Synthesizing Robust Adversarial Examples
This work addresses the vulnerability of neural network classifiers in physical systems, showing that adversarial attacks can be robust to natural transformations, which is a critical security concern for real-world AI applications.
The authors tackled the problem of generating adversarial examples that remain effective under real-world transformations like viewpoint shifts and noise, and they demonstrated the existence of robust 3D adversarial objects by synthesizing and 3D-printing physical examples.
Standard methods for generating adversarial examples for neural networks do not consistently fool neural network classifiers in the physical world due to a combination of viewpoint shifts, camera noise, and other natural transformations, limiting their relevance to real-world systems. We demonstrate the existence of robust 3D adversarial objects, and we present the first algorithm for synthesizing examples that are adversarial over a chosen distribution of transformations. We synthesize two-dimensional adversarial images that are robust to noise, distortion, and affine transformation. We apply our algorithm to complex three-dimensional objects, using 3D-printing to manufacture the first physical adversarial objects. Our results demonstrate the existence of 3D adversarial objects in the physical world.