/Akhtar{\_}Defense{\_}Against{\_}Universal{\_}CVPR{\_}2018{\_}paper.html}, 10 | year = {2018} 11 | } 12 | ``` 13 | ## Motivation 14 | The first paper to study defenses against universal adversarial perturbations. 15 | 16 | ## Methods 17 | A Perturbation Rectifying Network (PRN) to remove perturbations. 18 | A detector to decide whether a perturbation is present: they used an SVM on the log-absolute values of the 2D-DCT coefficients of the grey-scaled image. 19 | ![](./../pics/fig2_AkhtarLM18.png) 20 | 21 | As mentioned in the paper, synthesized perturbations are helpful for training the PRN, so they proposed a method to generate such perturbations. 22 | 23 | 24 | ## Thoughts 25 | - Honestly, I don't clearly understand the algorithm that synthesizes perturbations. 26 | - What's the intuition for using the DCT as a feature extractor?
27 | 28 | ## References 29 | https://blog.csdn.net/xunbaobao123/article/details/103028477 -------------------------------------------------------------------------------- /2018/Deflecting_Adversarial_Attacks_With_Pixel_Deflection.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{DBLP:conf/cvpr/PrakashMGDS18, 3 | author = {Prakash, Aaditya and Moran, Nick and Garber, Solomon and DiLillo, Antonella and Storer, James A}, 4 | booktitle = {2018 {\{}IEEE{\}} Conference on Computer Vision and Pattern Recognition, {\{}CVPR{\}} 2018, Salt Lake City, UT, USA, June 18-22, 2018}, 5 | doi = {10.1109/CVPR.2018.00894}, 6 | pages = {8571--8580}, 7 | publisher = {{\{}IEEE{\}} Computer Society}, 8 | title = {{Deflecting Adversarial Attacks With Pixel Deflection}}, 9 | url = {http://openaccess.thecvf.com/content{\_}cvpr{\_}2018/html/Prakash{\_}Deflecting{\_}Adversarial{\_}Attacks{\_}CVPR{\_}2018{\_}paper.html}, 10 | year = {2018} 11 | } 12 | ``` 13 | Pixel deflection and wavelet transform. 14 | 15 | ## Motivation 16 | Image classifiers tend to be robust to natural noise, and adversarial attacks tend to be agnostic to object location. 17 | 18 | These observations motivate our strategy, which leverages model robustness to defend against adversarial perturbations by forcing the image to match **natural image statistics**. 19 | 20 | What are natural image statistics? 21 | 22 | ## Two techniques 23 | ### Pixel deflection 24 | 25 | Even changing as much as $1\%$ of the original pixels does not alter the classification of a clean image. 26 | 27 | ![](../pics/algo1_PrakashMGDS18.png) 28 | 29 | ### Adaptive soft-thresholding in the wavelet domain 30 | 31 | ## Targeted Pixel Deflection 32 | Utilizes the localization of objects. 33 | - Class activation maps. 34 | - Saliency maps. 35 | 36 | ### Robust activation map 37 | They used an exponentially weighted average of the maps of the top-$k$ classes. 38 | 39 | $$\widehat{M}(x, y)=\sum_{i}^{k} \frac{M_{c_{i}}(x, y)}{2^{i}}$$ 40 | 41 | 42 | ## Wavelet denoising with adaptive thresholding -------------------------------------------------------------------------------- /2018/Ensemble_Adversarial_Training_Attacks_and_Defenses.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{tramèr2018ensemble, 3 | author = {Tram{\`{e}}r, Florian and Kurakin, Alexey and Papernot, Nicolas and Goodfellow, Ian and Boneh, Dan and McDaniel, Patrick}, 4 | booktitle = {International Conference on Learning Representations}, 5 | title = {{Ensemble Adversarial Training: Attacks and Defenses}}, 6 | url = {https://openreview.net/forum?id=rkZvSe-RZ}, 7 | year = {2018} 8 | } 9 | ``` 10 | When adversarial training was first proposed, perturbations were crafted using fast single-step methods that maximize a linear approximation of the model's loss. This form of adversarial training converges to a degenerate global minimum, wherein small curvature artefacts near the data points obfuscate a linear approximation of the loss. Adversarially trained models using single-step methods remain vulnerable to simple attacks. For black-box adversaries, the authors find that perturbations crafted on an undefended model often transfer to an adversarially trained one. 11 | 12 | **Ensemble adversarial training** augments training data with perturbations transferred from other models.
It decouples adversarial example generation from the parameters of the trained model, and increases the diversity of the perturbations seen during training. -------------------------------------------------------------------------------- /2018/Evaluating_and_understanding_the_robustness_of_adversarial_logit_pairing.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{engstrom2018evaluating, 3 | author = {Engstrom, Logan and Ilyas, Andrew and Athalye, Anish}, 4 | journal = {arXiv preprint arXiv:1807.10272}, 5 | title = {{Evaluating and understanding the robustness of adversarial logit pairing}}, 6 | year = {2018} 7 | } 8 | ``` 9 | Adversarial training 10 | $$\min _{\theta} \mathbb{E}_{(x, y) \sim \mathcal{D}}\left[\max _{\delta \in S} L(\theta, x+\delta, y)\right]$$ 11 | 12 | Adversarial Logit Pairing 13 | $$\begin{array}{c} 14 | \min _{\theta} \mathbb{E}_{(x, y) \sim \mathcal{D}}\left[L(\theta, x, y)+\lambda D\left(f(\theta, x), f\left(\theta, x+\delta^{*}\right)\right)\right] \\ 15 | \text { where } \delta^{*}=\underset{\delta \in \mathcal{S}}{\arg \max } L(\theta, x+\delta, y) 16 | \end{array}$$ 17 | 18 | ## Analyzing the defense objective 19 | ### Training on natural vs. adversarial images. 20 | In adversarial training, the minimization with respect to $\theta$ is done over the inputs that have been crafted by the max player; $\theta$ is not minimized with respect to any natural data $x \sim \mathcal{D}$. 21 | 22 | In ALP, the pairing term is applied as regularization on top of the loss on clean data. 23 | 24 | ### Generating targeted adversarial examples. 25 | ALP generates targeted adversarial examples during the training process. This again deviates from the robust optimization-inspired saddle point formulation for adversarial training, as the inner maximization player no longer maximizes $L(\theta, x+\delta, y)$, but rather minimizes $L\left(\theta, x+\delta, y_{a d v}\right)$ for another class $y_{adv}$. 26 | 27 | ## Analyzing empirical robustness 28 | Overall, the attack on the ALP-trained network required more steps of gradient descent to converge, but robustness had not increased: the optimization landscape of the ALP-trained network is simply less amenable to gradient descent. -------------------------------------------------------------------------------- /2018/Faster_Neural_Networks_Straight_from_JPEG.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @incollection{NIPS2018_7649, 3 | author = {Gueguen, Lionel and Sergeev, Alex and Kadlec, Ben and Liu, Rosanne and Yosinski, Jason}, 4 | booktitle = {Advances in Neural Information Processing Systems 31}, 5 | editor = {Bengio, S and Wallach, H and Larochelle, H and Grauman, K and Cesa-Bianchi, N and Garnett, R}, 6 | pages = {3933--3944}, 7 | publisher = {Curran Associates, Inc.}, 8 | title = {{Faster Neural Networks Straight from JPEG}}, 9 | url = {http://papers.nips.cc/paper/7649-faster-neural-networks-straight-from-jpeg.pdf}, 10 | year = {2018} 11 | } 12 | ``` 13 | 14 | Learning the DCT filters with a single convolution layer is hard and produces sub-performant networks. Moreover, leveraging the DCT weights directly yields better error rates, making JPEG DCT coefficients an appealing representation for feeding CNNs.
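As a rough illustration of this representation (not the authors' pipeline, which reads the coefficients straight from the JPEG codec), an 8x8 blockwise DCT that a network could consume instead of raw pixels might look like this:

```python
import numpy as np
from scipy.fft import dctn

def blockwise_dct(img, block=8):
    """Toy sketch: 8x8 block DCT-II of a grayscale image, the same transform
    JPEG applies before quantization. Output has shape (H//8, W//8, 64)."""
    h, w = img.shape
    h, w = h - h % block, w - w % block            # crop to a multiple of 8
    img = img[:h, :w].astype(np.float32) - 128.0   # JPEG-style level shift
    coeffs = np.empty((h // block, w // block, block * block), np.float32)
    for i in range(0, h, block):
        for j in range(0, w, block):
            c = dctn(img[i:i + block, j:j + block], norm="ortho")
            coeffs[i // block, j // block] = c.ravel()
    return coeffs
```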
-------------------------------------------------------------------------------- /2018/Generating_Adversarial_Examples_with_Adversarial_Networks.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{DBLP:conf/ijcai/XiaoLZHLS18, 3 | author = {Xiao, Chaowei and Li, Bo and Zhu, Jun-Yan and He, Warren and Liu, Mingyan and Song, Dawn}, 4 | booktitle = {Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence, {\{}IJCAI{\}} 2018, July 13-19, 2018, Stockholm, Sweden.}, 5 | doi = {10.24963/ijcai.2018/543}, 6 | editor = {Lang, J{\'{e}}r{\^{o}}me}, 7 | isbn = {978-0-9992411-2-7}, 8 | pages = {3905--3911}, 9 | publisher = {ijcai.org}, 10 | title = {{Generating Adversarial Examples with Adversarial Networks}}, 11 | url = {https://doi.org/10.24963/ijcai.2018/543}, 12 | year = {2018} 13 | } 14 | ``` 15 | This paper proposed to use a GAN to generate adversarial examples. To the best of my knowledge, this is the first paper to generate adversarial examples with a GAN. But there are a few shortcomings of their method: 16 | 1. Their method bakes the label into the training loss, which means that once the model is trained, it can only generate adversarial examples for one class. 17 | 2. The quality of the generated images is not satisfying. On MNIST, for example, the adversarial examples look unnatural, with easily recognizable shadow artifacts. -------------------------------------------------------------------------------- /2018/Generating_Natural_Adversarial_Examples.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{zhao2018generating, 3 | author = {Zhao, Zhengli and Dua, Dheeru and Singh, Sameer}, 4 | booktitle = {6th International Conference on Learning Representations, {\{}ICLR{\}} 2018, Vancouver, BC, Canada, April 30 - May 3, 2018, Conference Track Proceedings}, 5 | title = {{Generating Natural Adversarial Examples}}, 6 | url = {https://openreview.net/forum?id=H1BLjgZCb}, 7 | year = {2018} 8 | } 9 | ``` 10 | 11 | This paper proposed to generate more natural adversarial examples. The method first trains a WGAN to generate examples from a vector $z$ drawn from a Gaussian distribution, then trains an Inverter, which maps images to a vector $\tilde{z}$ with the same length as $z$. The inverter's loss makes $\tilde{z}$ close to $z$; in other words, the aim is to map images back into the Gaussian latent space. The attack then adds perturbations to $\tilde{z}$ and searches for the optimal noise, though the search process can be time-consuming. 12 | 13 | This method can generate adversarial examples for both images and text.
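A rough sketch of that search, assuming a pretrained generator `G`, inverter `I`, and target classifier `clf` (all placeholders, batch size 1); the paper uses a more elaborate iterative/hybrid shrinking search, replaced here by plain random sampling within a radius:

```python
import torch

def natural_adversary(G, I, clf, x, y_true, n_samples=1000, radius=0.5):
    """Search around the inverted latent code z = I(x) for the smallest
    latent perturbation whose decoded image changes the prediction."""
    z = I(x)                                   # map the image into latent space
    best_img, best_norm = None, float("inf")
    with torch.no_grad():
        for _ in range(n_samples):
            dz = torch.randn_like(z) * radius
            x_adv = G(z + dz)
            pred = clf(x_adv).argmax(dim=1).item()
            if pred != y_true and dz.norm().item() < best_norm:
                best_img, best_norm = x_adv, dz.norm().item()
    return best_img
```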
-------------------------------------------------------------------------------- /2018/Generative_Adversarial_Perturbations.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{DBLP:conf/cvpr/PoursaeedKGB18, 3 | author = {Poursaeed, Omid and Katsman, Isay and Gao, Bicheng and Belongie, Serge J}, 4 | booktitle = {2018 {\{}IEEE{\}} Conference on Computer Vision and Pattern Recognition, {\{}CVPR{\}} 2018, Salt Lake City, UT, USA, June 18-22, 2018}, 5 | doi = {10.1109/CVPR.2018.00465}, 6 | publisher = {{\{}IEEE{\}} Computer Society}, 7 | title = {{Generative Adversarial Perturbations}}, 8 | url = {http://openaccess.thecvf.com/content{\_}cvpr{\_}2018/html/Poursaeed{\_}Generative{\_}Adversarial{\_}Perturbations{\_}CVPR{\_}2018{\_}paper.html}, 9 | year = {2018} 10 | } 11 | ``` 12 | This paper investigated methods to generate adversarial perturbations. They categorized the perturbations along two axes: universal vs. image-dependent, and targeted vs. untargeted. 13 | 14 | Something interesting is that the perturbations converge to a bird-like pattern when generating universal perturbations, and the targeted universal perturbations contain patterns resembling the target class. **This is the first paper to generate targeted universal perturbations**. 15 | 16 | According to the experiments, the ResNet generator introduced in [1] outperforms the U-Net. 17 | 18 | [1] Johnson, J., Alahi, A., & Fei-Fei, L. (2016). Perceptual losses for real-time style transfer and super-resolution. European Conference on Computer Vision, 694–711. -------------------------------------------------------------------------------- /2018/Learning_Universal_Adversarial_Perturbations_with_Generative_Models.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{8424631, 3 | author = {Hayes, J and Danezis, G}, 4 | booktitle = {2018 IEEE Security and Privacy Workshops (SPW)}, 5 | doi = {10.1109/SPW.2018.00015}, 6 | keywords = {Atmospheric modeling,Error analysis,Machine learning,Measurement,Perturbation methods,Security,Training,adversarial examples,adversarial training,deep learning,generative models,generative network,known universal adversarial attacks,learning (artificial intelligence),misclassification,neural nets,neural networks,pattern classification,single perturbation,source input,universal adversarial networks,universal adversarial perturbations learning,universal perturbations}, 7 | month = {may}, 8 | pages = {43--49}, 9 | title = {{Learning Universal Adversarial Perturbations with Generative Models}}, 10 | year = {2018} 11 | } 12 | ``` 13 | This paper proposed to generate universal adversarial perturbations using generative models. The loss function is 14 | $$ 15 | L_{n t}=\underbrace{\log \left[f\left(\delta^{\prime}+x\right)\right]_{c_{0}}-\max _{i \neq c_{0}} \log \left[f\left(\delta^{\prime}+x\right)\right]_{i}}_{L_{f s}}+\underbrace{\alpha \cdot\left\|\delta^{\prime}\right\|_{p}}_{L_{d i s t}} 16 | $$ 17 | for untargeted attacks, which is adapted from the C&W attack and ZOO.
18 | 19 | $$ 20 | \min _{w} \frac{1}{N_{\mathrm{tr}}} \sum_{i=1}^{N_{\mathrm{tr}}}\left[\ell\left(f\left(x_{i} ; w\right), y_{i}\right)+\lambda \cdot\left\|\frac{\partial}{\partial x_{i}} \ell\left(f\left(x_{i} ; w\right), y_{i}\right)\right\|_{2}\right] 21 | $$ 22 | 23 | According to the experiments, it outperforms the two prior works [Universal Adversarial Perturbations](../2017/Universal_Adversarial_Perturbations.md) and [DeepFool](../2016/DeepFool.md). -------------------------------------------------------------------------------- /2018/Machine_Learning_with_Membership_Privacy_Using_Adversarial_Regularization.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{10.1145/3243734.3243855, 3 | address = {New York, NY, USA}, 4 | author = {Nasr, Milad and Shokri, Reza and Houmansadr, Amir}, 5 | booktitle = {Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security}, 6 | doi = {10.1145/3243734.3243855}, 7 | isbn = {9781450356930}, 8 | pages = {634--646}, 9 | publisher = {Association for Computing Machinery}, 10 | series = {CCS '18}, 11 | title = {{Machine Learning with Membership Privacy Using Adversarial Regularization}}, 12 | url = {https://doi.org/10.1145/3243734.3243855}, 13 | year = {2018} 14 | } 15 | ``` 16 | ## Summary 17 | This paper adopts adversarial training to protect membership privacy. 18 | ## Motivation 19 | Train machine learning models that guarantee membership privacy: no adversary should be able to distinguish between the predictions of the model on its training set and other data samples from the same underlying distribution. 20 | The objective is to achieve membership privacy with the minimum loss in classification accuracy. 21 | ## Method(s) 22 | ### Min-max membership privacy game 23 | Joint optimization of the privacy and classification objectives (a rough sketch of the alternating training loop is given after the conclusion below): 24 | $$\min _{f}(L_{D}(f)+\lambda \underbrace{\max _{h} G_{f, D, D^{\prime}}(h)}_{\text {optimal inference }})$$ 25 | ## Evaluation 26 | ### Dataset 27 | - CIFAR100 28 | - Purchase100 29 | - Texas100 30 | 31 | ![](../pics/tab2_10114532437343243855.png) 32 | ## Conclusion 33 | - The adversarial training for membership privacy strongly regularizes the model. Such a mechanism not only protects membership privacy but also significantly prevents overfitting. 34 | - The min-max mechanism achieves membership privacy with minimum generalization error. 35 | - Their privacy-preserving mechanism can guarantee maximum achievable membership privacy with only a negligible drop in the model's predictive power.
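A rough sketch of the alternating optimization behind the min-max game above, assuming `attacker` maps (prediction vector, label) pairs to a membership probability in (0, 1); the names are placeholders and only the member-side gain term is used in the classifier step for brevity, not the authors' full algorithm:

```python
import torch
import torch.nn.functional as F

def privacy_game_step(clf, attacker, opt_c, opt_a, x_mem, y_mem, x_ref, y_ref, lam=1.0):
    """One alternating step: maximize the attacker's inference gain, then
    train the classifier on its task loss plus lambda times that gain."""
    # 1) attacker step: distinguish members (training data) from reference data
    with torch.no_grad():
        p_mem, p_ref = F.softmax(clf(x_mem), 1), F.softmax(clf(x_ref), 1)
    gain = torch.log(attacker(p_mem, y_mem)).mean() + torch.log(1 - attacker(p_ref, y_ref)).mean()
    opt_a.zero_grad(); (-gain).backward(); opt_a.step()

    # 2) classifier step: classification loss + lambda * inference gain
    logits = clf(x_mem)
    loss = F.cross_entropy(logits, y_mem) + lam * torch.log(attacker(F.softmax(logits, 1), y_mem)).mean()
    opt_c.zero_grad(); loss.backward(); opt_c.step()
    return loss.item()
```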
36 | ## Related work -------------------------------------------------------------------------------- /2018/Multi_Scale_Dense_Networks_for_Resource_Efficient_Image_Classification.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{ 3 | huang2018multiscale, 4 | title={Multi-Scale Dense Networks for Resource Efficient Image Classification}, 5 | author={Gao Huang and Danlu Chen and Tianhong Li and Felix Wu and Laurens van der Maaten and Kilian Weinberger}, 6 | booktitle={International Conference on Learning Representations}, 7 | year={2018}, 8 | url={https://openreview.net/forum?id=Hk2aImxAb}, 9 | } 10 | ``` 11 | There are two reasons why intermediate early-exit classifiers hurt the performance of deep neural networks: **early classifiers lack coarse-level features** and **classifiers throughout interfere with the feature generation process.** 12 | 13 | Empirically, we find that using the same weight for all loss functions (i.e., setting $\forall k: w_{k}=1$) works well in practice. 14 | -------------------------------------------------------------------------------- /2018/Obfuscated_Gradients_Give_a_False_Sense_of_Security_Circumventing_Defenses_to_Adversarial_Examples.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{pmlr-v80-athalye18a, 3 | address = {Stockholmsm{\"{a}}ssan, Stockholm Sweden}, 4 | author = {Athalye, Anish and Carlini, Nicholas and Wagner, David}, 5 | booktitle = {Proceedings of the 35th International Conference on Machine Learning}, 6 | editor = {Dy, Jennifer and Krause, Andreas}, 7 | pages = {274--283}, 8 | publisher = {PMLR}, 9 | series = {Proceedings of Machine Learning Research}, 10 | title = {{Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples}}, 11 | url = {http://proceedings.mlr.press/v80/athalye18a.html}, 12 | volume = {80}, 13 | year = {2018} 14 | } 15 | ``` 16 | ## Summary 17 | ## Motivation 18 | Obfuscated gradients are defined as a special case of gradient masking. Without a good gradient, i.e. when following the gradient does not successfully optimize the loss, iterative optimization-based methods cannot succeed. 19 | - **shattered gradients** are caused when a defense is non-differentiable, introduces numeric instability, or otherwise causes a gradient to be nonexistent or incorrect. Defenses that cause gradient shattering can do so unintentionally, by using differentiable operations but where following the gradient does not maximize classification loss globally. 20 | - **stochastic gradients** are caused by randomized defenses, where either the network itself is randomized or the input is randomly transformed before being fed to the classifier, causing the gradients to become randomized. This causes methods using a single sample of the randomness to incorrectly estimate the true gradient. 21 | - **vanishing/exploding gradients** are often caused by defenses that consist of multiple iterations of neural network evaluation, feeding the output of one computation as the input of the next. This type of computation, when unrolled, can be viewed as an extremely deep neural network evaluation, which can cause vanishing/exploding gradients. 22 | 23 | #### Identifying obfuscated & masked gradients 24 | - one-step attacks perform better than iterative attacks. 25 | - black-box attacks are better than white-box attacks. 26 | - unbounded attacks do not reach 100% success.
27 | - random sampling finds adversarial examples. 28 | - increasing the distortion bound does not increase success. 29 | 30 | ## Method(s) 31 | ### Backward Pass Differentiable Approximation (BPDA) 32 | The main idea is to approximate the non-differentiable operation $f^{i}(x)$ with a differentiable function $g(x) \approx f^{i}(x)$. 33 | Then, in the backward pass, use $g(x)$ to calculate gradients. 34 | 35 | ## Evaluation 36 | ## Conclusion 37 | ## Related work -------------------------------------------------------------------------------- /2018/Robust_physical_world_attacks_on_deep_learning_visual_classification.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{eykholt2018robust, 3 | author = {Eykholt, Kevin and Evtimov, Ivan and Fernandes, Earlence and Li, Bo and Rahmati, Amir and Xiao, Chaowei and Prakash, Atul and Kohno, Tadayoshi and Song, Dawn}, 4 | booktitle = {Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition}, 5 | pages = {1625--1634}, 6 | title = {{Robust physical-world attacks on deep learning visual classification}}, 7 | year = {2018} 8 | } 9 | ``` 10 | ## Motivation 11 | Challenges for physical-world attacks: 12 | - Environmental conditions. The distance and angle of the viewing camera vary. 13 | - Spatial constraints. For a physical road sign, the attacker cannot manipulate the background imagery, and the road sign's appearance will change depending on the distance and angle of the viewing camera. 14 | - Physical limits on imperceptibility. We need to ensure that a camera can still perceive the perturbations. 15 | - Fabrication error. All perturbation values must be valid colours that can be reproduced in the real world. 16 | 17 | ## Methods 18 | ### Overview 19 | 1. Start with the optimization method that generates a perturbation for a single image, without considering other physical conditions. 20 | 2. Update the algorithm taking the physical challenges above into account. 21 | 22 | ### Details 23 | - For **environmental conditions**, model the distribution of images containing the object under both physical and digital transformations, $X^V$. Sample instances from $X^V$ both by generating experimental data that contains actual physical condition variability and by applying synthetic transformations. 24 | - For **spatial constraints** and **physical limits on imperceptibility**, introduce a mask to project the computed perturbations to a physical region on the surface of the object. This mask also helps generate perturbations that are visible but inconspicuous to human observers. 25 | - For **fabrication error**, add an additional term to the objective function that models printer color reproduction errors. This term is based upon the Non-Printability Score (NPS). A rough sketch of the resulting objective is given after the thoughts below. 26 | ## Thoughts 27 | 1. Use the L1 metric to find the most vulnerable positions, and then use the L2 metric to generate the perturbation.
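A rough sketch in the spirit of the masked, transformation-averaged objective described above (the NPS printability term is omitted; `imgs` simply stands in for a batch of physically/synthetically transformed views of the sign, and all names are placeholders):

```python
import torch
import torch.nn.functional as F

def masked_physical_attack_loss(model, imgs, y_target, delta, mask, lam=1e-3):
    """Targeted loss averaged over transformed views, with the perturbation
    confined to the sticker region given by `mask`; the norm term keeps the
    printed perturbation small."""
    adv = torch.clamp(imgs + mask * delta, 0.0, 1.0)
    attack = F.cross_entropy(model(adv), y_target)              # push towards the target class
    reg = (mask * delta).flatten(1).norm(p=2, dim=1).mean()     # penalize perturbation size
    return attack + lam * reg

# delta would be an image-shaped leaf tensor with requires_grad=True,
# optimized with e.g. Adam over many sampled transformations.
```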
28 | 29 | -------------------------------------------------------------------------------- /2018/SPATIALLY_TRANSFORMED_ADVERSARIAL_EXAMPLES.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{xiao2018spatially, 3 | author = {Xiao, Chaowei and Zhu, Jun-Yan and Li, Bo and He, Warren and Liu, Mingyan and Song, Dawn}, 4 | booktitle = {International Conference on Learning Representations}, 5 | title = {{Spatially Transformed Adversarial Examples}}, 6 | url = {https://openreview.net/forum?id=HyydRMZC-}, 7 | year = {2018} 8 | } 9 | ``` 10 | [OpenReview](https://openreview.net/forum?id=HyydRMZC-) 11 | 12 | To the best of my knowledge, this is the first paper to generate adversarial examples by modifying the geometry of images; it introduces a new type of adversarial example. 13 | 14 | In this paper, they defined a new loss called $\mathcal{L}_{flow}$ to evaluate the distortion. 15 | $$ 16 | \mathcal{L}_{f l o w}(f)=\sum_{p}^{\text {all pixels}} \sum_{q \in \mathcal{N}(p)} \sqrt{\left\|\Delta u^{(p)}-\Delta u^{(q)}\right\|_{2}^{2}+\left\|\Delta v^{(p)}-\Delta v^{(q)}\right\|_{2}^{2}} 17 | $$ -------------------------------------------------------------------------------- /2018/Virtual_adversarial_training_a_regularization_method_for_supervised_and_semi_supervised_learning.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{miyato2018virtual, 3 | author = {Miyato, Takeru and Maeda, Shin-ichi and Koyama, Masanori and Ishii, Shin}, 4 | journal = {IEEE transactions on pattern analysis and machine intelligence}, 5 | number = {8}, 6 | pages = {1979--1993}, 7 | publisher = {IEEE}, 8 | title = {{Virtual adversarial training: a regularization method for supervised and semi-supervised learning}}, 9 | volume = {41}, 10 | year = {2018} 11 | } 12 | ``` 13 | 14 | Ref: 15 | - https://divamgupta.com/unsupervised-learning/semi-supervised-learning/2019/05/31/introduction-to-virtual-adversarial-training.html 16 | 17 | Code: 18 | - https://github.com/9310gaurav/virtual-adversarial-training -------------------------------------------------------------------------------- /2019/A_Closer_Look_at_Double_Backpropagation.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{2020arXiv200301895S, 3 | archivePrefix = {arXiv}, 4 | arxivId = {cs.CV/2003.01895}, 5 | author = {Sun, Chengjin and Chen, Sizhe and Huang, Xiaolin}, 6 | eprint = {2003.01895}, 7 | journal = {arXiv e-prints}, 8 | keywords = {Computer Science - Computer Vision and Pattern Rec,Computer Science - Machine Learning}, 9 | month = {mar}, 10 | pages = {arXiv:2003.01895}, 11 | primaryClass = {cs.CV}, 12 | title = {{Double Backpropagation for Training Autoencoders against Adversarial Attack}}, 13 | year = {2020} 14 | } 15 | ``` 16 | ### Double Backpropagation 17 | $$\ell(f(x), y)+\lambda \cdot\left\|\nabla_{x} \ell(f(x), y)\right\|_{2}^{2}$$ 18 | 19 | The Frobenius norm is used, which is the matrix analogue of the $l_2$ norm for vectors. 20 | 21 | 22 | Too much mathematics for me to summarize.
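A minimal sketch of this regularizer in PyTorch, assuming a standard classifier with a cross-entropy loss rather than the autoencoder setting of the paper:

```python
import torch
import torch.nn.functional as F

def double_backprop_loss(model, x, y, lam=0.01):
    """Cross-entropy loss plus lambda * ||d loss / d x||_2^2, the double
    backpropagation penalty; create_graph=True keeps the input gradient
    differentiable so it can itself be backpropagated through."""
    x = x.clone().requires_grad_(True)
    loss = F.cross_entropy(model(x), y)
    (grad_x,) = torch.autograd.grad(loss, x, create_graph=True)
    penalty = grad_x.flatten(1).pow(2).sum(dim=1).mean()
    return loss + lam * penalty
```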
-------------------------------------------------------------------------------- /2019/A_New_Defense_Against_Adversarial_Images_Turning_a_Weakness_into_a_Strength.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @incollection{NIPS2019_8441, 3 | author = {Hu, Shengyuan and Yu, Tao and Guo, Chuan and Chao, Wei-Lun and Weinberger, Kilian Q}, 4 | booktitle = {Advances in Neural Information Processing Systems 32}, 5 | editor = {Wallach, H and Larochelle, H and Beygelzimer, A and d$\backslash$textquotesingle Alch{\'{e}}-Buc, F and Fox, E and Garnett, R}, 6 | pages = {1633--1644}, 7 | publisher = {Curran Associates, Inc.}, 8 | title = {{A New Defense Against Adversarial Images: Turning a Weakness into a Strength}}, 9 | url = {http://papers.nips.cc/paper/8441-a-new-defense-against-adversarial-images-turning-a-weakness-into-a-strength.pdf}, 10 | year = {2019} 11 | } 12 | ``` 13 | ## Motivation 14 | Recent studies [1][2] show that the existence of adversarial perturbations may be an inherent property of natural data distributions in high-dimensional spaces. 15 | The authors use this inherent property as a signature to attest whether an image is unperturbed. 16 | 17 | On the one hand, natural images lie with high probability near the decision boundary to any given label [1][2]. On the other hand, natural images are robust to random noise [49], which means these small "pockets" of space where the input is misclassified have low density and are unlikely to be found through random perturbations. 18 | 19 | ## Methods 20 | **Existing methods**: 21 | - feature squeezing *W. Xu, D. Evans, and Y. Qi. Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks. Network and Distributed Systems Security Symposium (NDSS), 2018.* 22 | - Artifacts *R. Feinman, R. R. Curtin, S. Shintre, and A. B. Gardner. Detecting Adversarial Samples from Artifacts.* 23 | 24 | **Criterion 1: Robustness to random noise.** Sample $\epsilon \sim N\left(0, \sigma^{2} I\right)$ and compute $\Delta=\|h(\mathbf{x})-h(\mathbf{x}+\epsilon)\|_{1}$. The input is rejected as adversarial if $\Delta$ is sufficiently large. 25 | 26 | This is because adversarial perturbations push the benign image close to the decision boundary of the incorrect class. Under Gaussian noise, the image may move back to the original class. 27 | 28 | However, C1 is not enough if the image is pushed into a deep area of the incorrect class. 29 | 30 | **Criterion 2: Susceptibility to adversarial noise.** For a chosen first-order iterative attack algorithm A, evaluate A on the input x and record the minimum number of steps K required to adversarially perturb x. The input is rejected as adversarial if K is sufficiently large. 31 | 32 | The intuition is that real images require very few steps to reach the decision boundary of any random target class. 33 | 34 | 35 | 36 | 37 | 38 | ## References 39 | [1] Fawzi, A., Fawzi, H., & Fawzi, O. (2018). Adversarial vulnerability for any classifier. In S. Bengio, H. M. Wallach, H. Larochelle, K. Grauman, N. Cesa-Bianchi, & R. Garnett (Eds.), Advances in Neural Information Processing Systems 31: Annual Conference on Neural Information Processing Systems 2018, NeurIPS 2018, 3-8 December 2018, Montréal, Canada. (pp. 1186–1195). Retrieved from http://papers.nips.cc/paper/7394-adversarial-vulnerability-for-any-classifier 40 | [2] Shafahi, A., Huang, W. R., Studer, C., Feizi, S., & Goldstein, T. (2019). Are adversarial examples inevitable?
7th International Conference on Learning Representations, {ICLR} 2019, New Orleans, LA, USA, May 6-9, 2019. Retrieved from https://openreview.net/forum?id=r1lWUoA9FQ -------------------------------------------------------------------------------- /2019/AdvIT_Adversarial_Frames_Identifier_Based_on_Temporal_Consistency_in_Videos.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{Xiao_2019_ICCV, 3 | author = {Xiao, Chaowei and Deng, Ruizhi and Li, Bo and Lee, Taesung and Edwards, Benjamin and Yi, Jinfeng and Song, Dawn and Liu, Mingyan and Molloy, Ian}, 4 | booktitle = {The IEEE International Conference on Computer Vision (ICCV)}, 5 | month = {oct}, 6 | title = {{AdvIT: Adversarial Frames Identifier Based on Temporal Consistency in Videos}}, 7 | year = {2019} 8 | } 9 | ``` -------------------------------------------------------------------------------- /2019/Adversarial_Attacks_on_Graph_Neural_Networks_via_Meta_Learning.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{zügner2018adversarial, 3 | author = {Z{\"{u}}gner, Daniel and G{\"{u}}nnemann, Stephan}, 4 | booktitle = {International Conference on Learning Representations}, 5 | title = {{Adversarial Attacks on Graph Neural Networks via Meta Learning}}, 6 | url = {https://openreview.net/forum?id=Bylnx209YX}, 7 | year = {2019} 8 | } 9 | ``` -------------------------------------------------------------------------------- /2019/Adversarial_Examples_Are_Not_Bugs_They_Are_Features.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @incollection{NIPS2019_8307, 3 | author = {Ilyas, Andrew and Santurkar, Shibani and Tsipras, Dimitris and Engstrom, Logan and Tran, Brandon and Madry, Aleksander}, 4 | booktitle = {Advances in Neural Information Processing Systems 32}, 5 | editor = {Wallach, H and Larochelle, H and Beygelzimer, A and d$\backslash$textquotesingle Alch{\'{e}}-Buc, F and Fox, E and Garnett, R}, 6 | pages = {125--136}, 7 | publisher = {Curran Associates, Inc.}, 8 | title = {{Adversarial Examples Are Not Bugs, They Are Features}}, 9 | url = {http://papers.nips.cc/paper/8307-adversarial-examples-are-not-bugs-they-are-features.pdf}, 10 | year = {2019} 11 | } 12 | ``` 13 | 14 | https://distill.pub/2019/advex-bugs-discussion/response-5/ -------------------------------------------------------------------------------- /2019/Adversarial_Examples_Are_a_Natural_Consequence_of_Test_Error_in_Noise.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{DBLP:conf/icml/GilmerFCC19, 3 | author = {Gilmer, Justin and Ford, Nicolas and Carlini, Nicholas and Cubuk, Ekin D}, 4 | booktitle = {Proceedings of the 36th International Conference on Machine Learning, {\{}ICML{\}} 2019, 9-15 June 2019, Long Beach, California, {\{}USA{\}}}, 5 | editor = {Chaudhuri, Kamalika and Salakhutdinov, Ruslan}, 6 | pages = {2280--2289}, 7 | publisher = {PMLR}, 8 | series = {Proceedings of Machine Learning Research}, 9 | title = {{Adversarial Examples Are a Natural Consequence of Test Error in Noise}}, 10 | url = {http://proceedings.mlr.press/v97/gilmer19a.html}, 11 | volume = {97}, 12 | year = {2019} 13 | } 14 | ``` 15 | ## Motivation 16 | Image classifiers also lack human-level performance on randomly corrupted images, such as images with additive Gaussian noise. 
**This paper tries to establish close connections between the adversarial robustness and corruption robustness research programs.** 17 | 18 | Two types of errors: 19 | - adversarial example researchers seek to measure and improve robustness to small worst-case perturbations of the input 20 | - corruption robustness researchers seek to measure and improve model robustness to distributional shift. 21 | 22 | Overall, it's a paper I couldn't understand clearly. 23 | 24 | ## Updates 25 | Improving an alternate notion of adversarial robustness requires that error rates under large additive noise be reduced to essentially zero. -------------------------------------------------------------------------------- /2019/Adversarial_Learning_With_Margin_Based_Triplet_Embedding_Regularization.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{Zhong_2019_ICCV, 3 | author = {Zhong, Yaoyao and Deng, Weihong}, 4 | booktitle = {The IEEE International Conference on Computer Vision (ICCV)}, 5 | month = {oct}, 6 | title = {{Adversarial Learning With Margin-Based Triplet Embedding Regularization}}, 7 | year = {2019} 8 | } 9 | ``` 10 | Put simply, it is like margin-based adversarial training. 11 | 12 | ![](../pics/algo1_Zhong_2019_ICCV.png) 13 | ![](../pics/eqn3_Zhong_2019_ICCV.png) 14 | ![](../pics/eqn10_Zhong_2019_ICCV.png) -------------------------------------------------------------------------------- /2019/Adversarial_Robustness_as_a_Prior_for_Learned_Representations.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{engstrom2019adversarial, 3 | author = {Engstrom, Logan and Ilyas, Andrew and Santurkar, Shibani and Tsipras, Dimitris and Tran, Brandon and Madry, Aleksander}, 4 | journal = {arXiv preprint arXiv:1906.00945}, 5 | title = {{Adversarial robustness as a prior for learned representations}}, 6 | year = {2019} 7 | } 8 | ``` 9 | -------------------------------------------------------------------------------- /2019/Adversarial_Robustness_through_Local_Linearization.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @incollection{NIPS2019_8821, 3 | author = {Tramer, Florian and Boneh, Dan}, 4 | booktitle = {Advances in Neural Information Processing Systems 32}, 5 | editor = {Wallach, H and Larochelle, H and Beygelzimer, A and d$\backslash$textquotesingle Alch{\'{e}}-Buc, F and Fox, E and Garnett, R}, 6 | pages = {5858--5868}, 7 | publisher = {Curran Associates, Inc.}, 8 | title = {{Adversarial Training and Robustness for Multiple Perturbations}}, 9 | url = {http://papers.nips.cc/paper/8821-adversarial-training-and-robustness-for-multiple-perturbations.pdf}, 10 | year = {2019} 11 | } 12 | ``` 13 | ## Motivation 14 | The computational cost of adversarial training grows prohibitively as the size of the model and the number of input dimensions increase. 15 | 16 | Training against less expensive and therefore weaker adversaries produces models that are robust against weak attacks but break down under attacks that are stronger. 17 | 18 | One approach which can alleviate the cost of adversarial training is training against weaker adversaries that are cheaper to compute, for example by taking fewer gradient steps to compute adversarial examples during training. 19 | However, this can produce models which are robust against weak attacks, but break down under strong attacks, often due to **gradient obfuscation**.
20 | 21 | If the loss surface were linear in the vicinity of the training examples, that is to say, well-predicted by local gradient information, gradient obfuscation cannot occur. 22 | 23 | See the supplementary material to learn about the algorithm. -------------------------------------------------------------------------------- /2019/Adversarial_Training_and_Robustness_for_Multiple_Perturbations.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @incollection{NIPS2019_8821, 3 | author = {Tramer, Florian and Boneh, Dan}, 4 | booktitle = {Advances in Neural Information Processing Systems 32}, 5 | editor = {Wallach, H and Larochelle, H and Beygelzimer, A and d$\backslash$textquotesingle Alch{\'{e}}-Buc, F and Fox, E and Garnett, R}, 6 | pages = {5858--5868}, 7 | publisher = {Curran Associates, Inc.}, 8 | title = {{Adversarial Training and Robustness for Multiple Perturbations}}, 9 | url = {http://papers.nips.cc/paper/8821-adversarial-training-and-robustness-for-multiple-perturbations.pdf}, 10 | year = {2019} 11 | } 12 | ``` 13 | Extending defenses to multiple perturbations unveils a clear robustness trade-off. -------------------------------------------------------------------------------- /2019/Adversarially_Robust_Distillation.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{DBLP:conf/iccv/ZhangSGCBM19, 3 | author = {Zhang, Linfeng and Song, Jiebo and Gao, Anni and Chen, Jingwei and Bao, Chenglong and Ma, Kaisheng}, 4 | booktitle = {2019 {\{}IEEE/CVF{\}} International Conference on Computer Vision, {\{}ICCV{\}} 2019, Seoul, Korea (South), October 27 - November 2, 2019}, 5 | doi = {10.1109/ICCV.2019.00381}, 6 | pages = {3712--3721}, 7 | publisher = {IEEE}, 8 | title = {{Be Your Own Teacher: Improve the Performance of Convolutional Neural Networks via Self Distillation}}, 9 | url = {https://doi.org/10.1109/ICCV.2019.00381}, 10 | year = {2019} 11 | } 12 | ``` 13 | ## Motivation 14 | This paper studies how adversarial robustness transfers from teacher to student during knowledge distillation. 15 | 16 | ![](../pics/algo1_ZhangSGCBM19.png) 17 | 18 | 19 | **Not worth reading; the writing is bad.** -------------------------------------------------------------------------------- /2019/Are_Labels_Required_for_Improving_Adversarial_Robustness.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @incollection{NIPS2019_9388, 3 | author = {Alayrac, Jean-Baptiste and Uesato, Jonathan and Huang, Po-Sen and Fawzi, Alhussein and Stanforth, Robert and Kohli, Pushmeet}, 4 | booktitle = {Advances in Neural Information Processing Systems 32}, 5 | editor = {Wallach, H and Larochelle, H and Beygelzimer, A and d$\backslash$textquotesingle Alch{\'{e}}-Buc, F and Fox, E and Garnett, R}, 6 | pages = {12192--12202}, 7 | publisher = {Curran Associates, Inc.}, 8 | title = {{Are Labels Required for Improving Adversarial Robustness?}}, 9 | url = {http://papers.nips.cc/paper/9388-are-labels-required-for-improving-adversarial-robustness.pdf}, 10 | year = {2019} 11 | } 12 | ``` 13 | 14 | ## Summary 15 | This paper demonstrates that adversarial robustness can be improved by training on unlabelled data. They proposed two unsupervised training losses. A key point is that controlling the smoothness loss drives adversarial generalization, as the smoothness loss is observed to dominate the classification loss on the test set.
16 | 17 | ## Motivation 18 | The central hypothesis is that additional unlabeled examples may suffice for adversarial robustness. 19 | - adversarial robustness depends on the smoothness of the classifier around natural images, which can be estimated from unlabeled data. 20 | - only a relatively small amount of labeled data is needed for standard generalization. 21 | 22 | They propose unsupervised adversarial training (UAT) to use unlabeled data for adversarial training. 23 | ## Method(s) 24 | ## Evaluation 25 | ## Conclusion 26 | ## Related work -------------------------------------------------------------------------------- /2019/Are_adversarial_examples_inevitable.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{shafahi2018are, 3 | annote = {Need to read through the papers mentioned in the background. Very good summary.}, 4 | author = {Shafahi, Ali and Huang, W Ronny and Studer, Christoph and Feizi, Soheil and Goldstein, Tom}, 5 | booktitle = {7th International Conference on Learning Representations, {\{}ICLR{\}} 2019, New Orleans, LA, USA, May 6-9, 2019}, 6 | file = {:E$\backslash$:/GoogleDrive/{\#}BAI TAO{\#} Adversarial ML/Mendeley/2019 - Are adversarial examples inevitable.pdf:pdf}, 7 | title = {{Are adversarial examples inevitable?}}, 8 | url = {https://openreview.net/forum?id=r1lWUoA9FQ}, 9 | year = {2019} 10 | } 11 | ``` 12 | This paper contains lots of math. I need to find time to read it through. **Besides, the background gives a good summary of current progress in this field.** -------------------------------------------------------------------------------- /2019/Be_Your_Own_Teacher_Improve the_Performance_of_Convolutional_Neural_Networks_via_Self_Distillation.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{DBLP:conf/iccv/ZhangSGCBM19, 3 | author = {Zhang, Linfeng and Song, Jiebo and Gao, Anni and Chen, Jingwei and Bao, Chenglong and Ma, Kaisheng}, 4 | booktitle = {2019 {\{}IEEE/CVF{\}} International Conference on Computer Vision, {\{}ICCV{\}} 2019, Seoul, Korea (South), October 27 - November 2, 2019}, 5 | doi = {10.1109/ICCV.2019.00381}, 6 | pages = {3712--3721}, 7 | publisher = {IEEE}, 8 | title = {{Be Your Own Teacher: Improve the Performance of Convolutional Neural Networks via Self Distillation}}, 9 | url = {https://doi.org/10.1109/ICCV.2019.00381}, 10 | year = {2019} 11 | } 12 | 13 | ``` 14 | ## Motivation 15 | Two existing problems in traditional knowledge distillation: 16 | - Low efficiency of knowledge transfer: student models scarcely exploit all of the knowledge from teacher models, and student models rarely outperform their teachers. 17 | - How to design and train proper teacher models. 18 | ## Methods 19 | ![](../pics/fig2_ZhangSGCBM19.png) 20 | 21 | 22 | #### Deep supervision 23 | Deep supervision is based on the observation that classifiers trained on highly discriminating features can improve the performance in inference [1]. 24 | 25 | [1] Lee, C. Y., Xie, S., Gallagher, P., Zhang, Z., & Tu, Z. (2015, February). Deeply-supervised nets. In Artificial intelligence and statistics (pp. 562-570).
-------------------------------------------------------------------------------- /2019/CIIDefence_Defeating_Adversarial_Attacks_by_Fusing_Class_Specific_Image_Inpainting_and_Image_Denoising.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{Gupta_2019_ICCV, 3 | author = {Gupta, Puneet and Rahtu, Esa}, 4 | booktitle = {The IEEE International Conference on Computer Vision (ICCV)}, 5 | month = {oct}, 6 | title = {{CIIDefence: Defeating Adversarial Attacks by Fusing Class-Specific Image Inpainting and Image Denoising}}, 7 | year = {2019} 8 | } 9 | ``` 10 | ![](../pics/fig1_Gupta_2019_ICCV.png) 11 | 12 | One of the key ideas in CIIDefence is to select the regions to inpaint using the Class Activation Map (CAM) technique, which pinpoints the image parts most influential to the classification outcome. 13 | 14 | Finally, we fuse our inpainting based defence with wavelet based image denoising [1] to further improve the results. In addition, this combination provides a non-differentiable layer that turns out to be difficult to approximate with simple differentiable alternatives. 15 | 16 | [1] Prakash, A., Moran, N., Garber, S., DiLillo, A., & Storer, J. A. (2018). Deflecting Adversarial Attacks With Pixel Deflection. 2018 {IEEE} Conference on Computer Vision and Pattern Recognition, {CVPR} 2018, Salt Lake City, UT, USA, June 18-22, 2018, 8571–8580. https://doi.org/10.1109/CVPR.2018.00894 -------------------------------------------------------------------------------- /2019/Cross_Domain_Transferability_of_Adversarial_Perturbations.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @incollection{NIPS2019_9450, 3 | archivePrefix = {arXiv}, 4 | arxivId = {arXiv:1905.11736v3}, 5 | author = {Naseer, Muzammal and Khan, Salman H and Khan, Muhammad Haris and Khan, Fahad Shahbaz and Porikli, Fatih}, 6 | booktitle = {Advances in Neural Information Processing Systems 32}, 7 | eprint = {arXiv:1905.11736v3}, 8 | pages = {12885--12895}, 9 | publisher = {Curran Associates, Inc.}, 10 | title = {{Cross-Domain Transferability of Adversarial Perturbations}}, 11 | url = {http://papers.nips.cc/paper/9450-cross-domain-transferability-of-adversarial-perturbations.pdf}, 12 | year = {2019} 13 | } 14 | ``` 15 | - An instance-agnostic adversarial perturbation generated by a GAN. 16 | - Proposed a relativistic cross-entropy loss. 17 | -------------------------------------------------------------------------------- /2019/Cycle_Consistent_Adversarial_{GAN}_the_integration_of_adversarial_attack_and_defense.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{DBLP:journals/corr/abs-1904-06026, 3 | archivePrefix = {arXiv}, 4 | arxivId = {1904.06026}, 5 | author = {Jiang, Lingyun and Qiao, Kai and Qin, Ruoxi and Wang, Linyuan and Chen, Jian and Bu, Haibing and Yan, Bin}, 6 | eprint = {1904.06026}, 7 | journal = {CoRR}, 8 | title = {{Cycle-Consistent Adversarial {\{}GAN:{\}} the integration of adversarial attack and defense}}, 9 | url = {http://arxiv.org/abs/1904.06026}, 10 | volume = {abs/1904.0}, 11 | year = {2019} 12 | } 13 | ``` 14 | This is a paper where you can guess what they did from the title alone. I, however, happened to have a similar idea.
-------------------------------------------------------------------------------- /2019/Decoupling_Direction_and_Norm_for_Efficient_Gradient_Based_L2_Adversarial_Attacks_and_Defenses.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{Rony_2019_CVPR, 3 | author = {Rony, Jerome and Hafemann, Luiz G and Oliveira, Luiz S and Ayed, Ismail Ben and Sabourin, Robert and Granger, Eric}, 4 | booktitle = {The IEEE Conference on Computer Vision and Pattern Recognition (CVPR)}, 5 | month = {jun}, 6 | title = {{Decoupling Direction and Norm for Efficient Gradient-Based L2 Adversarial Attacks and Defenses}}, 7 | year = {2019} 8 | } 9 | ``` 10 | ## Motivation 11 | The C&W attack is presently the most effective white-box attack in the literature, but it is slow and requires thousands of iterations. 12 | 13 | This attack optimizes the cross-entropy loss and, instead of penalizing the norm in each iteration, projects the perturbation onto an $L_2$-sphere centered at the original image. 14 | 15 | ## Methods 16 | **Decoupled Direction and Norm Attack (DDN)** 17 | 18 | Penalty methods like the C&W attack converge slowly and require careful selection of the penalty hyperparameter. 19 | 20 | In this method, there is no penalty on the $L_2$ norm during the optimization. Instead, the norm is constrained by projecting the adversarial perturbation $\delta$ onto an $\epsilon$-sphere around the original image $x$. 21 | 22 | It amounts to finding the smallest perturbation of $x$ that makes it an adversarial example. 23 | 24 | ![](../pics/algo1_Rony_2019_CVPR.png) -------------------------------------------------------------------------------- /2019/Defending_Adversarial_Attacks_by_Correcting_logits.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{DBLP:journals/corr/abs-1906-10973, 3 | archivePrefix = {arXiv}, 4 | arxivId = {1906.10973}, 5 | author = {Li, Yifeng and Xie, Lingxi and Zhang, Ya and Zhang, Rui and Wang, Yanfeng and Tian, Qi}, 6 | eprint = {1906.10973}, 7 | journal = {CoRR}, 8 | title = {{Defending Adversarial Attacks by Correcting logits}}, 9 | url = {http://arxiv.org/abs/1906.10973}, 10 | volume = {abs/1906.1}, 11 | year = {2019} 12 | } 13 | ``` 14 | I don't think there are many insights here. -------------------------------------------------------------------------------- /2019/Defense_Against_Adversarial_Attacks_Using_Feature_Scattering_based_Adversarial_Training.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @incollection{NIPS2019_8459, 3 | author = {Zhang, Haichao and Wang, Jianyu}, 4 | booktitle = {Advances in Neural Information Processing Systems 32}, 5 | editor = {Wallach, H and Larochelle, H and Beygelzimer, A and d$\backslash$textquotesingle Alch{\'{e}}-Buc, F and Fox, E and Garnett, R}, 6 | pages = {1829--1839}, 7 | publisher = {Curran Associates, Inc.}, 8 | title = {{Defense Against Adversarial Attacks Using Feature Scattering-based Adversarial Training}}, 9 | url = {http://papers.nips.cc/paper/8459-defense-against-adversarial-attacks-using-feature-scattering-based-adversarial-training.pdf}, 10 | year = {2019} 11 | } 12 | ``` 13 | ## Motivation 14 | Conventional adversarial training approaches leverage a supervised scheme for generating attacks during training, which typically suffers from issues such as label leaking. 15 |
And based on the feature matching distance, they formulated the feature scattering method, which intuitively interpreted as maximizing the feature matching distance between the original and perturbed empirical distributions with respect to the inputs. 17 | 18 | When generating adversarial examples, it takes the inter-sample relationships into consideration. -------------------------------------------------------------------------------- /2019/Feature_Denoising_for_Improving_Adversarial_Robustness.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{DBLP:conf/cvpr/XieWMYH19, 3 | author = {Xie, Cihang and Wu, Yuxin and van der Maaten, Laurens and Yuille, Alan L and He, Kaiming}, 4 | booktitle = {{\{}IEEE{\}} Conference on Computer Vision and Pattern Recognition, {\{}CVPR{\}} 2019, Long Beach, CA, USA, June 16-20, 2019}, 5 | pages = {501--509}, 6 | publisher = {Computer Vision Foundation / {\{}IEEE{\}}}, 7 | title = {{Feature Denoising for Improving Adversarial Robustness}}, 8 | url = {http://openaccess.thecvf.com/content{\_}CVPR{\_}2019/html/Xie{\_}Feature{\_}Denoising{\_}for{\_}Improving{\_}Adversarial{\_}Robustness{\_}CVPR{\_}2019{\_}paper.html}, 9 | year = {2019} 10 | } 11 | ``` 12 | ## Motivation 13 | Adversarial purturbations on images lead to noise in the features constructed by these networks. 14 | 15 | ## Methods 16 | They developed new network architectures that increase adversarial robustness by performing feature denoising. Specifically, their networks contains blocks that denoise the features using non-means or other filters and the networks are trained end-to-end combined with adversarial training. 17 | 18 | The denoising block processes the input features by a denosing operation, such as non-local means or other variants. The denoised representation is first processed by a 1x1 convolutional layer, and then added to the block's input via a residual connection. 19 | Only the non-local means operation in the denoising block is actually doing the denoising; the 1x1 convolutions and the residual connection are mainly for feature combination. The authors however presented the effectiveness of both residual connection and 1x1 convolution. -------------------------------------------------------------------------------- /2019/Feature_Space_Perturbations_Yield_More_Transferable_Adversarial_Examples.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{Inkawhich_2019_CVPR, 3 | author = {Inkawhich, Nathan and Wen, Wei and Li, Hai (Helen) and Chen, Yiran}, 4 | booktitle = {The IEEE Conference on Computer Vision and Pattern Recognition (CVPR)}, 5 | month = {jun}, 6 | title = {{Feature Space Perturbations Yield More Transferable Adversarial Examples}}, 7 | year = {2019} 8 | } 9 | ``` 10 | 11 | This paper investigated the influence of feature space on adversarial examples's transferability. They proposed a new attack method for better transferability. The loss function is designed as the Euclidean distance between the vectorized source image activations and vectorized target image activations at some layer L. if two images is similar at some hidden layers, they are likely to be classified as one class. Based on this loss function, the image will be modified. 12 | 13 | They also did some experiments to investigate which layer is the best layer to be involved in the loss function. 
They measured the Euclidean distance between original and perturbed images from two perspectives: the image domain and the first two principal component directions. Details are in Section 6.3. -------------------------------------------------------------------------------- /2019/Fine_grained_Synthesis_of_Unrestricted_Adversarial_Examples.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{2019arXiv191109058P, 3 | archivePrefix = {arXiv}, 4 | arxivId = {cs.CV/1911.09058}, 5 | author = {Poursaeed, Omid and Jiang, Tianxing and Yang, Harry and Belongie, Serge and Lim, Ser-Nam}, 6 | eprint = {1911.09058}, 7 | keywords = {Computer Science - Computer Vision and Pattern Rec,Computer Science - Cryptography and Security,Computer Science - Machine Learning,Statistics - Machine Learning}, 8 | month = {nov}, 9 | pages = {arXiv:1911.09058}, 10 | primaryClass = {cs.CV}, 11 | title = {{Fine-grained Synthesis of Unrestricted Adversarial Examples}}, 12 | year = {2019} 13 | } 14 | 15 | ``` 16 | ## Motivation 17 | There are several different methods for generating **unrestricted adversarial examples** [1-3]. These methods are not controllable. 18 | 19 | ## Methods 20 | They leverage disentangled latent representations of images for unrestricted adversarial examples. StyleGAN is a SOTA generative model which learns to disentangle high-level attributes and stochastic variations in an unsupervised manner. More specifically, stylistic variations are represented by style variables and stochastic details are captured by noise variables. Changing the noise only affects low-level details, leaving the overall composition and high-level aspects such as identity intact. This makes it possible to manipulate the noise variables such that variations are barely noticeable to the human eye, yet the synthesized image can fool a pre-trained classifier. 21 | 22 | This approach is able to break the SOTA certified defense, but adversarial training makes the target models more robust. Also, adversarial training based on this approach does not affect the accuracy of the models. 23 | 24 | 25 | 26 | [1] Xiao, C., Zhu, J.-Y., Li, B., He, W., Liu, M., & Song, D. (2018). Spatially Transformed Adversarial Examples. 6th International Conference on Learning Representations, {ICLR} 2018, Vancouver, BC, Canada, April 30 - May 3, 2018, Conference Track Proceedings. 27 | [2] Song, Y., Shu, R., Kushman, N., & Ermon, S. (2018). Constructing Unrestricted Adversarial Examples with Generative Models. In S. Bengio, H. Wallach, H. Larochelle, K. Grauman, N. Cesa-Bianchi, & R. Garnett (Eds.), Advances in Neural Information Processing Systems 31 (pp. 8312–8323). 28 | [3] Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., & Tao, D. (2019). Perceptual-Sensitive {GAN} for Generating Adversarial Patches. The Thirty-Third {AAAI} Conference on Artificial Intelligence, {AAAI} 2019, The Thirty-First Innovative Applications of Artificial Intelligence Conference, {IAAI} 2019, The Ninth {AAAI} Symposium on Educational Advances in Artificial Intelligence, {EAAI}, 1028–1035.
29 | -------------------------------------------------------------------------------- /2019/Generalizable_Adversarial_Attacks_Using_Generative_Models.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{Bose2019, 3 | archivePrefix = {arXiv}, 4 | arxivId = {1905.10864}, 5 | author = {Bose, Avishek Joey and Cianflone, Andre and Hamilton, William L}, 6 | eprint = {1905.10864}, 7 | month = {may}, 8 | title = {{Generalizable Adversarial Attacks Using Generative Models}}, 9 | url = {http://arxiv.org/abs/1905.10864}, 10 | year = {2019} 11 | } 12 | ``` 13 | This paper proposed a general framework for attacks. The main idea is to use an encoder to obtain the latent vector of the input data and then a decoder to generate the perturbations, which I think is essentially a VAE. The perturbations are then combined with the images to obtain adversarial examples. 14 | 15 | The overall loss function has three parts: 16 | - One is a max-margin misclassification loss provided by a pretrained classifier. 17 | - One is to constrain the magnitude of the perturbation. 18 | - One is to make the distribution of the latent vector similar to a normal distribution. -------------------------------------------------------------------------------- /2019/Generalizable_Data_Free_Objective_for_Crafting_Universal_Adversarial_Perturbations.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{8423654, 3 | address = {Los Alamitos, CA, USA}, 4 | author = {Mopuri, K and Ganeshan, A and Babu, R}, 5 | doi = {10.1109/TPAMI.2018.2861800}, 6 | issn = {1939-3539}, 7 | journal = {IEEE Transactions on Pattern Analysis {\&} Machine Intelligence}, 8 | keywords = {data models,feature extraction,image segmentation,machine learning,perturbation methods,task analysis,training data}, 9 | month = {oct}, 10 | number = {10}, 11 | pages = {2452--2465}, 12 | publisher = {IEEE Computer Society}, 13 | title = {{Generalizable Data-Free Objective for Crafting Universal Adversarial Perturbations}}, 14 | volume = {41}, 15 | year = {2019} 16 | } 17 | ``` 18 | 19 | ## Motivation 20 | Existing methods to craft universal perturbations 21 | - are task specific 22 | - require samples from the training data distribution 23 | - perform complex optimizations 24 | 25 | The fooling ability of the crafted perturbations is proportional to the amount of available training data. 26 | 27 | **The focus of the proposed work is to craft $\delta$ without requiring any data samples**. 28 | 29 | ## Methods 30 | 31 | Objective function: 32 | $$\text { Loss }=-\log \left(\prod_{i=1}^{K}\left\|l_{i}(\delta)\right\|_{2}\right), \quad \text { such that } \quad\|\delta\|_{\infty}<\xi$$ 33 | 34 | With priors: 35 | $$ 36 | \operatorname{Loss}=-\sum_{d \sim \mathcal{N}(\mu, \sigma)} \log \left(\prod_{i=1}^{K}\left\|l_{i}(d+\delta)\right\|_{2}\right) 37 | $$ 38 | such that $\|\delta\|_{\infty}<\xi$ 39 | 40 | $$\begin{aligned} 41 | &\text { Loss }=-\sum_{x \sim \mathcal{X}} \log \left(\prod_{i=1}^{K}\left\|l_{i}(x+\delta)\right\|_{2}\right)\\ 42 | &\text { such that }\|\delta\|_{\infty}<\xi 43 | \end{aligned}$$ 44 | 45 | They proposed an adaptive re-scaling of $\delta$ based on the rate of saturation (reaching the extreme values of the constraint). This re-scaling operation not only allows an improved utilization of the gradients but also retains the pattern learnt in the optimization process up to that iteration.
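As a rough illustration (not the authors' code), one optimization step for the data-free objective above could look like the following PyTorch-style sketch; `activations(model, x)` is a hypothetical helper that returns the intermediate activations $l_1(x), \dots, l_K(x)$ of the target network:

```python
import torch

def data_free_uap_step(model, delta, xi, lr=0.1, activations=None):
    # One descent step on: -sum_i log(||l_i(delta)||_2)  s.t.  ||delta||_inf < xi.
    # `activations(model, x)` is an assumed helper returning the list of
    # intermediate activations of the network evaluated on x.
    delta = delta.clone().detach().requires_grad_(True)
    acts = activations(model, delta)
    loss = -sum(torch.log(a.flatten().norm(p=2)) for a in acts)
    loss.backward()
    with torch.no_grad():
        delta = delta - lr * delta.grad.sign()   # descend on the loss
        delta = delta.clamp(-xi, xi)             # project back into the L-inf ball
    return delta.detach()
```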
46 | 47 | **Changes resulting from the perturbation.** 48 | ![](../pics/fig9_8423654.png) 49 | -------------------------------------------------------------------------------- /2019/Generating_Realistic_Unrestricted_Adversarial_Inputs_using_Dual_Objective_{GAN}_Training.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{DBLP:journals/corr/abs-1905-02463, 3 | archivePrefix = {arXiv}, 4 | arxivId = {1905.02463}, 5 | author = {Dunn, Isaac and Melham, Tom and Kroening, Daniel}, 6 | eprint = {1905.02463}, 7 | journal = {CoRR}, 8 | title = {{Generating Realistic Unrestricted Adversarial Inputs using Dual-Objective {\{}GAN{\}} Training}}, 9 | url = {http://arxiv.org/abs/1905.02463}, 10 | volume = {abs/1905.0}, 11 | year = {2019} 12 | } 13 | ``` 14 | I did not read it through. 15 | 16 | This paper should be compared with [Constructing Unrestricted Adversarial Examples with Generative Models](./2018/Constructing_Unrestricted_Adversarial_Examples_with_Generative_Models.md). -------------------------------------------------------------------------------- /2019/Improving_Adversarial_Robustness_via_Guided_Complement_Entropy.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{Chen_2019_ICCV, 3 | author = {Chen, Hao-Yun and Liang, Jhao-Hong and Chang, Shih-Chieh and Pan, Jia-Yu and Chen, Yu-Ting and Wei, Wei and Juan, Da-Cheng}, 4 | booktitle = {The IEEE International Conference on Computer Vision (ICCV)}, 5 | month = {oct}, 6 | title = {{Improving Adversarial Robustness via Guided Complement Entropy}}, 7 | year = {2019} 8 | } 9 | ``` 10 | ## Summary 11 | This paper proposed a new loss function to produce adversarially robust models without training on adversarial examples. However, it did not compare with PGD adversarial training, and did not evaluate on PGD attacks. 12 | ## Motivation 13 | 1. Adversarial training is computationally intensive and not flexible. 14 | 2. Existing methods achieve adversarial robustness at the cost of model performance. 15 | 16 | ## Method(s) 17 | ### Complement Entropy 18 | $$-\frac{1}{N} \sum_{i=1}^{N} \sum_{j=1, j \neq g}^{K}\left(\frac{\hat{y}_{i j}}{1-\hat{y}_{i g}}\right) \log \left(\frac{\hat{y}_{i j}}{1-\hat{y}_{i g}}\right)$$ 19 | 20 | The idea behind complement entropy is to flatten the weight distribution among the incorrect classes. Mathematically, a distribution is flattened when its entropy is maximized, so Complement Entropy incorporates a negative sign to make it a loss function to be minimized. 21 | 22 | ### Guided Complement Entropy 23 | $$-\frac{1}{N} \sum_{i=1}^{N} \hat{y}_{i g}^{\alpha} \sum_{j=1, j \neq g}^{K}\left(\frac{\hat{y}_{i j}}{1-\hat{y}_{i g}}\right) \log \left(\frac{\hat{y}_{i j}}{1-\hat{y}_{i g}}\right)$$ 24 | 25 | The main difference is that GCE also introduces a guiding factor of $\hat{y}_{i g}$ to modulate the effect of the complement loss factor, according to the model's prediction quality during the training iterations. 26 | 27 | ## Evaluation 28 | 29 | ## Conclusion 30 | 1. Robust against several kinds of "white-box" adversarial attacks. 31 | 2. In adversarial training, substituting the GCE loss gives more robust models.
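For concreteness, here is a minimal PyTorch-style transcription of the GCE expression written above (tensor names are illustrative, not the authors' implementation):

```python
import torch
import torch.nn.functional as F

def guided_complement_entropy(logits, targets, alpha=0.2, eps=1e-12):
    # Literal transcription of the GCE formula above: the normalized
    # probabilities over the K-1 incorrect classes, weighted by the
    # ground-truth probability raised to alpha.
    probs = F.softmax(logits, dim=1)                      # \hat{y}, shape (N, K)
    y_g = probs.gather(1, targets.unsqueeze(1))           # \hat{y}_{ig}, shape (N, 1)
    mask = torch.ones_like(probs).scatter_(1, targets.unsqueeze(1), 0.0)
    comp = probs * mask / (1.0 - y_g + eps)               # \hat{y}_{ij} / (1 - \hat{y}_{ig})
    inner = (comp * torch.log(comp + eps)).sum(dim=1)     # sum over j != g
    return -(y_g.squeeze(1) ** alpha * inner).mean()
```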
32 | ## Related work -------------------------------------------------------------------------------- /2019/Improving_the_Robustness_of_Deep_Neural_Networks_via_Adversarial_Training_with_Triplet_Loss.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{ijcai2019-403, 3 | author = {Li, Pengcheng and Yi, Jinfeng and Zhou, Bowen and Zhang, Lijun}, 4 | booktitle = {Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence, {\{}IJCAI-19{\}}}, 5 | doi = {10.24963/ijcai.2019/403}, 6 | pages = {2909--2915}, 7 | publisher = {International Joint Conferences on Artificial Intelligence Organization}, 8 | title = {{Improving the Robustness of Deep Neural Networks via Adversarial Training with Triplet Loss}}, 9 | url = {https://doi.org/10.24963/ijcai.2019/403}, 10 | year = {2019} 11 | } 12 | ``` 13 | This paper proposed to incorporate the Triplet Loss into adversarial training. The difference is that they take adversarial examples as the anchor of the triplet loss, together with examples of different labels, in the embedding space. 14 | 15 | The second contribution is that the proposed triplet loss can be formulated as a regularization term and combined with other defense methods. 16 | -------------------------------------------------------------------------------- /2019/Interpreting_Adversarially_Trained_Convolutional_Neural_Networks.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{DBLP:conf/icml/ZhangZ19, 3 | author = {Zhang, Tianyuan and Zhu, Zhanxing}, 4 | booktitle = {Proceedings of the 36th International Conference on Machine Learning, {\{}ICML{\}} 2019, 9-15 June 2019, Long Beach, California, {\{}USA{\}}}, 5 | editor = {Chaudhuri, Kamalika and Salakhutdinov, Ruslan}, 6 | pages = {7502--7511}, 7 | publisher = {PMLR}, 8 | series = {Proceedings of Machine Learning Research}, 9 | title = {{Interpreting Adversarially Trained Convolutional Neural Networks}}, 10 | url = {http://proceedings.mlr.press/v97/zhang19s.html}, 11 | volume = {97}, 12 | year = {2019} 13 | } 14 | ``` 15 | 16 | We find that AT-CNNs are better at capturing long-range correlations such as shapes, and less biased towards textures than normally trained CNNs in popular object recognition datasets. -------------------------------------------------------------------------------- /2019/Joint_Adversarial_Training_Incorporating_both_Spatial_and_Pixel_Attacks.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{DBLP:journals/corr/abs-1907-10737, 3 | archivePrefix = {arXiv}, 4 | arxivId = {1907.10737}, 5 | author = {Zhang, Haichao and Wang, Jianyu}, 6 | eprint = {1907.10737}, 7 | journal = {CoRR}, 8 | title = {{Joint Adversarial Training: Incorporating both Spatial and Pixel Attacks}}, 9 | url = {http://arxiv.org/abs/1907.10737}, 10 | volume = {abs/1907.1}, 11 | year = {2019} 12 | } 13 | ``` 14 | Adversarial training as a defense against spatial distortions and pixel perturbations.
-------------------------------------------------------------------------------- /2019/Knowledge_Distillation_from_Internal_Representations.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{DBLP:journals/corr/abs-1910-03723, 3 | archivePrefix = {arXiv}, 4 | arxivId = {1910.03723}, 5 | author = {Aguilar, Gustavo and Ling, Yuan and Zhang, Yu and Yao, Benjamin and Fan, Xing and Guo, Edward}, 6 | eprint = {1910.03723}, 7 | journal = {CoRR}, 8 | title = {{Knowledge Distillation from Internal Representations}}, 9 | url = {http://arxiv.org/abs/1910.03723}, 10 | volume = {abs/1910.03723}, 11 | year = {2019} 12 | } 13 | ``` 14 | Not interesting. 15 | 16 | ![](../pics/fig1_abs-1910-03723.png) -------------------------------------------------------------------------------- /2019/Metric_Learning_for_Adversarial_Robustness.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @incollection{NIPS2019_8339, 3 | author = {Mao, Chengzhi and Zhong, Ziyuan and Yang, Junfeng and Vondrick, Carl and Ray, Baishakhi}, 4 | booktitle = {Advances in Neural Information Processing Systems 32}, 5 | pages = {478--489}, 6 | publisher = {Curran Associates, Inc.}, 7 | title = {{Metric Learning for Adversarial Robustness}}, 8 | url = {http://papers.nips.cc/paper/8339-metric-learning-for-adversarial-robustness.pdf}, 9 | year = {2019} 10 | } 11 | ``` 12 | ## Motivation 13 | we investigate what happens to the latent representations as they undergo attack. Our results show that the attack shifts the latent representations of adversarial samples away from their true class and closer to the false class. 14 | The adversarial representations often spread across the false class distribution in such a way that the natural images of the false class become indistinguishable from the adversarial images. 15 | 16 | In short, the motivation is that the triplet loss function will pull all the images of one class, both natural and adversarial, closer while pushing the images of other classes far apart. 17 | 18 | ![](../pics/fig1_NIPS2019_8339.png) 19 | 20 | ![](../pics/fig2_NIPS2019_8339.png) 21 | 22 | ![](../pics/eqn1_NIPS2019_8339.png) -------------------------------------------------------------------------------- /2019/NATTACK_Learning_the_Distributions_of_Adversarial_Examples_for_an_Improved_Black_Box_Attack_on_Deep_Neural_Networks.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{DBLP:conf/icml/LiLWZG19, 3 | author = {Li, Yandong and Li, Lijun and Wang, Liqiang and Zhang, Tong and Gong, Boqing}, 4 | booktitle = {Proceedings of the 36th International Conference on Machine Learning, {\{}ICML{\}} 2019, 9-15 June 2019, Long Beach, California, {\{}USA{\}}}, 5 | editor = {Chaudhuri, Kamalika and Salakhutdinov, Ruslan}, 6 | pages = {3866--3876}, 7 | publisher = {PMLR}, 8 | series = {Proceedings of Machine Learning Research}, 9 | title = {{{\{}NATTACK:{\}} Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks}}, 10 | url = {http://proceedings.mlr.press/v97/li19g.html}, 11 | volume = {97}, 12 | year = {2019} 13 | } 14 | ``` 15 | 16 | Rejected by ICLR 2019 but accepted by ICML 2019. Find the [Review from ICLR](https://openreview.net/forum?id=ryeoxnRqKQ). 17 | 18 | I did not read it through and got no idea. According to the review, it shares many similarities with [1]. 19 | 20 | 21 | [1] Ilyas, A., Engstrom, L., Athalye, A., & Lin, J. 
(2018). Black-box Adversarial Attacks with Limited Queries and Information. In J. Dy & A. Krause (Eds.), Proceedings of the 35th International Conference on Machine Learning (pp. 2137–2146). Retrieved from http://proceedings.mlr.press/v80/ilyas18a.html -------------------------------------------------------------------------------- /2019/Natural_Adversarial_Examples.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{DBLP:journals/corr/abs-1907-07174, 3 | archivePrefix = {arXiv}, 4 | arxivId = {1907.07174}, 5 | author = {Hendrycks, Dan and Zhao, Kevin and Basart, Steven and Steinhardt, Jacob and Song, Dawn}, 6 | eprint = {1907.07174}, 7 | journal = {CoRR}, 8 | title = {{Natural Adversarial Examples}}, 9 | url = {http://arxiv.org/abs/1907.07174}, 10 | volume = {abs/1907.0}, 11 | year = {2019} 12 | } 13 | ``` 14 | This is a new dataset called **IMAGENET-A**, which contains adversarial examples existing in the real world. -------------------------------------------------------------------------------- /2019/Noise2Self_Blind_Denoising_by_Self_Supervision.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{DBLP:conf/icml/BatsonR19, 3 | author = {Batson, Joshua and Royer, Lo{\"{i}}c}, 4 | booktitle = {Proceedings of the 36th International Conference on Machine Learning, {\{}ICML{\}} 2019, 9-15 June 2019, Long Beach, California, {\{}USA{\}}}, 5 | editor = {Chaudhuri, Kamalika and Salakhutdinov, Ruslan}, 6 | pages = {524--533}, 7 | publisher = {PMLR}, 8 | series = {Proceedings of Machine Learning Research}, 9 | title = {{Noise2Self: Blind Denoising by Self-Supervision}}, 10 | url = {http://proceedings.mlr.press/v97/batson19a.html}, 11 | volume = {97}, 12 | year = {2019} 13 | } 14 | ``` 15 | No prior on the signal, no estimate of the noise, and no clean training data. 16 | 17 | The only assumption is that the noise exhibits statistical independence across different dimensions of the measurement, while the true signal exhibits some correlation. 18 | -------------------------------------------------------------------------------- /2019/On_the_Connection_Between_Adversarial_Robustness_and_Saliency_Map_Interpretability.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{DBLP:conf/icml/EtmannLMS19, 3 | author = {Etmann, Christian and Lunz, Sebastian and Maass, Peter and Sch{\"{o}}nlieb, Carola}, 4 | booktitle = {Proceedings of the 36th International Conference on Machine Learning, {\{}ICML{\}} 2019, 9-15 June 2019, Long Beach, California, {\{}USA{\}}}, 5 | editor = {Chaudhuri, Kamalika and Salakhutdinov, Ruslan}, 6 | pages = {1823--1832}, 7 | publisher = {PMLR}, 8 | series = {Proceedings of Machine Learning Research}, 9 | title = {{On the Connection Between Adversarial Robustness and Saliency Map Interpretability}}, 10 | url = {http://proceedings.mlr.press/v97/etmann19a.html}, 11 | volume = {97}, 12 | year = {2019} 13 | } 14 | ``` 15 | 16 | ## Motivation 17 | Recent studies on the adversarial vulnerability of neural networks have shown that models trained to be more robust to adversarial attacks exhibit more interpretable saliency maps than their non-robust counterparts.
18 | 19 | 20 | We show that the interpretability of the saliency maps of a robustified neural network is not only a side-effect of adversarial training, but a general property enjoyed by networks with a high degree of robustness to adversarial perturbations. 21 | 22 | 23 | We empirically demonstrate that the more linear the model is, the stronger the connection between robustness and alignment becomes. -------------------------------------------------------------------------------- /2019/One_pixel_attack_for_fooling_deep_neural_networks.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{su2019one, 3 | author = {Su, Jiawei and Vargas, Danilo Vasconcellos and Sakurai, Kouichi}, 4 | journal = {IEEE Transactions on Evolutionary Computation}, 5 | publisher = {IEEE}, 6 | title = {{One pixel attack for fooling deep neural networks}}, 7 | year = {2019} 8 | } 9 | ``` 10 | 11 | This paper investigated an extreme attack scenario which only allows a one-pixel modification. The main difference is that this method uses the 0-norm of the noise vector as a constraint on the number of pixels, while other methods use L-infinity or L2 to limit the amount of noise. Besides, the one-pixel method does not limit the strength of the modification. 12 | 13 | ![alt](../pics/fig4_onepixel.png) 14 | 15 | This method adapted Differential Evolution (DE), a kind of evolutionary algorithm (EA), to solve the objective function. There are three main advantages of DE: 16 | - Higher probability of finding global optima 17 | - Requires less information from the target system 18 | - Simplicity 19 | 20 | [Here](https://pablormier.github.io/2017/09/05/a-tutorial-on-differential-evolution-with-python/#) is a good tutorial on DE. 21 | And [This](https://github.com/Hyperparticle/one-pixel-attack-keras) is the code in Keras. -------------------------------------------------------------------------------- /2019/Perturbations_are_not_Enough_Generating_Adversarial_Examples_with_Spatial_Distortions.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{2019arXiv191001329Z, 3 | archivePrefix = {arXiv}, 4 | arxivId = {cs.LG/1910.01329}, 5 | author = {Zhao, He and Le, Trung and Montague, Paul and {De Vel}, Olivier and Abraham, Tamas and Phung, Dinh}, 6 | eprint = {1910.01329}, 7 | journal = {arXiv e-prints}, 8 | keywords = {Computer Science - Cryptography and Security,Computer Science - Machine Learning,Statistics - Machine Learning}, 9 | month = {oct}, 10 | pages = {arXiv:1910.01329}, 11 | primaryClass = {cs.LG}, 12 | title = {{Perturbations are not Enough: Generating Adversarial Examples with Spatial Distortions}}, 13 | year = {2019} 14 | } 15 | ``` 16 | 17 | Jointly learning to apply spatial distortions and pixel perturbations at the same time.
-------------------------------------------------------------------------------- /2019/Real_Image_Denoising_With_Feature_Attention.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{Anwar_2019_ICCV, 3 | author = {Anwar, Saeed and Barnes, Nick}, 4 | booktitle = {The IEEE International Conference on Computer Vision (ICCV)}, 5 | month = {oct}, 6 | title = {{Real Image Denoising With Feature Attention}}, 7 | year = {2019} 8 | } 9 | ``` 10 | ## Motivation 11 | Deep convolutional neural networks perform better 12 | on images containing spatially invariant noise (synthetic noise); however, their performance is limited on real-noisy photographs and requires multiple-stage network modeling. 13 | 14 | ## Methods 15 | They use a residual-on-the-residual structure to ease the flow of low-frequency information and apply feature attention to exploit the channel dependencies. 16 | ![](../pics/fig2_anwar_2009_iccv.png) 17 | -------------------------------------------------------------------------------- /2019/Rethinking_Data_Augmentation_Self_Supervision_and_Self_Distillation.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{lee2019rethinking, 3 | title={Rethinking Data Augmentation: Self-Supervision and Self-Distillation}, 4 | author={Lee, Hankook and Hwang, Sung Ju and Shin, Jinwoo}, 5 | journal={arXiv preprint arXiv:1910.05872}, 6 | year={2019} 7 | } 8 | ``` 9 | ## Motivation 10 | In the supervised setting, a common practice for data augmentation is to assign 11 | the same label to all augmented samples of the same source. However, if the 12 | augmentation results in large distributional discrepancy among them (e.g., rotations), forcing their label invariance may be too difficult to solve and often hurts 13 | the performance. 14 | 15 | ## Methods 16 | The key idea is to remove the unnecessary invariance property of the classifier. To this end, they use a joint softmax classifier which represents the joint probability. 17 | 18 | - Aggregated inference. Since the transformation is known, they predict a label using the conditional probability. 19 | - Self-distillation from aggregation. -------------------------------------------------------------------------------- /2019/Retrieval_Augmented_Convolutional_Neural_Networks_against_Adversarial_Examples.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{cho2019retrieval, 3 | author = {Cho, Kyunghyun and Others}, 4 | booktitle = {Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition}, 5 | pages = {11563--11571}, 6 | title = {{Retrieval-Augmented Convolutional Neural Networks Against Adversarial Examples}}, 7 | year = {2019} 8 | } 9 | ``` 10 | 11 | ## Motivation 12 | Adversarial examples could be categorized into those off the data manifold, which is defined as a manifold on which training examples lie, and those on the data manifold [1]. 13 | They proposed to tackle both off- and on-manifold adversarial examples by incorporating an off-the-shelf retrieval mechanism which indexes a large set of examples, and training this combination of a deep neural network classifier and the retrieval engine to behave linearly on the data manifold. 14 | 15 | ## Methods 16 | 1. define a feature convex hull as a reasonable local approximation to the data manifold. 17 | 2. learn a goal-driven projection procedure based on the attention mechanism.
This trainable projection could be thought of as learning to project an off-manifold example onto the locally-approximated manifold to maximize the classification accuracy. 18 | 3. constrain the final classifier to work only with a point inside a feature-space convex hull of neighboring training examples. This constraint alleviates the issue of the classifier's misbehavior in the region outside the data manifold to a certain degree. 19 | 4. To ensure the robustness of the proposed approach to on-manifold adversarial examples, a **local mixup** [2] is used in which a new mixed example pair is created by the Kraemer algorithm. When training, the classifier only observes a very small subset of any feature-space convex hull. 20 | 21 | ## Experiments 22 | They test their method in two scenarios: attacks on the classifier and attacks on the retrieval engine. 23 | 24 | [1] Gilmer, J., Metz, L., Faghri, F., Schoenholz, S. S., Raghu, M., Wattenberg, M., & Goodfellow, I. (2018). Adversarial Spheres. ArXiv E-Prints, arXiv:1801.02774. 25 | [2] Zhang, H., Cisse, M., Dauphin, Y. N., & Lopez-Paz, D. (2017). mixup: Beyond empirical risk minimization. arXiv preprint arXiv:1710.09412. -------------------------------------------------------------------------------- /2019/Rob_GAN_Generator_Discriminator_and_Adversarial_Attacker.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{Liu_2019_CVPR, 3 | author = {Liu, Xuanqing and Hsieh, Cho-Jui}, 4 | booktitle = {The IEEE Conference on Computer Vision and Pattern Recognition (CVPR)}, 5 | month = {jun}, 6 | title = {{Rob-GAN: Generator, Discriminator, and Adversarial Attacker}}, 7 | year = {2019} 8 | } 9 | ``` 10 | This paper combined adversarial training and GANs. They gave two insights: 11 | 1. The generalization gap is large under adversarial attacks. Enforcing a small local Lipschitz value (LLV) on the underlying data distribution is desirable, but it helps little. The authors therefore proposed to use a GAN to learn $\mathcal{P}_{\text{data}}$ and perform the adversarial training process on the learned distribution. 12 | 13 | The loss function is 14 | $$ 15 | \begin{array}{l} \min _{w} \mathcal{L}_{\text{real}}\left(w, \delta_{\max}\right)+\lambda \cdot \mathcal{L}_{\text{fake}}\left(w, \delta_{\max}\right) \\ \mathcal{L}_{\text{real}}\left(w, \delta_{\max}\right) \triangleq \frac{1}{N_{\text{tr}}} \sum_{i=1}^{N_{\text{tr}}} \max _{\left\|\delta_{i}\right\| \leq \delta_{\max}} \ell\left(f\left(x_{i}+\delta_{i} ; w\right) ; y_{i}\right) \\ \mathcal{L}_{\text{fake}}\left(w, \delta_{\max}\right) \triangleq \mathbb{E}_{(x, y) \sim \mathcal{P}_{\text{fake}}} \max _{\|\delta\| \leq \delta_{\max}} \ell(f(x+\delta ; w) ; y) \end{array} 16 | $$ 17 | 18 | Intuitively, it is a composite robust optimization on both the original training data and the GAN-synthesized data. 19 | 20 | 2. Getting a robust discriminator will accelerate the training process. They required a small local Lipschitz value on the image manifold rather than a strict one-Lipschitz function globally. This can be done through adversarial training of the discriminator. 21 | 22 | As for the architectures, they chose the discriminator with the auxiliary classifier of AC-GAN, and the generator is a standard one, I guess. 23 | 24 | Another thing mentioned in the original paper is that they fine-tuned the discriminator to conduct a pure multi-class classification task.
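A schematic PyTorch-style sketch of this composite objective (the `pgd_attack` helper and the conditional-generator interface are assumptions, not the authors' code):

```python
import torch.nn.functional as F

def composite_robust_loss(model, G, x_real, y_real, z, y_fake, pgd_attack, lam=1.0):
    # Composite robust optimization: adversarial (min-max) loss on real data
    # plus a weighted adversarial loss on GAN-synthesized data.
    # `pgd_attack(model, x, y)` is an assumed helper returning x + delta
    # with ||delta||_inf <= delta_max (the inner maximization).
    x_fake = G(z, y_fake).detach()                 # samples from the learned distribution
    adv_real = pgd_attack(model, x_real, y_real)
    adv_fake = pgd_attack(model, x_fake, y_fake)
    loss_real = F.cross_entropy(model(adv_real), y_real)
    loss_fake = F.cross_entropy(model(adv_fake), y_fake)
    return loss_real + lam * loss_fake
```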
25 | 26 | :octocat: The code is [here](https://github.com/xuanqing94/RobGAN) 27 | 28 | :key: I think the idea of this paper is simple; it was likely accepted by a top conference because of its solid mathematical analysis, which I think is the key point. -------------------------------------------------------------------------------- /2019/Robust_Attribution_Regularization.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @incollection{NIPS2019_9577, 3 | author = {Chen, Jiefeng and Wu, Xi and Rastogi, Vaibhav and Liang, Yingyu and Jha, Somesh}, 4 | booktitle = {Advances in Neural Information Processing Systems 32}, 5 | pages = {14300--14310}, 6 | publisher = {Curran Associates, Inc.}, 7 | title = {{Robust Attribution Regularization}}, 8 | url = {http://papers.nips.cc/paper/9577-robust-attribution-regularization.pdf}, 9 | year = {2019} 10 | } 11 | ``` 12 | ## Summary 13 | Didn't understand. 14 | ## Motivation 15 | 16 | ## Method(s) 17 | ## Evaluation 18 | ## Conclusion 19 | ## Related work 20 | 1. Sundararajan, M., Taly, A., & Yan, Q. (2017). Axiomatic Attribution for Deep Networks. Proceedings of the 34th International Conference on Machine Learning - Volume 70, 3319–3328. JMLR.org. -------------------------------------------------------------------------------- /2019/Robustness_May_Be_at_Odds_with_Accuracy.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{tsipras2018robustness, 3 | author = {Tsipras, Dimitris and Santurkar, Shibani and Engstrom, Logan and Turner, Alexander and Madry, Aleksander}, 4 | booktitle = {International Conference on Learning Representations}, 5 | title = {{Robustness May Be at Odds with Accuracy}}, 6 | url = {https://openreview.net/forum?id=SyxAb30cY7}, 7 | year = {2019} 8 | } 9 | ``` 10 | - Robust models learn features that align well with salient data characteristics. 11 | - Robustness and standard accuracy are at odds. 12 | 13 | 14 | **Very good paper.** -------------------------------------------------------------------------------- /2019/SemanticAdv_Generating_Adversarial_Examples_via_Attribute_conditional_Image_Editing.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{DBLP:journals/corr/abs-1906-07927, 3 | archivePrefix = {arXiv}, 4 | arxivId = {1906.07927}, 5 | author = {Qiu, Haonan and Xiao, Chaowei and Yang, Lei and Yan, Xinchen and Lee, Honglak and Li, Bo}, 6 | eprint = {1906.07927}, 7 | journal = {CoRR}, 8 | title = {{SemanticAdv: Generating Adversarial Examples via Attribute-conditional Image Editing}}, 9 | url = {http://arxiv.org/abs/1906.07927}, 10 | volume = {abs/1906.0}, 11 | year = {2019} 12 | } 13 | ``` 14 | Honestly, I do not think this is a good paper. It proposed to utilize a conditional GAN to generate adversarial examples by modifying the images' attributes. To put it simply, the main idea is interpolating the latent vectors of two images and feeding the modified vector into a generator to reconstruct the images. There are two loss functions (Section 3.2): one is the loss for adversarial examples, and the other is interpolation smoothness.
-------------------------------------------------------------------------------- /2019/SinGAN_Learning_a_Generative_Model_From_a_Single_Natural_Image.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{Shaham_2019_ICCV, 3 | author = {Shaham, Tamar Rott and Dekel, Tali and Michaeli, Tomer}, 4 | booktitle = {The IEEE International Conference on Computer Vision (ICCV)}, 5 | month = {oct}, 6 | title = {{SinGAN: Learning a Generative Model From a Single Natural Image}}, 7 | year = {2019} 8 | } 9 | ``` 10 | [Official Documentation](http://webee.technion.ac.il/people/tomermic/SinGAN/SinGAN.htm) 11 | 12 | This paper first applys multi-scale GAN to internel learning of single image. -------------------------------------------------------------------------------- /2019/Sparse_and_Imperceivable_Adversarial_Attacks.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{Croce_2019_ICCV, 3 | author = {Croce, Francesco and Hein, Matthias}, 4 | booktitle = {The IEEE International Conference on Computer Vision (ICCV)}, 5 | month = {oct}, 6 | title = {{Sparse and Imperceivable Adversarial Attacks}}, 7 | year = {2019} 8 | } 9 | ``` 10 | [code](https://github.com/fra31/sparse-imperceivable-attacks). 11 | 12 | Not very clear about the algorithms. -------------------------------------------------------------------------------- /2019/The_Limitations_of_Adversarial_Training_and_the_Blind-Spot_Attack.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{zhang2018the, 3 | author = {Zhang, Huan and Chen, Hongge and Song, Zhao and Boning, Duane and Inderjit dhillon and Hsieh, Cho-Jui}, 4 | booktitle = {7th International Conference on Learning Representations, {\{}ICLR{\}} 2019, New Orleans, LA, USA, May 6-9, 2019}, 5 | title = {{The Limitations of Adversarial Training and the Blind-Spot Attack}}, 6 | url = {https://openreview.net/forum?id=HylTBhA5tQ}, 7 | year = {2019} 8 | } 9 | ``` 10 | This paper proposed a simple method to attack models with adversarial training. 11 | 12 | The authors claimed that there are blind spots that adversarial training could not cover. The distance between the test points and training data contributes to the attack. The attack success rate increases when the distance gets large. And the attack just be conducted by this formula: 13 | $$ 14 | x^{\prime}=\alpha x+\beta, \text { s.t. 
-------------------------------------------------------------------------------- /2019/Theoretically_Principled_Trade_off_between_Robustness_and_Accuracy.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{pmlr-v97-zhang19p, 3 | address = {Long Beach, California, USA}, 4 | author = {Zhang, Hongyang and Yu, Yaodong and Jiao, Jiantao and Xing, Eric and Ghaoui, Laurent El and Jordan, Michael}, 5 | booktitle = {Proceedings of the 36th International Conference on Machine Learning}, 6 | editor = {Chaudhuri, Kamalika and Salakhutdinov, Ruslan}, 7 | pages = {7472--7482}, 8 | publisher = {PMLR}, 9 | series = {Proceedings of Machine Learning Research}, 10 | title = {{Theoretically Principled Trade-off between Robustness and Accuracy}}, 11 | url = {http://proceedings.mlr.press/v97/zhang19p.html}, 12 | volume = {97}, 13 | year = {2019} 14 | } 15 | ``` 16 | ## Summary 17 | This paper focuses on the trade-off between robustness and accuracy, and shows an upper bound on the gap between the robust error and the optimal natural error. A distinguishing feature of this paper is its decomposition of the robust error into a natural error term and a boundary error term. 18 | ## Motivation 19 | The robust error can in general be bounded tightly using two terms: one corresponds to the natural error measured by a surrogate loss function, and the other corresponds to how likely the input features are close to the $\epsilon$-extension of the decision boundary, termed the boundary error. 20 | ## Method(s) 21 | ![](../pics/eqn3_pmlr-v97-zhang19p.png) 22 | The first term encourages the natural error to be optimized, and the second term encourages the output to be smooth, as it pushes the decision boundary of the classifier away from the sample instances by minimizing the difference between the predictions on natural examples and on adversarial examples. 23 | 24 | See the proof in the original paper. 25 | ## Evaluation 26 | ## Conclusion 27 | ## Related work -------------------------------------------------------------------------------- /2019/Transferable_Adversarial_Attacks_for_Image_and_Video_Object_Detection.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{ijcai2019-134, 3 | author = {Wei, Xingxing and Liang, Siyuan and Chen, Ning and Cao, Xiaochun}, 4 | booktitle = {Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence, {\{}IJCAI-19{\}}}, 5 | doi = {10.24963/ijcai.2019/134}, 6 | pages = {954--960}, 7 | publisher = {International Joint Conferences on Artificial Intelligence Organization}, 8 | title = {{Transferable Adversarial Attacks for Image and Video Object Detection}}, 9 | url = {https://doi.org/10.24963/ijcai.2019/134}, 10 | year = {2019} 11 | } 12 | ``` 13 | ### Motivation 14 | Existing methods have two limitations: **weak transferability** and **high computation cost**. 15 | 16 | ### Methods 17 | **Unified and Efficient Adversary (UEA)** 18 | ![Framework](./../pics/fig2_ijcai2019-134.png) 19 | 20 | - **Multi-scale attention loss** enhances the transferability and imperceptibility. 21 | - From the viewpoint of the DNN's depth, DAG's class loss is applied on the high-level softmax layer, and the attention feature loss is performed on the low-level backend layer. 22 | - UEA incorporates an additional feature loss to obtain strong transferability.
23 | 24 | ![table](./../pics/tab1_ijcai2019-134.png) 25 | 26 | #### Loss function 27 | $$ 28 | \mathcal{L}_{c G A N}(\mathcal{G}, \mathcal{D})=\mathbb{E}_{I}[\log \mathcal{D}(I)]+\mathbb{E}_{I}[\log (1-\mathcal{D}(\mathcal{G}(I)))] 29 | $$ 30 | 31 | $$ 32 | \mathcal{L}_{L_{2}}(\mathcal{G})=\mathbb{E}_{I}\left[\|I-\mathcal{G}(I)\|_{2}\right] 33 | $$ 34 | 35 | $$ 36 | \mathcal{L}_{D A G}(\mathcal{G})=\mathbb{E}_{I}\left[\sum_{n=1}^{N}\left[f_{l_{n}}\left(\mathbf{X}, t_{n}\right)-f_{\hat{l}_{n}}\left(\mathbf{X}, t_{n}\right)\right]\right] 37 | $$ 38 | 39 | $$ 40 | \mathcal{L}_{F e a}(\mathcal{G})=\mathbb{E}_{I}\left[\sum_{m=1}^{M}\left\|\mathbf{A}_{m} \circ\left(\mathbf{X}_{m}-\mathbf{R}_{m}\right)\right\|_{2}\right] 41 | $$ 42 | 43 | $$ 44 | \mathcal{L}=\mathcal{L}_{c G A N}+\alpha \mathcal{L}_{L_{2}}+\beta \mathcal{L}_{D A G}+\epsilon \mathcal{L}_{F e a} 45 | $$ 46 | -------------------------------------------------------------------------------- /2019/Using_Pre_Training_Can_Improve_Model_Robustness_and_Uncertainty.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{DBLP:conf/icml/HendrycksLM19, 3 | author = {Hendrycks, Dan and Lee, Kimin and Mazeika, Mantas}, 4 | booktitle = {Proceedings of the 36th International Conference on Machine Learning, {\{}ICML{\}} 2019, 9-15 June 2019, Long Beach, California, {\{}USA{\}}}, 5 | editor = {Chaudhuri, Kamalika and Salakhutdinov, Ruslan}, 6 | pages = {2712--2721}, 7 | publisher = {PMLR}, 8 | series = {Proceedings of Machine Learning Research}, 9 | title = {{Using Pre-Training Can Improve Model Robustness and Uncertainty}}, 10 | url = {http://proceedings.mlr.press/v97/hendrycks19a.html}, 11 | volume = {97}, 12 | year = {2019} 13 | } 14 | ``` 15 | - Pre-training tremendously improves the model's adversarial robustness. 16 | - To reduce this gap, we introduce **adversarial pre-training**, where we make representations transfer across data distributions robustly. 17 | - Choosing to use targeted adversaries or no adversaries during pre-training does not provide substantial robustness. Instead, we choose to adversarially pre-train a Downsampled ImageNet model against an untargeted adversary, contra Kurakin et al. (2017); Kannan et al. (2018); Xie et al. (2018). -------------------------------------------------------------------------------- /2020/A_Closer_Look_at_Accuracy_vs_Robustness.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{2020arXiv200302460Y, 3 | archivePrefix = {arXiv}, 4 | arxivId = {cs.LG/2003.02460}, 5 | author = {Yang, Yao-Yuan and Rashtchian, Cyrus and Zhang, Hongyang and Salakhutdinov, Ruslan and Chaudhuri, Kamalika}, 6 | eprint = {2003.02460}, 7 | journal = {arXiv e-prints}, 8 | keywords = {Computer Science - Cryptography and Security,Computer Science - Machine Learning,Statistics - Machine Learning}, 9 | month = {mar}, 10 | pages = {arXiv:2003.02460}, 11 | primaryClass = {cs.LG}, 12 | title = {{A Closer Look at Accuracy vs. Robustness}}, 13 | year = {2020} 14 | } 15 | 16 | ``` 17 | ## Summary 18 | I think this paper is worth reading multiple times. 19 | 20 | ## Motivation 21 | A tradeoff between robustness and accuracy may be inevitable for many classification tasks. 22 | ## Method(s) 23 | **Real data is $r$-separated, where $r$ is equal to the attack radii commonly used in adversarial robustness experiments.** $r$-separation means examples from different classes are at least distance $2r$ apart in pixel space.
This implies that in real image datasets, the test images are far apart from training images of a different class. There may be images of dogs which look like cats, but standard image datasets are quite clean, and such images mostly occur in neither the test nor the training sets. 24 | 25 | **Theoretically, if a data distribution is $r$-separated, then there exists a robust and accurate classifier that can be obtained by rounding a locally Lipschitz function.** 26 | 27 | ![](../pics/fig4_2020arXiv200302460Y.png) 28 | 29 | Figure 4 shows a pictorial example of why using a locally Lipschitz function can be just as expressive while also being robust. 30 | ## Evaluation 31 | ## Conclusion 32 | ## Related work 33 | 34 | 35 | [Presentation](https://slideslive.at/38930945/a-closer-look-at-accuracy-vs-robustness?ref=speaker-24616-latest) -------------------------------------------------------------------------------- /2020/A_Self_supervised_Approach_for_Adversarial_Robustness.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{Naseer_2020_CVPR, 3 | author = {Naseer, Muzammal and Khan, Salman and Hayat, Munawar and Khan, Fahad Shahbaz and Porikli, Fatih}, 4 | booktitle = {IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)}, 5 | month = {jun}, 6 | title = {{A Self-supervised Approach for Adversarial Robustness}}, 7 | year = {2020} 8 | } 9 | ``` 10 | ## Motivation 11 | - Adversarial training, which enhances robustness by modifying the target model's parameters, lacks generalizability for cross-task protection. 12 | - Different input-processing-based defenses fall short in the face of continuously evolving attacks. 13 | - Our defense aims to combine the benefits of adversarial 14 | training and input processing methods in a single framework 15 | that is computationally efficient, generalizable across 16 | different tasks and retains the clean image accuracy. 17 | - Combine pre-processing and adversarial training. 18 | - Build a robust denoiser. 19 | 20 | ## Contribution 21 | - A self-supervised way to generate adversarial perturbations, which are shown to be transferable. 22 | - Using the adversarial training scheme to train a robust purifier. 23 | 24 | ![](../pics/fig2_Naseer_2020_CVPR.png) 25 | -------------------------------------------------------------------------------- /2020/Adversarial_Examples_Improve_Image_Recognition.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{Xie_2020_CVPR, 3 | author = {Xie, Cihang and Tan, Mingxing and Gong, Boqing and Wang, Jiang and Yuille, Alan L and Le, Quoc V}, 4 | booktitle = {IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)}, 5 | month = {jun}, 6 | title = {{Adversarial Examples Improve Image Recognition}}, 7 | year = {2020} 8 | } 9 | ``` 10 | ## Summary 11 | This paper proposed to disentangle the distributions of adversarial examples and clean images via an auxiliary batch normalization to improve the performance on clean images. However, I did not see anything comparing adversarial robustness. 12 | 13 | ## Motivation 14 | All previous methods jointly train over clean images and adversarial images without distinction, even though they should be drawn from different underlying distributions. 15 | This distribution mismatch between clean images and adversarial examples is a key factor that causes the performance degradation.
16 | ## Method(s) 17 | ### Adversarial Propagation 18 | Short for AdvProp, it is a new training scheme that bridges the distribution mismatch with a simple yet highly effective two-batchnorm approach: one batchnorm for clean images and one auxiliary batchnorm for adversarial examples. 19 | **The two batchnorms properly disentangle the two distributions at normalization layers for accurate statistics estimation.** 20 | This method can be seen as one type of data augmentation: creating additional training samples by injecting noise. The biggest difference is that previous attempts fail to improve accuracy on clean images. 21 | 22 | Adversarially trained models usually cannot generalize well on clean images. 23 | In this paper, such performance degradation is mainly attributed to **distribution mismatch -- adversarial examples and clean images are drawn from two different domains.** 24 | To validate this, the paper examines a simple strategy: pre-train networks with adversarial examples first, then fine-tune with clean images. 25 | It is found that this simple fine-tuning strategy always yields much higher accuracy than Madry's adversarial training. 26 | This sends a promising signal: **adversarial examples can be beneficial for model performance if harnessed properly**. 27 | 28 | ![](../pics/fig3_Xie_2020_CVPR.png) 29 | 30 | ![](../pics/algo1_Xie_2020_CVPR.png) 31 | 32 | ## Evaluation 33 | 34 | ## Conclusion 35 | ## Related work -------------------------------------------------------------------------------- /2020/Adversarially_Robust_Representations_with_Smooth_Encoders.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{cemgil2020adversarially, 3 | author = {Cemgil, Taylan and Ghaisas, Sumedh and Dvijotham, Krishnamurthy (Dj) and Kohli, Pushmeet}, 4 | booktitle = {International Conference on Learning Representations}, 5 | title = {{Adversarially Robust Representations with Smooth Encoders}}, 6 | url = {https://openreview.net/forum?id=H1gfFaEYDS}, 7 | year = {2020} 8 | } 9 | ``` 10 | ## Motivation 11 | -------------------------------------------------------------------------------- /2020/Confidence_Calibrated_Adversarial_Training_Generalizing_to_Unseen_Attacks.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{Stutz2020ICML, 3 | author = {David Stutz and Matthias Hein and Bernt Schiele}, 4 | title = {Confidence-Calibrated Adversarial Training: Generalizing to Unseen Attacks}, 5 | journal = {Proceedings of the International Conference on Machine Learning {ICML}}, 6 | year = {2020} 7 | } 8 | ``` 9 | [Pre](https://slideslive.com/38930576/confidencecalibrated-adversarial-training-generalizing-to-unseen-attacks?ref=account-60259-latest) \& [code](https://github.com/davidstutz/confidence-calibrated-adversarial-training). -------------------------------------------------------------------------------- /2020/Contrastive_Representation_Distillation.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{Tian2020Contrastive, 3 | author = {Tian, Yonglong and Krishnan, Dilip and Isola, Phillip}, 4 | booktitle = {International Conference on Learning Representations}, 5 | title = {{Contrastive Representation Distillation}}, 6 | url = {https://openreview.net/forum?id=SkgpBJrtvS}, 7 | year = {2020} 8 | } 9 | ``` 10 | ## Motivation 11 | Representational knowledge is structured.
The original KD objective introduced by Hinton treats all dimensions as independent, conditioned on the input. 12 | 13 | I need to understand the derivation. -------------------------------------------------------------------------------- /2020/DVERGE_Diversifying_Vulnerabilities_for_Enhanced_Robust_Generation_of_Ensembles.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @misc{yang2020dverge, 3 | archivePrefix = {arXiv}, 4 | arxivId = {cs.LG/2009.14720}, 5 | author = {Yang, Huanrui and Zhang, Jingyang and Dong, Hongliang and Inkawhich, Nathan and Gardner, Andrew and Touchet, Andrew and Wilkes, Wesley and Berry, Heath and Li, Hai}, 6 | eprint = {2009.14720}, 7 | title = {{DVERGE: Diversifying Vulnerabilities for Enhanced Robust Generation of Ensembles}}, 8 | year = {2020} 9 | } 10 | ``` 11 | ## Summary 12 | This paper aims to enhance robustness under black-box attacks. It ensembles several models and forces them to learn different non-robust features. This is based on the assumption that transferability is caused by non-robust features. 13 | ## Motivation 14 | Sub-models in an ensemble are vulnerable along the same axis of a transfer attack, which is the reason for the high transferability of adversarial attacks. 15 | ## Method(s) 16 | Without adversarial training: 17 | ![](../pics/eqn4_yang2020dverge.png) 18 | 19 | With adversarial training: 20 | $$ 21 | \min _{f_{i}} \mathbb{E}_{(x, y),\left(x_{s}, y_{s}\right), l}[\underbrace{\lambda \cdot \sum_{j \neq i} \mathcal{L}_{f_{i}}\left(x_{f_{j}^{l}}^{\prime}\left(x, x_{s}\right), y_{s}\right)}_{\text {DVERGE loss }}+\underbrace{\max _{\delta \in \mathcal{S}} \mathcal{L}_{f_{i}}\left(x_{s}+\delta, y_{s}\right)}_{\text {AdvT loss }}] 22 | $$ 23 | 24 | ## Evaluation 25 | ![](../pics/tab4_yang2020dverge.png) 26 | 27 | ![](../pics/tab5_yang2020dverge.png) 28 | 29 | It is worth noting that when combined with adversarial training, the performance is worse than plain adversarial training. 30 | 31 | ## Conclusion 32 | 33 | ## Related work -------------------------------------------------------------------------------- /2020/Deflecting_Adversarial_Attacks.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{2020arXiv200207405Q, 3 | archivePrefix = {arXiv}, 4 | arxivId = {cs.LG/2002.07405}, 5 | author = {Qin, Yao and Frosst, Nicholas and Raffel, Colin and Cottrell, Garrison and Hinton, Geoffrey}, 6 | eprint = {2002.07405}, 7 | journal = {arXiv e-prints}, 8 | keywords = {Computer Science - Computer Vision and Pattern Rec,Computer Science - Machine Learning,Statistics - Machine Learning}, 9 | month = {feb}, 10 | pages = {arXiv:2002.07405}, 11 | primaryClass = {cs.LG}, 12 | title = {{Deflecting Adversarial Attacks}}, 13 | year = {2020} 14 | } 15 | ``` 16 | The basic idea of this paper is to use the logits or high-level features to reconstruct the images and compare the original images with the reconstructed images. They used capsule networks.
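A rough sketch of the general detect-by-reconstruction idea (not the paper's capsule-network implementation; `encoder`, `decoder`, and the threshold are placeholders):

```python
import torch

def reconstruction_detector(x, encoder, decoder, threshold):
    # Generic detect-by-reconstruction idea: reconstruct the input from its
    # high-level representation and flag inputs whose reconstruction error
    # exceeds a threshold calibrated on clean data.
    with torch.no_grad():
        z = encoder(x)                               # logits / high-level features
        x_rec = decoder(z)                           # reconstruction from the representation
        err = (x - x_rec).flatten(1).norm(p=2, dim=1)
    return err > threshold                           # True -> flagged as adversarial
```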
-------------------------------------------------------------------------------- /2020/Energy_based_Out_of_distribution_Detection.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @misc{liu2020energybased, 3 | archivePrefix = {arXiv}, 4 | arxivId = {cs.LG/2010.03759}, 5 | author = {Liu, Weitang and Wang, Xiaoyun and Owens, John D and Li, Yixuan}, 6 | eprint = {2010.03759}, 7 | primaryClass = {cs.LG}, 8 | title = {{Energy-based Out-of-distribution Detection}}, 9 | year = {2020} 10 | } 11 | ``` 12 | ## Summary 13 | This paper proposeed a unified framework using an energy score for OOD detection. 14 | ## Motivation 15 | ## Method(s) 16 | ## Evaluation 17 | ## Conclusion 18 | ## Related work -------------------------------------------------------------------------------- /2020/Enhancing_Transformation_Based_Defenses_Against_Adversarial_Attacks_with_a_Distribution_Classifier.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{kou2020enhancing, 3 | author = {Kou, Connie and Lee, Hwee Kuan and Ng, Teck Khim and Chang, Ee-Chien}, 4 | booktitle = {International Conference on Learning Representations}, 5 | title = {{Enhancing Transformation-Based Defenses Against Adversarial Attacks with a Distribution Classifier}}, 6 | url = {https://openreview.net/forum?id=BkgWahEFvr}, 7 | year = {2020} 8 | } 9 | ``` 10 | we propose a method that trains a distribution classifier on the distributions of the softmax outputs of transformed clean images only, but show improvements in both clean and adversarial images over majority voting. -------------------------------------------------------------------------------- /2020/Fooling_Detection_Alone_is_Not_Enough_Adversarial_Attack_against_Multiple_Object_Tracking.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{jia2020fooling, 3 | author = {Jia, Yunhan and Lu, Yantao and Shen, Junjie and Chen, Qi Alfred and Chen, Hao}, 4 | booktitle = {International Conference on Learning Representations}, 5 | title = {{Fooling Detection Alone is Not Enough: Adversarial Attack against Multiple Object Tracking}}, 6 | url = {https://openreview.net/forum?id=rJl31TNYPr}, 7 | year = {2020} 8 | } 9 | ``` 10 | 11 | ## Motivation 12 | Multiple Object Tracking (MOT) is designed to be robust against errors in object detection. 13 | They find that a success rate of over 98% is needed for existing attack methods to actually affect the tracking results. No existing attack technique can satisfy. 14 | 15 | They claim they are the first to study adversarial machine learning attacks considering the **complete visual perception pipeline** in autonomous driving. 16 | ## Methods 17 | - Focus on track-by-detection pipeline. 18 | - Generate a patch to fool the object detector with **two adversarial goals**: 19 | - Erase the bounding box of target object from detection result 20 | - fabricate a bounding box with similar shape that is shifted a little bit towards an attacker-specified direction. 21 | - The interesting part is the fabricated bounding box is associated with the original tracker of target object in the tracking result, which is called *hijacking of the tracker*. **The tracker hijacking gives a fake velocity towards the attacker-desired direction to the tracker and lasts for only one frame. 
But its adversarial effects can last tens of frames, depending on the MOT parameters $R, H$.** 22 | - In practice, hijacking achieves a nearly 100% success rate when 3 consecutive frames are successfully attacked. 23 | - Two critical steps: 24 | - **Finding the optimal position for the adversarial bounding box.** 25 | - **Generating an adversarial patch against object detection.** 26 | 27 | ## Insights 28 | - Our key insight is that although it is highly difficult to directly create a tracker for fake objects or delete a tracker for existing objects, we can carefully design AEs to attack the tracking error reduction process in MOT and deviate the tracking results of existing objects towards an attacker-desired moving direction. Such a process is designed for increasing the robustness of the tracking results. 29 | -------------------------------------------------------------------------------- /2020/Heat_and_Blur_An_Effective_and_Fast_Defense_Against_Adversarial_Examples.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{2020arXiv200307573B, 3 | archivePrefix = {arXiv}, 4 | arxivId = {cs.CV/2003.07573}, 5 | author = {Brama, Haya and Grinshpoun, Tal}, 6 | eprint = {2003.07573}, 7 | journal = {arXiv e-prints}, 8 | keywords = {Computer Science - Computer Vision and Pattern Rec,Computer Science - Machine Learning,Computer Science - Neural and Evolutionary Computi}, 9 | month = {mar}, 10 | pages = {arXiv:2003.07573}, 11 | primaryClass = {cs.CV}, 12 | title = {{Heat and Blur: An Effective and Fast Defense Against Adversarial Examples}}, 13 | year = {2020} 14 | } 15 | ``` 16 | 17 | ## Motivation 18 | Some existing methods can increase NNs' robustness, but they often require special architectures or training procedures and are irrelevant to already trained models. 19 | 20 | ## Methods 21 | It claims that the NN preserves the same information about the correct labels for benign and adversarial images, illustrated as a heatmap. 22 | 23 | Basically, it produces a heatmap to identify the primary object. It looks like a kind of attention. -------------------------------------------------------------------------------- /2020/High_Frequency_Component_Helps_Explain_the_Generalization_of_Convolutional_Neural_Networks.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{Wang_2020_CVPR, 3 | author = {Wang, Haohan and Wu, Xindi and Huang, Zeyi and Xing, Eric P}, 4 | booktitle = {Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)}, 5 | month = {jun}, 6 | title = {{High-Frequency Component Helps Explain the Generalization of Convolutional Neural Networks}}, 7 | year = {2020} 8 | } 9 | ``` 10 | ## Summary 11 | ## Motivation 12 | ## Method(s) 13 | ## Evaluation 14 | ## Conclusion 15 | 1. CNNs may capture high-frequency components that are misaligned with human visual preference, resulting in generalization mysteries such as the paradox of learning label-shuffled data and adversarial vulnerability. 16 | 2. Heuristics that improve accuracy (Mix-up and BatchNorm) may encourage capturing HFC. 17 | 3.
Adversarially robust models tend to have smooth convolutional kernels, but the reverse is not always true. 18 | ## Related work -------------------------------------------------------------------------------- /2020/Improving_Adversarial_Robustness_Requires_Revisiting_Misclassified_Examples.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{wang2020improving, 3 | author = {Wang, Yisen and Zou, Difan and Yi, Jinfeng and Bailey, James and Ma, Xingjun and Gu, Quanquan}, 4 | booktitle = {International Conference on Learning Representations}, 5 | title = {{Improving Adversarial Robustness Requires Revisiting Misclassified Examples}}, 6 | url = {https://openreview.net/forum?id=rklOg6EFwS}, 7 | year = {2020} 8 | } 9 | ``` 10 | ## Motivation 11 | The manipulation of misclassified examples has more impact on the final robustness, and the minimization techniques are more crucial than maximization ones under the min-max optimization framework. 12 | 13 | ![](../pics/fig1_wang2020improving.png) 14 | 15 | ![](../pics/eqn8_wang2020improving.png) 16 | 17 | ![](../pics/tab1_wang2020improving.png) 18 | 19 | ## Thoughts 20 | A high-quality paper! -------------------------------------------------------------------------------- /2020/Jacobian_Adversarially_Regularized_Networks_for_Robustness.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{chan2020jacobian, 3 | author = {Chan, Alvin and Tay, Yi and Ong, Yew Soon and Fu, Jie}, 4 | booktitle = {International Conference on Learning Representations}, 5 | title = {{Jacobian Adversarially Regularized Networks for Robustness}}, 6 | url = {https://openreview.net/forum?id=Hke0V1rKPS}, 7 | year = {2020} 8 | } 9 | ``` 10 | ## Motivation 11 | Previous studies have pointed out that robust models that have undergone adversarial training tend to produce **more salient and interpretable Jacobian matrices** than their non-robust counterparts. 12 | 13 | ## Methods 14 | Jacobian Adversarially Regularized Networks (JARN). The classifier learns to produce salient Jacobians with a regularization objective that fools a discriminator network into classifying them as input images. 15 | 16 | ![](../pics/fig1_chan2020jacobian.png) 17 | ![](../pics/algo1_chan2020jacobian.png) 18 | 19 | ## Thoughts 20 | Can I use a regularization on denoising? 21 | -------------------------------------------------------------------------------- /2020/Manifold_regularization_for_adversarial_robustness.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{jin2020manifold, 3 | author = {Jin, Charles and Rinard, Martin}, 4 | journal = {arXiv preprint arXiv:2003.04286}, 5 | title = {{Manifold regularization for adversarial robustness}}, 6 | year = {2020} 7 | } 8 | ``` 9 | ## Summary 10 | This paper uses manifold regularization to achieve the goal of local stability, and improves adversarial robustness. 11 | 12 | ## Motivation 13 | #### Local stability 14 | The key insight is learning a function which does not vary much in small neighborhoods of natural inputs, **even if the network classifies incorrectly**. (This is a big difference from adversarial training.) 15 | 16 | ## Method(s) 17 | Manifold regularization is based on the assumption that the input data is not drawn uniformly from the input domain $X$, but rather supported on a submanifold $M \subset X$.
18 | 19 | A function $f$ is $\epsilon$-stable at an input $x$ if there does not exist a perturbation $x'$ in the $\epsilon$-neighborhood of $x$ such that $f(x) \neq f(x')$. 20 | 21 | ### Stochastic Manifold Regularization 22 | $$\|f\|_{I}^{2} \approx \frac{1}{N_{b}^{2}} \sum_{i, j=1}^{N_{b}}\left(f\left(x_{i}\right)-f\left(x_{j}\right)\right)^{2} W_{i, j},$$ 23 | where the sum is over the samples in a mini-batch. 24 | 25 | One benefit of this approach is that the regularization comes at nearly zero overhead when training via stochastic gradient descent. 26 | 27 | ### Hamming Embeddings 28 | $\epsilon$-stability clearly modifies the intrinsic geometry by expanding the input submanifold to its $\epsilon$-neighborhood; furthermore, the density of this expanded manifold should be fairly constant in every $\epsilon$-ball, since every point in the $\epsilon$-ball is equally “important” for evaluation. 29 | 30 | One obvious way to extend the previous approach for $\epsilon$-stability is to simply replace every input with a random perturbation from its $\epsilon$-ball at training time. 31 | **The intrinsic geometry is often assumed to be a much lower dimensional submanifold, while the $\epsilon$-ball lifts the submanifold back to the full dimension of the ambient space, and thus may require much higher sample complexity to learn. Indeed, as our experiments show, this approach can actually hurt the robustness of the network.** 32 | 33 | $$\|H(\cdot ; \theta)\|_{I}^{2} \approx \frac{1}{N^{2}} \sum_{i=1}^{N} H\left(x_{i}^{+}, x_{i}^{-} ; \theta\right)^{2} W_{i^{+}, i^{-}}$$ 34 | 35 | ## Evaluation 36 | ![](../pics/tab1_jin2020manifold.png) 37 | ## Conclusion 38 | 1. Higher adversarial and natural robustness. 39 | 2. This suggests that encouraging the network to be locally stable on the intrinsic geometry of the input submanifold leads to fundamentally different optima than using adversarial examples. 40 | 3. No inner optimization loop to find strong perturbations at training time. 41 | 42 | 43 | ## Reference 44 | 1. Manifold regularization: A geometric framework for learning from labeled and unlabeled examples 45 | 2. Taehoon Lee, Minsuk Choi, and Sungroh Yoon. Manifold regularized deep neural networks using adversarial examples, 2015. -------------------------------------------------------------------------------- /2020/On_Robustness_of_Neural_Ordinary_Differential_Equations.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{YAN2020On, 3 | author = {YAN, Hanshu and DU, Jiawei and TAN, Vincent and FENG, Jiashi}, 4 | booktitle = {International Conference on Learning Representations}, 5 | title = {{On Robustness of Neural Ordinary Differential Equations}}, 6 | url = {https://openreview.net/forum?id=B1e9Y2NYvS}, 7 | year = {2020} 8 | } 9 | ``` 10 | ## Motivation 11 | The robustness of neural ODEs is unclear. 12 | 13 | In contrast to conventional convolutional neural networks (CNNs), we find that the ODENets are more robust against both random Gaussian perturbations and adversarial examples. 14 | 15 | Our work suggests that, due to their intrinsic robustness, it is promising to use neural ODEs as a basic block for building robust deep network models. 16 | 17 | The non-intersecting property indicates that an integral curve starting from some point is constrained by the integral curves starting from that point's neighbourhood. Thus, in an ODENet, if a correctly classified datum is slightly perturbed, the integral curve associated with its perturbed version will not change too much from the original one. In this sense, there is an intrinsic robustness regularization in ODENets which is absent from CNNs.
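A tiny numerical illustration of the non-intersecting property (my own toy example, unrelated to the paper's code): two nearby initial states integrated under the same scalar ODE stay close, because trajectories of an ODE with a Lipschitz right-hand side cannot cross.

```python
import numpy as np

def f(t, z):
    # arbitrary smooth (Lipschitz) dynamics; uniqueness of solutions => non-crossing curves
    return -np.sin(z) + 0.1 * np.cos(t)

def integrate(z0, t0=0.0, t1=5.0, steps=500):
    """Forward-Euler integration of dz/dt = f(t, z) starting from z(t0) = z0."""
    z, t = z0, t0
    dt = (t1 - t0) / steps
    for _ in range(steps):
        z = z + dt * f(t, z)
        t += dt
    return z

z_clean = integrate(0.50)
z_perturbed = integrate(0.52)          # slightly perturbed initial state
print(abs(z_clean - z_perturbed))      # stays small: the perturbed curve is pinned near the clean one
```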
18 | 19 | Motivated by this property of the neural ODE flow, we attempt to explore a more robust neural ODE architecture by introducing stronger regularization on the flow. 20 | 21 | We thus propose a Time-Invariant Steady neural ODE (TisODE). The TisODE removes the time dependence of the dynamics in an ODE and imposes a steady-state constraint on the integral curves. -------------------------------------------------------------------------------- /2020/Out_of_Distribution_Generalization_via_Risk_Extrapolation.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @misc{krueger2020outofdistribution, 3 | archivePrefix = {arXiv}, 4 | arxivId = {cs.LG/2003.00688}, 5 | author = {Krueger, David and Caballero, Ethan and Jacobsen, Joern-Henrik and Zhang, Amy and Binas, Jonathan and Priol, Remi Le and Courville, Aaron}, 6 | eprint = {2003.00688}, 7 | primaryClass = {cs.LG}, 8 | title = {{Out-of-Distribution Generalization via Risk Extrapolation (REx)}}, 9 | year = {2020} 10 | } 11 | ``` 12 | This paper introduces risk extrapolation as a new method to generalize outside of the training distribution. 13 | 14 | However, it cannot be used for adversarial examples. -------------------------------------------------------------------------------- /2020/Pay_Attention_to_Features_Transfer_Learn_Faster_CNNs.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{Wang2020Pay, 3 | author = {Wang, Kafeng and Gao, Xitong and Zhao, Yiren and Li, Xingjian and Dou, Dejing and Xu, Cheng-Zhong}, 4 | booktitle = {International Conference on Learning Representations}, 5 | title = {{Pay Attention to Features, Transfer Learn Faster CNNs}}, 6 | url = {https://openreview.net/forum?id=ryxyCeHtPB}, 7 | year = {2020} 8 | } 9 | ``` 10 | In distillation, transferring only logits might not be enough. -------------------------------------------------------------------------------- /2020/Robust_And_Interpretable_Blind_Image_Denoising_Via_Bias_Free_Convolutional_Neural_Networks.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{Mohan2020Robust, 3 | author = {Mohan, Sreyas and Kadkhodaie, Zahra and Simoncelli, Eero P and Fernandez-Granda, Carlos}, 4 | booktitle = {International Conference on Learning Representations}, 5 | file = {:E$\backslash$:/GoogleDrive/{\#}BAI TAO{\#} Adversarial ML/Mendeley/2020 - Robust And Interpretable Blind Image Denoising Via Bias-Free Convolutional Neural Networks.pdf:pdf}, 6 | title = {{Robust And Interpretable Blind Image Denoising Via Bias-Free Convolutional Neural Networks}}, 7 | url = {https://openreview.net/forum?id=HJlSmC4FPS}, 8 | year = {2020} 9 | } 10 | ``` 11 | Can I use this Bias-Free CNN to denoise adversarial images? Like the high-level representation guided denoiser, it is trained on adversarial images with the same noise constraints, and thus can be broken by adversarial examples with different noise magnitudes.
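The bias-free idea is simple to prototype: strip every additive term so the network is positively homogeneous and therefore behaves consistently across noise levels. A minimal PyTorch sketch of my own (not the authors' implementation; batch norm is omitted because its mean subtraction and shift are also additive terms that the paper handles specially):

```python
import torch.nn as nn

class BiasFreeCNN(nn.Module):
    """Toy bias-free denoiser: stacked convolutions with bias=False everywhere.

    With no additive terms and ReLU activations the network satisfies
    f(alpha * x) = alpha * f(x) for alpha > 0, which is the property that
    lets it generalize across unseen noise magnitudes.
    """
    def __init__(self, channels=64, depth=5):
        super().__init__()
        layers = [nn.Conv2d(1, channels, 3, padding=1, bias=False), nn.ReLU(inplace=True)]
        for _ in range(depth - 2):
            layers += [nn.Conv2d(channels, channels, 3, padding=1, bias=False), nn.ReLU(inplace=True)]
        layers += [nn.Conv2d(channels, 1, 3, padding=1, bias=False)]
        self.net = nn.Sequential(*layers)

    def forward(self, x):
        return self.net(x)
```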
-------------------------------------------------------------------------------- /2020/Robust_Local_Features_for_Improving_the_Generalization_of_Adversarial_Training.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{song2020robust, 3 | author = {Song, Chuanbiao and He, Kun and Lin, Jiadong and Wang, Liwei and Hopcroft, John E}, 4 | booktitle = {International Conference on Learning Representations}, 5 | title = {{Robust Local Features for Improving the Generalization of Adversarial Training}}, 6 | url = {https://openreview.net/forum?id=H1lZJpVFvr}, 7 | year = {2020} 8 | } 9 | ``` 10 | This paper points out that adversarially trained models are more biased towards global structure features. It investigates the relationship between the generalization of adversarial training and robust local features. 11 | 12 | To learn local features, they propose Random Block Shuffle (RBS) to break up the global structure of the images while retaining the local features. 13 | ![](../pics/fig1_song2020robust.png) 14 | 15 | Generalized RBS adversarial training (RBSAT). 16 | ![](../pics/eqn7_song2020robust.png) 17 | 18 | 19 | For feature alignment: 20 | ![](../pics/eqn9_song2020robust.png) -------------------------------------------------------------------------------- /2020/Sponge_Examples_Energy_Latency_Attacks_on_Neural_Networks.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @misc{shumailov2020sponge, 3 | title={Sponge Examples: Energy-Latency Attacks on Neural Networks}, 4 | author={Ilia Shumailov and Yiren Zhao and Daniel Bates and Nicolas Papernot and Robert Mullins and Ross Anderson}, 5 | year={2020}, 6 | eprint={2006.03463}, 7 | archivePrefix={arXiv}, 8 | primaryClass={cs.LG} 9 | } 10 | ``` -------------------------------------------------------------------------------- /2020/Supervised_Contrastive_Learning.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{2020arXiv200411362K, 3 | archivePrefix = {arXiv}, 4 | arxivId = {cs.LG/2004.11362}, 5 | author = {Khosla, Prannay and Teterwak, Piotr and Wang, Chen and Sarna, Aaron and Tian, Yonglong and Isola, Phillip and Maschinot, Aaron and Liu, Ce and Krishnan, Dilip}, 6 | eprint = {2004.11362}, 7 | journal = {arXiv e-prints}, 8 | keywords = {Computer Science - Computer Vision and Pattern Rec,Computer Science - Machine Learning,Statistics - Machine Learning}, 9 | month = {apr}, 10 | pages = {arXiv:2004.11362}, 11 | primaryClass = {cs.LG}, 12 | title = {{Supervised Contrastive Learning}}, 13 | year = {2020} 14 | } 15 | ``` 16 | It considers hard positives and hard negatives. 17 | 18 | ![](../pics/eqn3_2020arXiv200411362K.png) 19 |
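A rough PyTorch sketch of the supervised contrastive loss shown in the equation above (my own simplified version, not the official implementation), assuming L2-normalized embeddings `z` of shape (N, d) and integer labels `y`:

```python
import torch

def supcon_loss(z, y, tau=0.1):
    """Simplified supervised contrastive loss (a sketch, not the official code).

    z: (N, d) L2-normalized embeddings, y: (N,) integer class labels.
    For each anchor, positives are all other samples with the same label;
    the denominator runs over every sample except the anchor itself.
    """
    n = z.size(0)
    sim = z @ z.t() / tau                                   # (N, N) scaled cosine similarities
    eye = torch.eye(n, dtype=torch.bool, device=z.device)
    sim = sim.masked_fill(eye, -1e9)                        # drop the anchor from the denominator
    log_prob = sim - torch.logsumexp(sim, dim=1, keepdim=True)
    pos = ((y.unsqueeze(0) == y.unsqueeze(1)) & ~eye).float()
    # mean log-probability over each anchor's positives, averaged over anchors
    return -((log_prob * pos).sum(1) / pos.sum(1).clamp(min=1)).mean()
```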
-------------------------------------------------------------------------------- /2020/Triple_Wins_Boosting_Accuracy_Robustness_and_Efficiency_Together_by_Enabling_Input_Adaptive_Inference.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @inproceedings{huang2018multiscale, 3 | author = {Huang, Gao and Chen, Danlu and Li, Tianhong and Wu, Felix and van der Maaten, Laurens and Weinberger, Kilian}, 4 | booktitle = {International Conference on Learning Representations}, 5 | title = {{Multi-Scale Dense Networks for Resource Efficient Image Classification}}, 6 | url = {https://openreview.net/forum?id=Hk2aImxAb}, 7 | year = {2018} 8 | } 9 | ``` 10 | - We assume that the final prediction will be one chosen (NOT fused) from $[\hat{y}_1, \ldots, \hat{y}_N]$ via some deterministic strategy. (**Is it better than fusing?** I found the answer in a later paper: this paper aims at efficiency, so a fused prediction can actually be better than a chosen one.) 11 | 12 | I wanted to propose a similar method, but I don't care about efficiency. -------------------------------------------------------------------------------- /2020/Wavelet_Integrated_CNNs_for_Noise_Robust_Image_Classification.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @misc{li2020wavelet, 3 | archivePrefix = {arXiv}, 4 | arxivId = {cs.CV/2005.03337}, 5 | author = {Li, Qiufu and Shen, Linlin and Guo, Sheng and Lai, Zhihui}, 6 | eprint = {2005.03337}, 7 | primaryClass = {cs.CV}, 8 | title = {{Wavelet Integrated CNNs for Noise-Robust Image Classification}}, 9 | year = {2020} 10 | } 11 | ``` 12 | 13 | Our method applies wavelet transforms to improve the down-sampling operations in deep networks. 14 | 15 | ![](../pics/fig5_li2020wavelet.png) -------------------------------------------------------------------------------- /2020/What_it_Thinks_is_Important_is_Important_Robustness_Transfers_through_Input_Gradients.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{2019arXiv191205699C, 3 | archivePrefix = {arXiv}, 4 | arxivId = {cs.LG/1912.05699}, 5 | author = {Chan, Alvin and Tay, Yi and Ong, Yew-Soon}, 6 | eprint = {1912.05699}, 7 | journal = {arXiv e-prints}, 8 | month = {dec}, 9 | pages = {arXiv:1912.05699}, 10 | primaryClass = {cs.LG}, 11 | title = {{What it Thinks is Important is Important: Robustness Transfers through Input Gradients}}, 12 | year = {2019} 13 | } 14 | ``` 15 | 16 | ## Motivation 17 | Learned weights of models robust to adversarial perturbations were previously found to be transferable across different tasks, but this applies only if the model architecture for the source and target tasks is the same. 18 | 19 | Input gradients characterize how small changes at each input pixel affect the model output. 20 | 21 | ## Methods 22 | Input gradient adversarial matching (IGAM). 23 | The core idea behind our approach is to train a student 24 | model with an adversarial objective to fool a discriminator into perceiving the student's input gradients as those from a robust teacher model. To transfer across different tasks, the teacher model's logit layer is first briefly finetuned on the target task's data. 25 | 26 | ![](./../pics/algo1_2019arXiv191205699C.png) 27 | 28 | ![](./../pics/fig2_2019arXiv191205699C.png) 29 | 30 | ## Thoughts 31 | I think it is similar to distillation in some ways. Can I adapt it for distillation?
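The input-gradient matching idea is easy to prototype. A minimal sketch of my own (the paper uses a discriminator rather than this plain L2 matching) that pulls a student's input gradients toward a frozen robust teacher's:

```python
import torch
import torch.nn.functional as F

def input_gradient(model, x, y, create_graph=False):
    """Gradient of the cross-entropy loss w.r.t. the input pixels."""
    x = x.clone().requires_grad_(True)
    loss = F.cross_entropy(model(x), y)
    (grad,) = torch.autograd.grad(loss, x, create_graph=create_graph)
    return grad

def gradient_matching_loss(student, teacher, x, y, lam=1.0):
    # Task loss plus a penalty for deviating from the robust teacher's input gradients;
    # create_graph=True on the student side so the penalty is differentiable w.r.t. its weights.
    task = F.cross_entropy(student(x), y)
    g_student = input_gradient(student, x, y, create_graph=True)
    g_teacher = input_gradient(teacher, x, y).detach()
    return task + lam * F.mse_loss(g_student, g_teacher)
```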
-------------------------------------------------------------------------------- /2021/On_the_Limitations_of_Denoising_Strategies_as_Adversarial_Defenses.md: -------------------------------------------------------------------------------- 1 | ``` 2 | @article{niu2020limitations, 3 | author = {Niu, Zhonghan and Chen, Zhaoxi and Li, Linyi and Yang, Yubin and Li, Bo and Yi, Jinfeng}, 4 | journal = {arXiv preprint arXiv:2012.09384}, 5 | title = {{On the Limitations of Denoising Strategies as Adversarial Defenses}}, 6 | year = {2020} 7 | } 8 | ``` 9 | 10 | ## Denoising in the spatial domain 11 | For most defense methods, it is very difficult to remove all perturbations precisely without sacrificing benign accuracy, especially for complex images like those in ImageNet. 12 | ## Denoising in the frequency domain 13 | As many works purify their adversarial examples only by filtering out high-frequency components, we suggest that to achieve satisfactory defense performance, the defense should be carried out simultaneously on multiple frequency bands. 14 | ## Denoising in latent space 15 | The main idea is to deal with the vulnerability of individual convolutional filters in DNNs, which reveals the significant impact of adversarial noise in the latent space. 16 | 17 | ## Questions 18 | 1. Section 2.2 states that denoising on multiple frequency bands is useful. However, the experiments are done in the spatial domain rather than in feature space. Are they equivalent? 19 | 2. Cannot understand Fig. 11. 20 | 3. Will double denoising work? -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 taobai 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE.
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![Maintenance](https://img.shields.io/maintenance/yes/2021.svg?color=red&style=plastic) 2 | ![GitHub last commit](https://img.shields.io/github/last-commit/tao-bai/attack-and-defense-methods.svg?style=plastic) 3 | [![Awesome](https://awesome.re/badge.svg?style=flat-square)](https://awesome.re) 4 | 5 | 6 | # About 7 | Inspired by [this repo](https://github.com/aleju/papers) and [ML Writing Month](https://docs.google.com/document/d/15o6m0I8g6O607mk5YPTh33Lu_aQYo7SpHhNSbLPQpWQ/mobilebasic?from=groupmessage#?utm_source=wechat_session&utm_medium=social&utm_oi=624560843380101120). Questions and discussions are most welcome! 8 | 9 | [Lil-log](https://lilianweng.github.io/lil-log/) is the best blog I have ever read! 10 | # Papers 11 | 12 | ## Survey 13 | 1. `TNNLS 2019` [Adversarial Examples: Attacks and Defenses for Deep Learning](https://ieeexplore.ieee.org/document/8611298) 14 | 2. `IEEE ACCESS 2018` [Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey](https://ieeexplore.ieee.org/document/8294186) 15 | 3. `2019` [Adversarial Attacks and Defenses in Images, Graphs and Text: A Review](https://arxiv.org/pdf/1909.08072) 16 | 4. `2019` [A Study of Black Box Adversarial Attacks in Computer Vision](https://arxiv.org/pdf/1912.01667) 17 | 5. `2019` [Adversarial Examples in Modern Machine Learning: A Review](https://arxiv.org/pdf/1911.05268) 18 | 6. `2020` [Opportunities and Challenges in Deep Learning Adversarial Robustness: A Survey](https://arxiv.org/abs/2007.00753) 19 | 7. `TPAMI 2021` [Knowledge Distillation and Student-Teacher Learning for Visual Intelligence: A Review and New Outlooks](https://arxiv.org/pdf/2004.05937) 20 | 8. `2019` [Adversarial attack and defense in reinforcement learning-from AI security view](https://arxiv.org/pdf/1901.06796) 21 | 9. `2020` [A Survey of Privacy Attacks in Machine Learning](https://arxiv.org/abs/2007.07646) 22 | 10. `2020` [Learning from Noisy Labels with Deep Neural Networks: A Survey](https://arxiv.org/abs/2007.08199) 23 | 11. `2020` [Optimization for Deep Learning: An Overview](https://link.springer.com/epdf/10.1007/s40305-020-00309-6?sharing_token=Xv0f6yBzgc1QnNAUbQ9pufe4RwlQNchNByi7wbcMAY56wZ54Vxigc8CL-kHvhiYpSthXAu14ZSiMmkrVuqUSJUCRoWymQqZbEnVDQvz2sEBOiX8dkkGxS7bI7irClme0cEKnUtpyPIJONJQQDAiWTskwNws64eAd2xKnqi3nYOY%3D) 24 | 12. `2020` [Backdoor Attacks and Countermeasures on Deep Learning: A Comprehensive Review](https://arxiv.org/abs/2007.10760) 25 | 13. `2020` [Learning from Noisy Labels with Deep Neural Networks: A Survey](https://arxiv.org/pdf/2007.08199) 26 | 14. `2020` [Adversarial Machine Learning in Image Classification: A Survey Towards the Defender's Perspective](https://arxiv.org/pdf/2009.03728) 27 | 15. `2020` [Efficient Transformers: A Survey](https://arxiv.org/abs/2009.06732) 28 | 16. `2019` [A Survey of Black-Box Adversarial Attacks on Computer Vision Models](https://arxiv.org/abs/1912.01667) 29 | 17. `2020` [Backdoor Learning: A Survey](https://arxiv.org/abs/2007.08745) 30 | 18. `2020` [Transformers in Vision: A Survey](https://arxiv.org/abs/2101.01169) 31 | 19. `2020` [A Survey on Neural Network Interpretability](https://arxiv.org/abs/2012.14261) 32 | 20. `2020`[A Survey of Privacy Attacks in Machine Learning](https://arxiv.org/abs/2007.07646) 33 | 21. 
`2020` [Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses](https://arxiv.org/pdf/2012.10544) 34 | 22. `2021` [**Recent Advances in Adversarial Training for Adversarial Robustness**](https://arxiv.org/abs/2102.01356) (**Our work, accepted by IJCAI 2021**) 35 | 23. `2021` [Explainable Artificial Intelligence Approaches: A Survey](https://arxiv.org/abs/2101.09429) 36 | 24. `2021` [A Survey on Understanding, Visualizations, and Explanation of Deep Neural Networks](https://arxiv.org/abs/2102.01792) 37 | 25. `2020` [A survey on Semi-, Self- and Unsupervised Learning for Image Classification](https://arxiv.org/abs/2002.08721) 38 | 26. `2021` [Model Complexity of Deep Learning: A Survey](https://arxiv.org/abs/2103.05127) 39 | 27. `2021` [Deep Generative Modelling: A Comparative Review of VAEs, GANs, Normalizing Flows, Energy-Based and Autoregressive Models](https://arxiv.org/abs/2103.04922) 40 | 28. `2021` [Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses](https://arxiv.org/abs/2012.10544) 41 | 29. `2019` [Advances and Open Problems in Federated Learning](https://arxiv.org/pdf/1912.04977.pdf) 42 | 30. `2021` [Countering Malicious DeepFakes: Survey, Battleground, and Horizon](https://arxiv.org/pdf/2103.00218.pdf) 43 | 44 | ## Attack 45 | ### 2013 46 | 1. `ICLR` [Evasion Attacks against Machine Learning at Test Time](./2013/Evasion_attacks_against_machine_learning_at_test_time.md) 47 | 48 | 49 | ### 2014 50 | 1. `ICLR` [Intriguing properties of neural networks](./2014/Intriguing_properties_of_neural_networks.md) 51 | 2. `ARXIV` [Identifying and attacking the saddle point problem in 52 | high-dimensional non-convex optimization] 53 | 54 | 55 | ### 2015 56 | 1. `ICLR` [Explaining and Harnessing Adversarial Examples](./2015/Explaining_and_Harnessing_Adversarial_Examples.md) 57 | 58 | 59 | ### 2016 60 | 1. `EuroS&P` [The limitations of deep learning in adversarial settings](./2016/The_limitations_of_deep_learning_in_adversarial_settings.md) 61 | 2. `CVPR` [Deepfool](./2016/DeepFool.md) 62 | 3. `SP` [C&W Towards evaluating the robustness of neural networks](./2016/Toward_evaluating_the_robustness_of_neural_networks.md) 63 | 4. `Arxiv` [Transferability in machine learning: from phenomena to black-box attacks using adversarial samples](./2016/Transferability_in_machine_learning.md) 64 | 5. `NIPS` [Adversarial Images for Variational Autoencoders] 65 | 6. `ARXIV` [A boundary tilting persepective on the phenomenon of adversarial examples] 66 | 7. `ARXIV` [Adversarial examples in the physical world] 67 | 68 | 69 | ### 2017 70 | 1. `ICLR` [Delving into Transferable Adversarial Examples and Black-box Attacks](./2017/Delving_into_Transferable_Adversarial_Examples_and_Black-box_Attacks.md) 71 | 2. `CVPR` [Universal Adversarial Perturbations](./2017/Universal_Adversarial_Perturbations.md) 72 | 3. `ICCV` [Adversarial Examples for Semantic Segmentation and Object Detection](./2017/Adversarial_Examples_for_Semantic_Segmentation_and_Object_Detection.md) 73 | 4. `ARXIV` [Adversarial Examples that Fool Detectors](./2017/Adversarial_Examples_that_Fool_Detectors.md) 74 | 5. `CVPR` [A-Fast-RCNN: Hard Positive Generation via Adversary for Object Detection](./2017/A-Fast-RCNN_Hard_Positive_Generation_via_Adversary_for_Object_Detection.md) 75 | 6. `ICCV` [Adversarial Examples Detection in Deep Networks with Convolutional Filter Statistics](./2017/Adversarial_Examples_Detection_in_Deep_Networks_with_Convolutional_Filter_Statistics.md) 76 | 7. 
`AIS` [Adversarial examples are not easily detected: Bypassing ten detection methods] 77 | 8. `ICCV` `UNIVERSAL` [Universal Adversarial Perturbations Against Semantic Image Segmentation] 78 | 9. `ICLR` [Adversarial Machine Learning at Scale] 79 | 10. `ARXIV` [The space of transferable adversarial examples] 80 | 11. `ARXIV` [Adversarial attacks on neural network policies] 81 | 82 | 83 | ### 2018 84 | 1. `ICLR` [Generating Natural Adversarial Examples](./2018/Generating_Natural_Adversarial_Examples.md) 85 | 2. `NeurlPS` [Constructing Unrestricted Adversarial Examples with Generative Models](./2018/Constructing_Unrestricted_Adversarial_Examples_with_Generative_Models.md) 86 | 3. `IJCAI` [Generating Adversarial Examples with Adversarial Networks](./2018/Generating_Adversarial_Examples_with_Adversarial_Networks.md) 87 | 4. `CVPR` [Generative Adversarial Perturbations](./2018/Generative_Adversarial_Perturbations.md) 88 | 5. `AAAI` [Learning to Attack: Adversarial transformation networks](./2017/Adversarial_transformation_networks_Learning_to_generate_adversarial_examples.md) 89 | 6. `S&P` [Learning Universal Adversarial Perturbations with Generative Models](./2018/Learning_Universal_Adversarial_Perturbations_with_Generative_Models.md) 90 | 7. `CVPR` [Robust physical-world attacks on deep learning visual classification](./2018/Robust_physical_world_attacks_on_deep_learning_visual_classification.md) 91 | 8. `ICLR` [Spatially Transformed Adversarial Examples](./2018/SPATIALLY_TRANSFORMED_ADVERSARIAL_EXAMPLES.md) 92 | 9. `CVPR`[Boosting Adversarial Attacks With Momentum](./2018/Boosting_Adversarial_Attacks_With_Momentum.md) 93 | 10. `ICML` [Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples](./2018/Obfuscated_Gradients_Give_a_False_Sense_of_Security_Circumventing_Defenses_to_Adversarial_Examples.md) :thumbsup: 94 | 11. `CVPR` `UNIVERSAL` [Art of Singular Vectors and Universal Adversarial Perturbations] 95 | 12. `ARXIV` [Adversarial Spheres] 96 | 13. `ECCV` [Characterizing adversarial examples based on spatial consistency information for semantic segmentation] 97 | 14. `ARXIV` [Generating natural language adversarial examples] 98 | 15. `SP` [Audio adversarial examples: Targeted attacks on speech-to-text] 99 | 16. `ARXIV` [Adversarial attack on graph structured data] 100 | 17. `ARXIV` [Maximal Jacobian-based Saliency Map Attack (Variants of JAMA)] 101 | 18. `SP` [Exploiting Unintended Feature Leakage in Collaborative Learning] 102 | 103 | 104 | ### 2019 105 | 1. `CVPR` [Feature Space Perturbations Yield More Transferable Adversarial Examples](./2019/Feature_Space_Perturbations_Yield_More_Transferable_Adversarial_Examples.md) 106 | 2. `ICLR` [The Limitations of Adversarial Training and the Blind-Spot Attack](./2019/The_Limitations_of_Adversarial_Training_and_the_Blind-Spot_Attack.md) 107 | 3. `ICLR` [Are adversarial examples inevitable?](./2019/Are_adversarial_examples_inevitable.md) :thought_balloon: 108 | 4. `IEEE TEC` [One pixel attack for fooling deep neural networks](./2019/One_pixel_attack_for_fooling_deep_neural_networks.md) 109 | 5. `ARXIV` [Generalizable Adversarial Attacks Using Generative Models](./2019/Generalizable_Adversarial_Attacks_Using_Generative_Models.md) 110 | 6. 
`ICML` [NATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks](./2019/NATTACK_Learning_the_Distributions_of_Adversarial_Examples_for_an_Improved_Black_Box_Attack_on_Deep_Neural_Networks.md):thought_balloon: 111 | 7. `ARXIV` [SemanticAdv: Generating Adversarial Examples via Attribute-conditional Image Editing](./2019/SemanticAdv_Generating_Adversarial_Examples_via_Attribute_conditional_Image_Editing.md) 112 | 8. `CVPR` [Rob-GAN: Generator, Discriminator, and Adversarial Attacker](./2019/Rob_GAN_Generator_Discriminator_and_Adversarial_Attacker.md) 113 | 9. `ARXIV` [Cycle-Consistent Adversarial {GAN:} the integration of adversarial attack and defense](./2019/Cycle_Consistent_Adversarial_{GAN}_the_integration_of_adversarial_attack_and_defense.md) 114 | 10. `ARXIV` [Generating Realistic Unrestricted Adversarial Inputs using Dual-Objective {GAN} Training](./2019/Generating_Realistic_Unrestricted_Adversarial_Inputs_using_Dual_Objective_{GAN}_Training.md) :thought_balloon: 115 | 11. `ICCV` [Sparse and Imperceivable Adversarial Attacks](./2019/Sparse_and_Imperceivable_Adversarial_Attacks.md):thought_balloon: 116 | 12. `ARXIV` [Perturbations are not Enough: Generating Adversarial Examples with Spatial Distortions](2019/Perturbations_are_not_Enough_Generating_Adversarial_Examples_with_Spatial_Distortions.md) 117 | 13. `ARXIV` [Joint Adversarial Training: Incorporating both Spatial and Pixel Attacks](2019/Joint_Adversarial_Training_Incorporating_both_Spatial_and_Pixel_Attacks.md) 118 | 14. `IJCAI` [Transferable Adversarial Attacks for Image and Video Object Detection](./2019/Transferable_Adversarial_Attacks_for_Image_and_Video_Object_Detection.md) 119 | 15. `TPAMI` [Generalizable Data-Free Objective for Crafting Universal Adversarial Perturbations](./2019/Generalizable_Adversarial_Attacks_Using_Generative_Models.md) 120 | 16. `CVPR` [Decoupling Direction and Norm for Efficient Gradient-Based L2 Adversarial Attacks and Defenses](./2019/Decoupling_Direction_and_Norm_for_Efficient_Gradient_Based_L2_Adversarial_Attacks_and_Defenses.md) 121 | 17. `CVPR` [FDA: Feature Disruptive Attack] 122 | 18. `ARXIV` [SmoothFool: An Efficient Framework for Computing Smooth Adversarial Perturbations] 123 | 19. `CVPR` [SparseFool: a few pixels make a big difference] 124 | 20. `ICLR` [Adversarial Attacks on Graph Neural Networks via Meta Learning] 125 | 21. `NeurIPS` [Deep Leakage from Gradients] 126 | 22. `CCS` [Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-box Inference Attacks against Centralized and Federated Learning] 127 | 23. `ICCV` [Universal Perturbation Attack Against Image Retrieval] 128 | 24. `ICCV` [Enhancing Adversarial Example Transferability with an Intermediate Level Attack] 129 | 25. `CVPR` [Evading Defenses to Transferable Adversarial Examples by Translation-Invariant Attacks] 130 | 26. `ICLR` [ADef: an Iterative Algorithm to Construct Adversarial Deformations] 131 | 27. `Neurips` [iDLG: Improved deep leakage from gradients.] 132 | 28. `ARXIV` [Reversible Adversarial Attack based on Reversible Image Transformation] 133 | 29. `CCS` [Seeing isn’t Believing: Towards More Robust Adversarial Attack Against Real World Object Detectors] 134 | 30. `NeurIPS` [Learning to Confuse: Generating Training Time Adversarial Data with Auto-Encoder] 135 | 136 | ### 2020 137 | 1. 
`ICLR` [Fooling Detection Alone is Not Enough: Adversarial Attack against Multiple Object Tracking](./2020/Fooling_Detection_Alone_is_Not_Enough_Adversarial_Attack_against_Multiple_Object_Tracking.md):thought_balloon: 138 | 2. `ARXIV` [Sponge Examples: Energy-Latency Attacks on Neural Networks] 139 | 3. `ICML` [Minimally distorted Adversarial Examples with a Fast Adaptive Boundary Attack] 140 | 4. `ICML` [Stronger and Faster Wasserstein Adversarial Attacks] 141 | 5. `CVPR` [QEBA: Query-Efficient Boundary-Based Blackbox Attack] 142 | 6. `ECCV` [New Threats Against Object Detector with Non-local Block] 143 | 7. `ARXIV` [Towards Imperceptible Universal Attacks on Texture Recognition] 144 | 8. `ECCV` [Frequency-Tuned Universal Adversarial Attacks] 145 | 9. `AAAI` [Learning Transferable Adversarial Examples via Ghost Networks] 146 | 10. `ECCV` [SPARK: Spatial-aware Online Incremental Attack Against Visual Tracking] 147 | 11. `Neurips` [Inverting Gradients - How easy is it to break privacy in federated learning?] 148 | 12. `ICLR` [Nesterov Accelerated Gradient and Scale Invariance for Adversarial Attacks] 149 | 13. `NeurIPS` [On Adaptive Attacks to Adversarial Example Defenses] 150 | 14. `AAAI` [Beyond Digital Domain: Fooling Deep Learning Based Recognition System in Physical World] 151 | 15. `ARXIV` [Adversarial Color Enhancement: Generating Unrestricted Adversarial Images by Optimizing a Color Filter] 152 | 16. `CVPR` [Adversarial Camouflage: Hiding Physical-World Attacks With Natural Styles] 153 | 17. `CVPR` [Universal Physical Camouflage Attacks on Object Detectors] [code](https://github.com/mesunhlf/UPC-tf) 154 | 18. `ARXIV` [Understanding Object Detection Through An Adversarial Lens] 155 | 19. `CIKM` [Can Adversarial Weight Perturbations Inject Neural Backdoors?] 156 | 20. `ICCV` [Semantic Adversarial Attacks: Parametric Transformations That Fool Deep Classifiers] 157 | 158 | ### 2021 159 | 1. `ARXIV` [On Generating Transferable Targeted Perturbations] 160 | 2. `CVPR` [See through Gradients: Image Batch Recovery via GradInversion] :thumbsup: 161 | 3. `ARXIV` [Admix: Enhancing the Transferability of Adversarial Attacks] 162 | 4. `ARXIV` [Deep Image Destruction: A Comprehensive Study on Vulnerability of Deep Image-to-Image Models against Adversarial Attacks] 163 | 5. `ARXIV` [Poisoning the Unlabeled Dataset of Semi-Supervised Learning] **Carlini** 164 | 6. `ARXIV` [AdvHaze: Adversarial Haze Attack] 165 | 7. `CVPR` [LAFEAT : Piercing Through Adversarial Defenses with Latent Features](https://zhuanlan.zhihu.com/p/370521833) 166 | 8. `ARXIV` [IMPERCEPTIBLE ADVERSARIAL EXAMPLES FOR FAKE IMAGE DETECTION] 167 | 9. `ICME` [TRANSFERABLE ADVERSARIAL EXAMPLES FOR ANCHOR FREE OBJECT DETECTION] 168 | 10. `ICLR` [Unlearnable Examples: Making Personal Data Unexploitable] 169 | 11. `ICMLW` [Detecting Adversarial Examples Is (Nearly) As Hard As Classifying Them] 170 | 12. `ARXIV` [Mischief: A Simple Black-Box Attack Against Transformer Architectures] 171 | 13. `ECCV` [Patch-wise Attack for Fooling Deep Neural Network] 172 | 14. `ICCV` [Naturalistic Physical Adversarial Patch for Object Detectors] 173 | 15. `CVPR` [Natural Adversarial Examples] 174 | 16. `ICLR` [WaNet - Imperceptible Warping-based Backdoor Attack] 175 | 176 | ### 2022 177 | 1. `ICLR` [ON IMPROVING ADVERSARIAL TRANSFERABILITY OF VISION TRANSFORMERS] 178 | 2. `TIFS` [Decision-based Adversarial Attack with Frequency Mixup] 179 | 180 | 181 | ## Defence 182 | ### 2014 183 | 1. 
`ARXIV` [Towards deep neural network architectures robust to adversarial examples](2014/Towards_deep_neural_network_architectures_robust_to_adversarial_examples.md) 184 | 185 | ### 2015 186 | 1. [Learning with a strong adversary] 187 | 2. [IMPROVING BACK-PROPAGATION BY ADDING AN ADVERSARIAL GRADIENT] 188 | 3. [Distributional Smoothing with Virtual Adversarial Training] 189 | 190 | 191 | ### 2016 192 | 1. `NIPS` [Robustness of classifiers: from adversarial to random noise](./2016/Robustness_of_classifiers_from_adversarial_to_random_noise.md) :thought_balloon: 193 | 194 | ### 2017 195 | 1. `ARXIV` [Countering Adversarial Images using Input Transformations](./2017/Countering_Adversarial_Images_using_Input_Transformations.md) 196 | 2. `ICCV` [SafetyNet: Detecting and Rejecting Adversarial Examples Robustly] 197 | 3. `Arxiv` [Detecting adversarial samples from artifacts](./2017/Detecting_Adversarial_Samples_from_Artifacts.md) 198 | 4. `ICLR` [On Detecting Adversarial Perturbations](./2017/On_Detecting_Adversarial_Perturbations.md) :thought_balloon: 199 | 5. `ASIA CCS` [Practical black-box attacks against machine learning] 200 | 6. `ARXIV` [The space of transferable adversarial examples] 201 | 7. `ICCV` [Adversarial Examples for Semantic Segmentation and Object Detection] 202 | 203 | ### 2018 204 | 1. `ICLR` [Defense-{GAN}: Protecting Classifiers Against Adversarial Attacks Using Generative Models](./2018/Defense-{GAN}_Protecting_Classifiers_Against_Adversarial_Attacks_Using_Generative_Models.md) 205 | 2. . `ICLR` [Ensemble Adversarial Training: Attacks and Defences](./2018/Ensemble_Adversarial_Training_Attacks_and_Defenses.md) 206 | 3. `CVPR` [Defense Against Universal Adversarial Perturbations](./2018/Defense_Against_Universal_Adversarial_Perturbations.md) 207 | 4. `CVPR` [Deflecting Adversarial Attacks With Pixel Deflection](./2018/Deflecting_Adversarial_Attacks_With_Pixel_Deflection.md) 208 | 5. `TPAMI` [Virtual adversarial training: a regularization method for supervised and semi-supervised learning](./2018/Virtual_adversarial_training_a_regularization_method_for_supervised_and_semi_supervised_learning.md) :thought_balloon: 209 | 6. `ARXIV` [Adversarial Logit Pairing](./2018/Adversarial_Logit_Pairing.md) 210 | 7. `CVPR` [Defense Against Adversarial Attacks Using High-Level Representation Guided Denoiser](./2018/Defense_Against_Adversarial_Attacks_Using_High_Level_Representation_Guided_Denoiser.md) 211 | 8. `ARXIV` [Evaluating and understanding the robustness of adversarial logit pairing](./2018/Evaluating_and_understanding_the_robustness_of_adversarial_logit_pairing.md) 212 | 9. `CCS` [Machine Learning with Membership Privacy Using Adversarial Regularization](./2018/Machine_Learning_with_Membership_Privacy_Using_Adversarial_Regularization.md) 213 | 10. `ARXIV` [On the robustness of the cvpr 2018 white-box adversarial example defenses] 214 | 11. `ICLR` [Thermometer Encoding: One Hot Way To Resist Adversarial Examples] 215 | 12. `IJCAI` [Curriculum Adversarial Training] 216 | 13. `ICLR` [Countering Adversarial Images using Input Transformations] 217 | 14. `CVPR` [Defense Against Adversarial Attacks Using High-Level Representation Guided Denoiser] 218 | 15. `ICLR` [Towards Deep Learning Models Resistant to Adversarial Attacks] 219 | 16. `AAAI` [Improving the Adversarial Robustness and Interpretability of Deep Neural Networks by Regularizing Their Input Gradients] 220 | 17. `NIPS` [Adversarially robust generalization requires more data] 221 | 18. `ARXIV` [Is robustness the cost of accuracy? 
- {A} comprehensive study on the robustness of 18 deep image classification models.] 222 | 19. `ARXIV` [Robustness may be at odds with accuracy] 223 | 20. `ICLR` [PIXELDEFEND: LEVERAGING GENERATIVE MODELS TO UNDERSTAND AND DEFEND AGAINST ADVERSARIAL EXAMPLES] 224 | 225 | ### 2019 226 | 1. `NIPS` [Adversarial Training and Robustness for Multiple Perturbations](./2019/Adversarial_Training_and_Robustness_for_Multiple_Perturbations.md) 227 | 2. `NIPS` [Adversarial Robustness through Local Linearization](./2019/Adversarial_Robustness_through_Local_Linearization.md) 228 | 3. `CVPR` [Retrieval-Augmented Convolutional Neural Networks against Adversarial Examples](./2019/Retrieval_Augmented_Convolutional_Neural_Networks_against_Adversarial_Examples.md) 229 | 4. `CVPR` [Feature Denoising for Improving Adversarial Robustness](./2019/Feature_Denoising_for_Improving_Adversarial_Robustness.md) 230 | 5. `NEURIPS` [A New Defense Against Adversarial Images: Turning a Weakness into a Strength](./2019/A_New_Defense_Against_Adversarial_Images_Turning_a_Weakness_into_a_Strength.md) 231 | 6. `ICML` [Interpreting Adversarially Trained Convolutional Neural Networks](./2019/Interpreting_Adversarially_Trained_Convolutional_Neural_Networks.md) 232 | 7. `ICLR` [Robustness May Be at Odds with Accuracy](./2019/Robustness_May_Be_at_Odds_with_Accuracy.md):thought_balloon: 233 | 8. `IJCAI` [Improving the Robustness of Deep Neural Networks via Adversarial Training with Triplet Loss](./2019/Improving_the_Robustness_of_Deep_Neural_Networks_via_Adversarial_Training_with_Triplet_Loss.md) 234 | 9. `ICML` [Adversarial Examples Are a Natural Consequence of Test Error in Noise](./2019/Adversarial_Examples_Are_a_Natural_Consequence_of_Test_Error_in_Noise.md):thought_balloon: 235 | 10. `ICML` [On the Connection Between Adversarial Robustness and Saliency Map Interpretability](./2019/On_the_Connection_Between_Adversarial_Robustness_and_Saliency_Map_Interpretability.md) 236 | 11. `NeurIPS` [Metric Learning for Adversarial Robustness](./2019/Metric_Learning_for_Adversarial_Robustness.md) 237 | 12. `ARXIV` [Defending Adversarial Attacks by Correcting logits](./2019/Defending_Adversarial_Attacks_by_Correcting_logits.md) 238 | 13. `ICCV` [Adversarial Learning With Margin-Based Triplet Embedding Regularization](./2019/Adversarial_Learning_With_Margin_Based_Triplet_Embedding_Regularization.md) 239 | 14. `ICCV` [CIIDefence: Defeating Adversarial Attacks by Fusing Class-Specific Image Inpainting and Image Denoising](./2019/CIIDefence_Defeating_Adversarial_Attacks_by_Fusing_Class_Specific_Image_Inpainting_and_Image_Denoising.md) 240 | 15. `NIPS` [Adversarial Examples Are Not Bugs, They Are Features](./2019/Adversarial_Examples_Are_Not_Bugs_They_Are_Features.md) 241 | 16. `ICML` [Using Pre-Training Can Improve Model Robustness and Uncertainty](./2019/Using_Pre_Training_Can_Improve_Model_Robustness_and_Uncertainty.md) 242 | 17. `NIPS` [Defense Against Adversarial Attacks Using Feature Scattering-based Adversarial Training](./2019/Defense_Against_Adversarial_Attacks_Using_Feature_Scattering_based_Adversarial_Training.md):thought_balloon: 243 | 18. `ICCV` [Improving Adversarial Robustness via Guided Complement Entropy](/2019/Improving_Adversarial_Robustness_via_Guided_Complement_Entropy.md) 244 | 19. `NIPS` [Robust Attribution Regularization](./2019/Robust_Attribution_Regularization.md) :thought_balloon: 245 | 20. 
`NIPS` [Are Labels Required for Improving Adversarial Robustness?](./2019/Are_Labels_Required_for_Improving_Adversarial_Robustness.md) 246 | 21. `ICLR` [Theoretically Principled Trade-off between Robustness and Accuracy](./2019/Theoretically_Principled_Trade_off_between_Robustness_and_Accuracy.md) 247 | 22. `CVPR` [Adversarial defense by stratified convolutional sparse coding] 248 | 23. `ICML` [On the Convergence and Robustness of Adversarial Training] 249 | 24. `CVPR` [Robustness via Curvature Regularization, and Vice Versa] 250 | 25. `CVPR` [ComDefend: An Efficient Image Compression Model to Defend Adversarial Examples] 251 | 26. `ICML` [Improving Adversarial Robustness via Promoting Ensemble Diversity] 252 | 27. `ICML` [Towards the first adversarially robust neural network model on {MNIST}] 253 | 28. `NIPS` [Unlabeled Data Improves Adversarial Robustness] 254 | 29. `ICCV` [Evaluating Robustness of Deep Image Super-Resolution Against Adversarial Attacks] 255 | 30. `ICML` [Using Pre-Training Can Improve Model Robustness and Uncertainty] 256 | 31. `ARXIV` [Improving adversarial robustness of ensembles with diversity training] 257 | 32. `ICML` [Adversarial Robustness Against the Union of Multiple Perturbation Models] 258 | 33. `CVPR` [Robustness via Curvature Regularization, and Vice Versa] 259 | 34. `NIPS` [Robustness to Adversarial Perturbations in Learning from Incomplete Data] 260 | 35. `ICML` [Improving Adversarial Robustness via Promoting Ensemble Diversity] 261 | 36. `NIPS` [Adversarial Robustness through Local Linearization] 262 | 37. `ARXIV` [Adversarial training can hurt generalization] 263 | 38. `NIPS` [Adversarial training for free!] 264 | 39. `ICLR` [Improving the generalization of adversarial training with domain adaptation] 265 | 40. `CVPR` [Disentangling Adversarial Robustness and Generalization] 266 | 41. `NIPS` [Adversarial Training and Robustness for Multiple Perturbations] 267 | 42. `ICCV` [Bilateral Adversarial Training: Towards Fast Training of More Robust Models Against Adversarial Attacks] 268 | 43. `ICML` [On the Convergence and Robustness of Adversarial Training] 269 | 44. `ICML` [Rademacher Complexity for Adversarially Robust Generalization] 270 | 45. `ARXIV` [Adversarially Robust Generalization Just Requires More Unlabeled Data] 271 | 46. `ARXIV` [You only propagate once: Accelerating adversarial training via maximal principle] 272 | 47. `NIPS` [Cross-Domain Transferability of Adversarial Perturbations](./2019/Cross_Domain_Transferability_of_Adversarial_Perturbations.md) 273 | 48. `ARXIV` [Adversarial Robustness as a Prior for Learned Representations] 274 | 49. `ICLR` [Structured Adversarial Attack: Towards General Implementation and Better Interpretability] 275 | 50. `ICLR` [Defensive Quantization: When Efficiency Meets Robustness] 276 | 51. `NeurIPS` [A New Defense Against Adversarial Images: Turning a Weakness into a Strength] 277 | 278 | ### 2020 279 | 1. `ICLR` [Jacobian Adversarially Regularized Networks for Robustness](./2020/Jacobian_Adversarially_Regularized_Networks_for_Robustness.md) 280 | 2. `CVPR` [What it Thinks is Important is Important: Robustness Transfers through Input Gradients](./2020/What_it_Thinks_is_Important_is_Important_Robustness_Transfers_through_Input_Gradients.md) 281 | 3. `ICLR` [Adversarially Robust Representations with Smooth Encoders](2020/Adversarially_Robust_Representations_with_Smooth_Encoders.md) :thought_balloon: 282 | 4. 
`ARXIV` [Heat and Blur: An Effective and Fast Defense Against Adversarial Examples](./2020/Heat_and_Blur_An_Effective_and_Fast_Defense_Against_Adversarial_Examples.md) 283 | 5. `ICML` [Triple Wins: Boosting Accuracy, Robustness and Efficiency Together by Enabling Input-Adaptive Inference](./2020/Triple_Wins_Boosting_Accuracy_Robustness_and_Efficiency_Together_by_Enabling_Input_Adaptive_Inference.md) 284 | 6. `CVPR` [Wavelet Integrated CNNs for Noise-Robust Image Classification](./2020/Wavelet_Integrated_CNNs_for_Noise_Robust_Image_Classification.md) 285 | 7. `ARXIV` [Deflecting Adversarial Attacks](./2020/Deflecting_Adversarial_Attacks.md) 286 | 8. `ICLR` [Robust Local Features for Improving the Generalization of Adversarial Training](./2020/Robust_Local_Features_for_Improving_the_Generalization_of_Adversarial_Training.md) 287 | 9. `ICLR` [Enhancing Transformation-Based Defenses Against Adversarial Attacks with a Distribution Classifier](./2020/Enhancing_Transformation_Based_Defenses_Against_Adversarial_Attacks_with_a_Distribution_Classifier.md) 288 | 10. `CVPR` [A Self-supervised Approach for Adversarial Robustness](./2020/A_Self_supervised_Approach_for_Adversarial_Robustness.md) 289 | 11. `ICLR` [Improving Adversarial Robustness Requires Revisiting Misclassified Examples](./2019/Improving_the_Robustness_of_Deep_Neural_Networks_via_Adversarial_Training_with_Triplet_Loss.md) :thumbsup: 290 | 12. `ARXIV` [Manifold regularization for adversarial robustness](2020/Manifold_regularization_for_adversarial_robustness.md) 291 | 13. `NeurIPS` [DVERGE: Diversifying Vulnerabilities for Enhanced Robust Generation of Ensembles](./2020/DVERGE_Diversifying_Vulnerabilities_for_Enhanced_Robust_Generation_of_Ensembles.md) 292 | 14. `ARXIV` [A Closer Look at Accuracy vs. Robustness](./2020/A_Closer_Look_at_Accuracy_vs_Robustness.md) 293 | 15. `NeurIPS` [Energy-based Out-of-distribution Detection](./2020/Energy_based_Out_of_distribution_Detection.md) 294 | 16. `ARXIV` [Out-of-Distribution Generalization via Risk Extrapolation (REx)](./2020/Out_of_Distribution_Generalization_via_Risk_Extrapolation.md) 295 | 17. `CVPR` [Adversarial Examples Improve Image Recognition](./2020/Adversarial_Examples_Improve_Image_Recognition.md) 296 | 18. `ICML` [Confidence-Calibrated Adversarial Training: Generalizing to Unseen Attacks] :thumbsup: 297 | 19. `ICML` [Efficiently Learning Adversarially Robust Halfspaces with Noise] 298 | 20. `ICML` [Implicit Euler Skip Connections: Enhancing Adversarial Robustness via Numerical Stability] 299 | 21. `ICML` [Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning Stronger] 300 | 22. `ICML` [Learning Adversarially Robust Representations via Worst-Case Mutual Information Maximization] :thumbsup: 301 | 23. `ICML` [Overfitting in adversarially robust deep learning] :thumbsup: 302 | 24. `ICML` [Proper Network Interpretability Helps Adversarial Robustness in Classification] 303 | 25. `ICML` [Randomization matters How to defend against strong adversarial attacks] 304 | 26. `ICML` [Reliable Evaluation of Adversarial Robustness with an Ensemble of Diverse Parameter-free Attacks] 305 | 27. `ICML` [Towards Understanding the Regularization of Adversarial Robustness on Neural Networks] 306 | 28. `CVPR` [Defending Against Universal Attacks Through Selective Feature Regeneration] 307 | 29. `ARXIV` [Understanding and improving fast adversarial training] 308 | 30. `ARXIV` [Cat: Customized adversarial training for improved robustness] 309 | 31. 
`ICLR` [MMA Training: Direct Input Space Margin Maximization through Adversarial Training] 310 | 32. `ARXIV` [Bridging the performance gap between fgsm and pgd adversarial training] 311 | 33. `CVPR` [Adversarial Vertex Mixup: Toward Better Adversarially Robust Generalization] 312 | 34. `ARXIV` [Towards understanding fast adversarial training] 313 | 35. `ARXIV` [Overfitting in adversarially robust deep learning] 314 | 36. `ICLR` [Robust local features for improving the generalization of adversarial training] 315 | 37. `ICML` [Confidence-Calibrated Adversarial Training: Generalizing to Unseen Attacks] 316 | 38. `ARXIV` [Regularizers for single-step adversarial training] 317 | 39. `CVPR` [Single-step adversarial training with dropout scheduling] 318 | 40. `ICLR` [Improving Adversarial Robustness Requires Revisiting Misclassified Examples] 319 | 41. `ARXIV` [Fast is better than free: Revisiting adversarial training.] 320 | 42. `ARXIV` [On the Generalization Properties of Adversarial Training] 321 | 43. `ARXIV` [A closer look at accuracy vs. robustness] 322 | 44. `ICLR` [Adversarially robust transfer learning] 323 | 45. `ARXIV` [On Saliency Maps and Adversarial Robustness] 324 | 46. `ARXIV` [On Detecting Adversarial Inputs with Entropy of Saliency Maps] 325 | 47. `ARXIV` [Detecting Adversarial Perturbations with Saliency] 326 | 48. `ARXIV` [Detection Defense Against Adversarial Attacks with Saliency Map] 327 | 49. `ARXIV` [Model-based Saliency for the Detection of Adversarial Examples] 328 | 50. `CVPR` [Auxiliary Training: Towards Accurate and Robust Models] 329 | 51. `CVPR` [Single-step Adversarial training with Dropout Scheduling] 330 | 52. `CVPR` [Achieving Robustness in the Wild via Adversarial Mixing With Disentangled Representations] 331 | 53. `ICML` [Test-Time Training with Self-Supervision for Generalization under Distribution Shifts](https://yueatsprograms.github.io/ttt/home.html) 332 | 54. `NeurIPS` [Improving robustness against common corruptions by covariate shift adaptation] 333 | 55. `CCS` [Gotta Catch'Em All: Using Honeypots to Catch Adversarial Attacks on Neural Networks] 334 | 56. `ECCV` [A simple way to make neural networks robust against diverse image corruptions] 335 | 57. `CVPRW` [Role of Spatial Context in Adversarial Robustness for Object Detection] 336 | 58. `WACV` [Local Gradients Smoothing: Defense against localized adversarial attacks] 337 | 59. `NeurIPS` [Adversarial Weight Perturbation Helps Robust Generalization] 338 | 60. `MM` [DIPDefend: Deep Image Prior Driven Defense against Adversarial Examples] 339 | 61. `ECCV` [Adversarial Data Augmentation via `De`formation Statistics] 340 | 341 | 342 | ### 2021 343 | 1. `ARXIV` [On the Limitations of Denoising Strategies as Adversarial Defenses](./2021/On_the_Limitations_of_Denoising_Strategies_as_Adversarial_Defenses.md) 344 | 2. `AAAI` [Understanding catastrophic overfitting in single-step adversarial training] 345 | 3. `ICLR` [Bag of tricks for adversarial training] 346 | 4. `ARXIV` [Bridging the Gap Between Adversarial Robustness and Optimization Bias] 347 | 5. `ICLR` [Perceptual Adversarial Robustness: Defense Against Unseen Threat Models] 348 | 6. `AAAI` [Adversarial Robustness through Disentangled Representations] 349 | 7. `ARXIV` [Understanding Robustness of Transformers for Image Classification] 350 | 8. `CVPR` [Adversarial Robustness under Long-Tailed Distribution] 351 | 9. `ARXIV` [Adversarial Attacks are Reversible with Natural Supervision] 352 | 10. 
`AAAI` [Attribute-Guided Adversarial Training for Robustness to Natural Perturbations]
11. `ICLR` [LEARNING PERTURBATION SETS FOR ROBUST MACHINE LEARNING]
12. `ICLR` [Improving Adversarial Robustness via Channel-wise Activation Suppressing]
13. `AAAI` [Efficient Certification of Spatial Robustness]
14. `ARXIV` [Domain Invariant Adversarial Learning]
15. `ARXIV` [Learning Defense Transformers for Counterattacking Adversarial Examples]
16. `ICLR` [ONLINE ADVERSARIAL PURIFICATION BASED ON SELF-SUPERVISED LEARNING]
17. `ARXIV` [Removing Adversarial Noise in Class Activation Feature Space]
18. `ARXIV` [Improving Adversarial Robustness Using Proxy Distributions]
19. `ARXIV` [Decoder-free Robustness Disentanglement without (Additional) Supervision]
20. `ARXIV` [Fighting Gradients with Gradients: Dynamic Defenses against Adversarial Attacks]
21. `ARXIV` [Reversible Adversarial Attack based on Reversible Image Transformation]
22. `ICLR` [ONLINE ADVERSARIAL PURIFICATION BASED ON SELF-SUPERVISED LEARNING]
23. `ARXIV` [Towards Corruption-Agnostic Robust Domain Adaptation]
24. `ARXIV` [Adversarially Trained Models with Test-Time Covariate Shift Adaptation]
25. `ICLR workshop` [COVARIATE SHIFT ADAPTATION FOR ADVERSARIALLY ROBUST CLASSIFIER]
26. `ARXIV` [Self-Supervised Adversarial Example Detection by Disentangled Representation]
27. `AAAI` [Adversarial Defence by Diversified Simultaneous Training of Deep Ensembles]
28. `ARXIV` [Understanding Catastrophic Overfitting in Adversarial Training]
29. `ACM Trans. Multimedia Comput. Commun. Appl` [Towards Corruption-Agnostic Robust Domain Adaptation]
30. `ICLR` [TENT: FULLY TEST-TIME ADAPTATION BY ENTROPY MINIMIZATION]
31. `ARXIV` [Attacking Adversarial Attacks as A Defense]
32. `ICML` [Adversarial purification with Score-based generative models]
33. `ARXIV` [Adversarial Visual Robustness by Causal Intervention]
34. `CVPR` [MaxUp: Lightweight Adversarial Training With Data Augmentation Improves Neural Network Training]
35. `MM` [AdvFilter: Predictive Perturbation-aware Filtering against Adversarial Attack via Multi-domain Learning]
36. `CVPR` [Robust and Accurate Object Detection via Adversarial Learning]
37. `ARXIV` [Markpainting: Adversarial Machine Learning meets Inpainting]
38. `ICLR` [EFFICIENT CERTIFIED DEFENSES AGAINST PATCH ATTACKS ON IMAGE CLASSIFIERS]
39. `ARXIV` [Learning Defense Transformers for Counterattacking Adversarial Examples]
40. `ARXIV` [Towards Robust Vision Transformer]
41. `ARXIV` [Reveal of Vision Transformers Robustness against Adversarial Attacks]
42. `ARXIV` [Intriguing Properties of Vision Transformers]
43. `ARXIV` [Vision transformers are robust learners]
44. `ARXIV` [On Improving Adversarial Transferability of Vision Transformers]
45. `ARXIV` [On the adversarial robustness of visual transformers]
46. `ARXIV` [On the robustness of vision transformers to adversarial examples]
47. `ARXIV` [Understanding Robustness of Transformers for Image Classification]
48. `ARXIV` [Regional Adversarial Training for Better Robust Generalization]
49. `CCS` [DetectorGuard: Provably Securing Object Detectors against Localized Patch Hiding Attacks]
50. `ARXIV` [MODELLING ADVERSARIAL NOISE FOR ADVERSARIAL DEFENSE]
51. `ICCV` [Adversarial Example Detection Using Latent Neighborhood Graph]
52. `ARXIV` [Identification of Attack-Specific Signatures in Adversarial Examples]
53. `NeurIPS` [How Should Pre-Trained Language Models Be Fine-Tuned Towards Adversarial Robustness?]
54. `ARXIV` [Adversarial Robustness Comparison of Vision Transformer and MLP-Mixer to CNNs]
55. `ARXIV` [Learning Defense Transformers for Counterattacking Adversarial Examples]
56. `ADVM` [Detecting Adversarial Patch Attacks through Global-local Consistency]
57. `ICCV` [Can Shape Structure Features Improve Model Robustness under Diverse Adversarial Settings?]
58. `ICLR` [Undistillable: Making A Nasty Teacher That CANNOT teach students]
59. `ICCV` [Revisiting Adversarial Robustness Distillation: Robust Soft Labels Make Student Better]
60. `ARXIV` [Two Coupled Rejection Metrics Can Tell Adversarial Examples Apart]
61. `ARXIV` [Consistency Regularization for Adversarial Robustness]
62. `ICML` [CIFS: Improving Adversarial Robustness of CNNs via Channel-wise Importance-based Feature Selection]
63. `NeurIPS` [Adversarial Neuron Pruning Purifies Backdoored Deep Models]
64. `ICCV` [Towards Understanding the Generative Capability of Adversarially Robust Classifiers]
65. `NeurIPS` [Better Safe Than Sorry: Preventing Delusive Adversaries with Adversarial Training]
66. `NeurIPS` [Data Augmentation Can Improve Robustness]
67. `NeurIPS` [When does Contrastive Learning Preserve Adversarial Robustness from Pretraining to Finetuning?]

### 2022
1. `ARXIV` [$\alpha$ Weighted Federated Adversarial Training]
2. `AAAI` [Safe Distillation Box]
3. `USENIX` [Transferring Adversarial Robustness Through Robust Representation Matching]
4. `ARXIV` [Robustness and Accuracy Could Be Reconcilable by (Proper) Definition]
5. `ARXIV` [IMPROVING ADVERSARIAL DEFENSE WITH SELF SUPERVISED TEST-TIME FINE-TUNING]
6. `ARXIV` [Exploring Memorization in Adversarial Training]
7. `IJCV` [Open-Set Adversarial Defense with Clean-Adversarial Mutual Learning]
8. `ARXIV` [Adversarial Detection and Correction by Matching Prediction Distribution]
9. `ARXIV` [Enhancing Adversarial Training with Feature Separability]
10. `ARXIV` [An Eye for an Eye: Defending against Gradient-based Attacks with Gradients]

## 4th-Class
1. `ICCV 2017` [CVAE-GAN: Fine-Grained Image Generation Through Asymmetric Training](./2017/CVAE-GAN_Fine-Grained_Image_Generation_Through_Asymmetric_Training.md)
2. `ICML 2016` [Autoencoding beyond pixels using a learned similarity metric](./2016/Autoencoding_beyond_pixels_using_a_learned_similarity_metric.md)
3. `ARXIV 2019` [Natural Adversarial Examples](./2019/Natural_Adversarial_Examples.md)
4. `ICML 2017` [Conditional Image Synthesis with Auxiliary Classifier GANs](./2017/Conditional_Image_Synthesis_with_Auxiliary_Classifier_GANs.md)
5. `ICCV 2019` [SinGAN: Learning a Generative Model From a Single Natural Image](./2019/SinGAN_Learning_a_Generative_Model_From_a_Single_Natural_Image.md)
6. `ICLR 2020` [Robust And Interpretable Blind Image Denoising Via Bias-Free Convolutional Neural Networks](./2020/Robust_And_Interpretable_Blind_Image_Denoising_Via_Bias_Free_Convolutional_Neural_Networks.md)
7. `ICLR 2020` [Pay Attention to Features, Transfer Learn Faster CNNs](./2020/Pay_Attention_to_Features_Transfer_Learn_Faster_CNNs.md)
8. `ICLR 2020` [On Robustness of Neural Ordinary Differential Equations](./2020/On_Robustness_of_Neural_Ordinary_Differential_Equations.md)
9. `ICCV 2019` [Real Image Denoising With Feature Attention](./2019/Real_Image_Denoising_With_Feature_Attention.md)
10. `ICLR 2018` [Multi-Scale Dense Networks for Resource Efficient Image Classification](./2018/Multi_Scale_Dense_Networks_for_Resource_Efficient_Image_Classification.md)
11. `ARXIV 2019` [Rethinking Data Augmentation: Self-Supervision and Self-Distillation](./2019/Rethinking_Data_Augmentation_Self_Supervision_and_Self_Distillation.md)
12. `ICCV 2019` [Be Your Own Teacher: Improve the Performance of Convolutional Neural Networks via Self Distillation](./2019/Be_Your_Own_Teacher_Improve%20the_Performance_of_Convolutional_Neural_Networks_via_Self_Distillation.md)
13. `ARXIV 2019` [Adversarially Robust Distillation](./2019/Adversarially_Robust_Distillation.md)
14. `ARXIV 2019` [Knowledge Distillation from Internal Representations](./2019/Knowledge_Distillation_from_Internal_Representations.md)
15. `ICLR 2020` [Contrastive Representation Distillation](./2020/Contrastive_Representation_Distillation.md) :thought_balloon:
16. `NIPS 2018` [Faster Neural Networks Straight from JPEG](./2018/Faster_Neural_Networks_Straight_from_JPEG.md)
17. `ARXIV 2019` [A Closer Look at Double Backpropagation](./2019/A_Closer_Look_at_Double_Backpropagation.md) :thought_balloon:
18. `CVPR 2016` [Learning Deep Features for Discriminative Localization](./2016/Learning_Deep_Features_for_Discriminative_Localization.md)
19. `ICML 2019` [Noise2Self: Blind Denoising by Self-Supervision](./2019/Noise2Self_Blind_Denoising_by_Self_Supervision.md)
20. `ARXIV 2020` [Supervised Contrastive Learning](./2020/Supervised_Contrastive_Learning.md)
21. `CVPR 2020` [High-Frequency Component Helps Explain the Generalization of Convolutional Neural Networks](./2020/High_Frequency_Component_Helps_Explain_the_Generalization_of_Convolutional_Neural_Networks.md)
22. `NIPS 2017` [Counterfactual Fairness]
23. `ARXIV 2020` [An Adversarial Approach for Explaining the Predictions of Deep Neural Networks]
24. `CVPR 2014` [Rich feature hierarchies for accurate object detection and semantic segmentation]
25. `ICLR 2018` [Spectral Normalization for Generative Adversarial Networks]
26. `NIPS 2018` [MetaGAN: An Adversarial Approach to Few-Shot Learning]
27. `ARXIV 2019` [Breaking the cycle -- Colleagues are all you need]
28. `ARXIV 2019` [LOGAN: Latent Optimisation for Generative Adversarial Networks]
29. `ICML 2020` [Margin-aware Adversarial Domain Adaptation with Optimal Transport]
30. `ICML 2020` [Representation Learning Using Adversarially-Contrastive Optimal Transport]
31. `ICLR 2021` [Free Lunch for Few-shot Learning: Distribution Calibration]
32. `CVPR 2019` [Unprocessing Images for Learned Raw Denoising]
33. `TPAMI 2020` [Image Quality Assessment: Unifying Structure and Texture Similarity]
34. `CVPR 2020` [Dreaming to Distill: Data-free Knowledge Transfer via DeepInversion]
35. `ICLR 2021` [WHAT SHOULD NOT BE CONTRASTIVE IN CONTRASTIVE LEARNING]
36. `ARXIV` [MT3: Meta Test-Time Training for Self-Supervised Test-Time Adaption]
37. `ARXIV` [UNSUPERVISED DOMAIN ADAPTATION THROUGH SELF-SUPERVISION]
38. `ARXIV` [Estimating Example Difficulty using Variance of Gradients]
39. `ICML 2020` [Transfer Learning without Knowing: Reprogramming Black-box Machine Learning Models with Scarce Data and Limited Resources]
40. `ARXIV` [DATASET DISTILLATION]
41. `ARXIV 2022` [Debugging Differential Privacy: A Case Study for Privacy Auditing]
42. `ARXIV` [Adversarial Robustness and Catastrophic Forgetting]

## Links
- [Adversarial Machine Learning Reading List](https://nicholas.carlini.com/writing/2018/adversarial-machine-learning-reading-list.html) by [Nicholas Carlini](https://nicholas.carlini.com)
- [A Complete List of All (arXiv) Adversarial Example Papers](https://nicholas.carlini.com/writing/2019/all-adversarial-example-papers.html) by [Nicholas Carlini](https://nicholas.carlini.com) **Stay Tuned**

--------------------------------------------------------------------------------
/asset/template.md:
--------------------------------------------------------------------------------

## Summary
## Motivation
## Method(s)
## Evaluation
## Conclusion
## Related work

```
# Title
Paper title
## Summary
Fill this in last, once the notes are finished: it summarizes the paper so that future readings can start from this paragraph. Note: write the summary in your own words after thinking the paper through; never just Ctrl + C the original text.
## Research Objective (optional)
The authors' research goal.
## Problem Statement
What problem needs to be solved?
## Method(s)
What method/algorithm do the authors use to solve the problem? Does it build on earlier work?
## Evaluation
How do the authors evaluate their method, what is the experimental setup, and are there issues or ideas worth borrowing?
## Conclusion
What conclusions do the authors draw, and which are strong conclusions versus weak ones?
## Notes (optional)
Anything that does not fit this framework but is still worth recording.
## Reference (optional)
List the most relevant references so they can be tracked down later.
```

## Example
![](https://pic4.zhimg.com/80/v2-656b65c906c28f9f6ea6fa9ed7521933_720w.jpg)
--------------------------------------------------------------------------------
/pics/:
--------------------------------------------------------------------------------
48 binary image assets (algorithm, equation, figure, and table images), each available at
https://raw.githubusercontent.com/tao-bai/attack-and-defense-methods/b7e174896b46de9b3740198c712cc8e6169e759b/pics/<filename>:
algo1_2019arXiv191205699C.png, algo1_DongLPS0HL18.png, algo1_PrakashMGDS18.png, algo1_Rony_2019_CVPR.png, algo1_Xie_2020_CVPR.png, algo1_ZhangSGCBM19.png, algo1_Zhong_2019_ICCV.png, algo1_chan2020jacobian.png,
eqn10_Zhong_2019_ICCV.png, eqn1_NIPS2019_8339.png, eqn3_2020arXiv200411362K.png, eqn3_Zhong_2019_ICCV.png, eqn3_pmlr-v97-zhang19p.png, eqn4_yang2020dverge.png, eqn5_gu2014towards.png, eqn6_abs-1711-00117.png, eqn6_gu2014towards.png, eqn7_song2020robust.png, eqn8_wang2020improving.png, eqn9_song2020robust.png,
fig1_Gupta_2019_ICCV.png, fig1_MetzenGFB17.png, fig1_NIPS2019_8339.png, fig1_abs-1910-03723.png, fig1_chan2020jacobian.png, fig1_song2020robust.png, fig1_wang2020improving.png, fig2_2019arXiv191205699C.png, fig2_AkhtarLM18.png, fig2_NIPS2019_8339.png, fig2_Naseer_2020_CVPR.png, fig2_ZhangSGCBM19.png, fig2_abs-1711-00117.png, fig2_anwar_2009_iccv.png, fig2_ijcai2019-134.png, fig3_Xie_2020_CVPR.png, fig4_2020arXiv200302460Y.png, fig4_onepixel.png, fig5_li2020wavelet.png, fig9_8423654.png,
tab1_ijcai2019-134.png, tab1_jin2020manifold.png, tab1_wang2020improving.png, tab2_10114532437343243855.png, tab4_yang2020dverge.png, tab5_yang2020dverge.png,
text_DongLPS0HL18.png, xiewzzxy17_algo1.png
--------------------------------------------------------------------------------