Computer Vision News - May 2018
Adversarial Attacks on Deep Learning

The second type of attack is known as a Targeted Attack. Again, we want to create an image that the network will label as a “1”, but in this case we don’t want the image to look like noise to the human eye; instead, it should look like an altogether different digit. As before, the basic code is Code 2 seen above. However, this time Adversarial(loss) is defined as:

= 1 2 − ( 2 2 + − 2 2

is the target image we want our image to resemble to the human eye. In this case the loss function doesn’t only measure similarity to the goal image we are trying to mimic for the DNN to get its label; it also includes a term representing similarity to the target image we are trying to resemble to the human eye.

For this example we again started from a random image as before (on the left). We chose a target image corresponding to the label “8”, and set the adversarial goal to “1” as before. On the right you see the target image produced by the network running Code 2, which definitely looks like an 8 with some noise to our human eyes. But note, the DNN, again, labels it as a “1”.

[Figure: input image (left); adversarial “1” image (right)]

And this is just the simplest example. Today there are a number of pre-programmed toolboxes that allow the execution of such attacks on a network. Using these libraries you can gauge your network’s robustness. One such library included as part of TensorFlow is called cleverhans. However, today we’ll focus on a new software package from IBM, unveiled last week at the RSA Conference: the Adversarial Robustness Toolbox. The toolbox is
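The two-term loss described above, as an added example that is not the article's Code 2: gradient descent on the input alone, run against a constructed two-class sigmoid layer so it executes offline. The toy model, the 8x8 "images", the weight `lam` and the squared-L2 form of both terms are assumptions made for this sketch.

```python
import math
import random

# Constructed toy setup (assumption, not the article's network or data):
# 8x8 "images" flattened to 64 pixels and a fixed two-class sigmoid layer.
N = 64
X_TARGET = [0.9 if i % 8 in (3, 4) else 0.1 for i in range(N)]       # vertical bar
W1 = [1.0 if (i // 8 + i % 8) % 2 == 0 else -1.0 for i in range(N)]  # checkerboard
WEIGHTS = [[-w for w in W1], W1]   # one weight row per class
BIASES = [2.0, -2.0]
GOAL = 1                           # label we want the model to output

def forward(x):
    """Per-class sigmoid outputs of the toy model."""
    return [1.0 / (1.0 + math.exp(-(sum(w * v for w, v in zip(row, x)) + b)))
            for row, b in zip(WEIGHTS, BIASES)]

def predict(x):
    out = forward(x)
    return out.index(max(out))

def loss_and_grad(x, y_goal, x_target, lam):
    """0.5*||y_goal - model(x)||^2 + lam*||x - x_target||^2 and its gradient in x."""
    out = forward(x)
    # Error signal per output unit; the sigmoid derivative is out*(1-out).
    delta = [(o - y) * o * (1.0 - o) for o, y in zip(out, y_goal)]
    diff = [a - b for a, b in zip(x, x_target)]
    loss = (0.5 * sum((y - o) ** 2 for y, o in zip(y_goal, out))
            + lam * sum(d * d for d in diff))
    grad = [sum(delta[k] * WEIGHTS[k][i] for k in range(len(delta)))
            + 2.0 * lam * diff[i] for i in range(len(x))]
    return loss, grad

def targeted_attack(lam=0.2, lr=0.05, steps=1000, seed=0):
    """Gradient descent on the input only; the model weights never change."""
    rng = random.Random(seed)
    x = [rng.random() for _ in range(N)]   # random start image
    y_goal = [1.0 if k == GOAL else 0.0 for k in range(len(BIASES))]
    for _ in range(steps):
        _, grad = loss_and_grad(x, y_goal, X_TARGET, lam)
        x = [v - lr * g for v, g in zip(x, grad)]
    return x

def max_pixel_change(x, ref=X_TARGET):
    return max(abs(a - b) for a, b in zip(x, ref))

if __name__ == "__main__":
    adv = targeted_attack()
    print("target label:", predict(X_TARGET), "adversarial label:", predict(adv),
          "largest pixel difference:", round(max_pixel_change(adv), 4))
```

Raising `lam` pulls the result closer to `X_TARGET` and lowers the model's confidence in the goal label.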