Youtube: https://www.youtube.com/watch?v=BIpz4n0RWO4 State-of-the-art deep neural network classifiers are highly vulnerable to adversarial examples which are designed to mislead classifiers with a very small perturbation. However, the performance of black-box attacks (without knowledge of the model parameters) against deployed models always degrades significantly. In this paper, We propose a novel way of perturbations for adversarial examples to enable black-box transfer. We first show that maximizing distance between natural images and their adversarial examples in the intermediate feature maps can improve both white-box attacks (with knowledge of the model parameters) and black-box attacks. We also show that smooth regularization on adversarial perturbations enables transferring across models. Extensive experimental results show that our approach outperforms state-of-the-art methods both in white-box and black-box attacks. Tencent Blade Team was founded by Tencent Security Platform Department, focusing in security researches of AI, mobile Internet, IoT, wireless devices and other cutting-edge technologies. So far, Tencent Blade Team has reported many security vulnerabilities to a large number of international manufacturers, including Google and Apple. In the future, Tencent Blade Team will continue to make the Internet a safer place for everyone.

2. Transferable
Adversarial Perturbations
Bruce HOU 1
Wen ZHOU 1
Yongjun CHEN
Mengyun TANG

3. Bruce HOU Wen ZHOU
Yongjun CHEN Mengyun TANG

4. Team Honors
NIPS 2017 Competition：
Non-targeted Adversarial Attack ranking: 6/91
Defense Against Adversarial Attack ranking: 8/108
Publication:
Transferable Adversarial Perturbations: European
Conference on Computer Vision (ECCV 2018)

5. Transferable Perturbations
Transferability:
Maximizing the distance in the intermediate feature
maps
Robustness:
Introducing smooth regularization on adversarial
perturbations

7. Non-targeted Adversarial Attack
)),~(
||)),~((),((||
),~((maxarg),,,~(maxarg~
2
||~||||~||







i
si
Dd
xx
s
xx
wxxabsR
dxLTdxLT
txlwtxxJx
pp




|),~(|)),~(()),~(( dxLdxLsigndxLT 
3,5.0,16  s

8. )),~(
||)),~((),((||
),~((maxarg),,,~(maxarg~
2
||~||||~||







i
si
Dd
xx
s
xx
wxxabsR
dxLTdxLT
txlwtxxJx
pp



and

9. Optimization
initialize:
while i < k do:
end while
return
,0,/,~
0  ikxx 
)11)~((~ ,,-xx-signxclipx k 
)11))~((~(~
1 ,,, x, t,wxJsignεxclipx sixii 

10. VGG16 InceptionV3 InceptionV4
Inception
ResNet-V2
ResNet-V2 Ensemble
No perturbation 86.8% 96.4% 97.6% 100% 89.6% 99.8%
Random noise 81.3% 91.7% 94.6% 97.8% 84.5% 98.1%
VGG16-TAP
VGG16-FGSM
VGG16-IFGSM
VGG16-UAP
3.2%
3.7%
4.0%
12.4%
23.9%
34.9%
24.2%
31.2%
28.1%
44.0%
24.5%
32.8%
32.3%
50.0%
28.5%
46.9%
23.9%
34.7%
23.9%
33.2%
26.7%
46.4%
22.7%
43.7%
Inception-V3-TAP
Inception-V3-FGSM
Inception-V3-IFGSM
Inception-V3-UAP
Inception-V3-MI-FGSM
Inception-V3-CW
29.4%
57.7%
66.0%
39.8%
45.9%
84.9%
0.00%
26.9%
0.01%
52.2%
0.1%
24.5%
22.1%
70.2%
67.7%
56.4%
47.3%
93.5%
24.7%
72.9%
70.2%
63.1%
50.7%
98.6%
46.9%
65.7%
76.8%
50.5%
61.8%
86.9%
30.8%
75.4%
73.6%
64.6%
62.5%
96.9%
Transferability in terms of recognition accuracies
Test dataset can be download at
https://github.com/tensorflow/cleverhans/tree/master/examples/nips17 adversarial competition/dataset

11. VGG16 InceptionV3 InceptionV4
Inception
ResNet-V2
ResNet-V2 Ensemble
No perturbation 86.8% 96.4% 97.6% 100% 89.6% 99.8%
Inc-ResV2-TAP
Inc-ResV2-FGSM
Inc-ResV2-IFGSM
Inc-ResV2-MI-FGSM
Inc-ResV2-CW
37.0%
59.4%
48.9%
38.8%
83.4%
25.9%
69.0%
41.5%
25.3%
91.7%
33.2%
76.5%
51.5%
33.2%
92.4%
4.8%
57.2%
1.2%
0.1%
49.0%
53.3%
71.7%
60.4%
51.6%
85.6%
48.2%
78.7%
54.5%
46.3%
93.5%
ResNet-V2-TAP
ResNet-V2-FGSM
ResNet-V2-IFGSM
ResNet-V2-MI-FGSM
ResNet-V2-CW
31.8%
37.3%
44.8%
46.3%
84.0%
48.2%
56.3%
53.2%
45.2%
94.5%
55.7%
64.8%
62.0%
51.6%
96.4%
55.5%
66.8%
63.8%
55.2%
99.5%
7.6%
14.6%
4.4%
24.1%
37.7%
47.4%
63.3%
54.3%
56.2%
98.5%
ResNet-V1-TAP
ResNet-V1-UAP
ResNet-V1-MI-FGSM
ResNet-V1-CW
20.2%
35.3%
65.3%
86.9%
38.1%
41.6%
74.3%
96.0%
48.7%
50.2%
78.7%
97.5%
49.1%
57.8%
82.0%
99.9%
25.3%
40.3%
71.3%
89.4 %
44.4%
56.8%
86.8%
99.6%
Transferability in terms of recognition accuracies

12. Robustness to adversarially trained models
adv-v3 adv-res-v2 ens3-inc-v3 ens4-inc-v3
VGG16-TAP
VGG16-FGSM
VGG16-IFGSM
VGG16-UAP
38.8%
50.9%
57.3%
39.4%
63.8%
71.1%
73.6%
57.3%
41.9%
56.1%
53.5%
47.4%
47.3%
58.5%
55.4%
43.9%
Inc-V3-TAP
Inc-V3-FGSM
Inc-V3-IFGSM
Inc-V3-UAP
Inc-V3-MI-FGSM
Inc-V3-CW
52.8%
72.1%
82.4%
65.5%
74.3%
93.0%
68.8%
93.6%
93.9%
82.4%
90.6%
96.4%
60.9%
85.1%
88.2%
77.0%
80.7%
92.3%
59.8%
86.4%
88.5%
76.9%
82.0%
90.0 %

13. Robustness to adversarially trained models
adv-v3 adv-res-v2 ens3-inc-v3 ens4-inc-v3
Inc-ResV2-TAP
Inc-ResV2-FGSM
Inc-ResV2-IFGSM
Inc-ResV2-MI-FGSM
Inc-ResV2-CW
60.5%
73.9%
70.8%
66.9%
91.8%
87.8%
92.7%
92.9%
83.6%
94.9%
79.1%
86.9%
84.8%
71.8%
91.9%
82.1%
87.3%
86.9%
73.4%
89.3%
ResNet-V2-TAP
ResNet-V2-FGSM
ResNet-V2-IFGSM
ResNet-V2-MI-FGSM
ResNet-V2-CW
49.2%
62.1%
64.7%
71.1%
94.0%
64.1%
85.7%
82.6%
86.6%
96.3%
57.8%
77.4%
72.3%
76.9%
92.8%
56.0%
77.8%
74.7%
77.9%
90.5%
ResNet-V1-TAP
ResNet-V1-UAP
ResNet-V1-MI-FGSM
ResNet-V1-CW
50.2%
60.4%
84.5%
95.0%
64.4%
77.9%
93.4%
97.5%
55.5%
68.8%
90.3%
94.2%
57.7%
66.1%
90.2 %
91.8%

14. Defense Against Adversarial Attack
),~(),(||),~(),(|| 2
yxlyxldxLdxLLoss
Dd
 

conv
conv
fn
conv
conv
conv
fnconv


Dd
adv dxLdxL 2
||),(),(||
l(x,y)l(xadv,y)
Loss

15. Takeaways
ATTACK
Maximizing the distance of feature maps.
Adding a smooth regularization.
DEFENSE
Minimizing the distance of feature maps.

16. THANK YOU

17. References
FGSM:
Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples.
International conference on learning representations (2015)
IFGSM:
Kurakin, A., Goodfellow, I.J., Bengio, S.: Adversarial machine learning at scale. arXiv:
Computer Vision and Pattern Recognition (2016)
UAP:
Moosavi-Dezfooli, S.M., Fawzi, A., Fawzi, O., Frossard, P.: Universal adversarial
perturbations. arXiv preprint arXiv:1610.08401 (2016)
C&W:
Carlini, N., Wagner, D.: Towards evaluating the robustness of neural networks. arXiv
preprint arXiv:1608.04644 (2016)
MI-FGSM:
Dong, Y., Liao, F., Pang, T., Su, H., Zhu, J., Hu, X., Li, J.: Boosting adversarial attacks
with momentum. In: The IEEE Conference on Computer Vision and Pattern Recognition
(CVPR). (June 2018)