With the impressive success and extensive use of machine learning models in various security-sensitive applications, it has become crucial to study vulnerabilities in these systems. Dalvi et al. (2004)
show that adversarial manipulations of input data often result in incorrect predictions from classifiers. This raises serious concerns regarding the security and integrity of existing machine learning algorithms, especially when even state-of-the-art models including deep neural networks have been shown to be highly vulnerable to adversarial attacks with intentionally worst-case perturbations to the input(Szegedy et al., 2014; Goodfellow et al., 2015; Kurakin et al., 2016; Papernot et al., 2016b; Kurakin et al., 2017). These adversaries are generated effectively with access to the gradients of target models, resulting in much higher successful attack rates than data perturbed by random noise of even larger magnitude. Further, training models by including such adversaries can provide machine learning models with additional regularization benefits (Goodfellow et al., 2015).
Although these adversarial examples expose “blind spots” in machine learning models, they are unnatural, i.e. these worst-case perturbed instances are not ones the classifier is likely to face when deployed. Due to this, it is difficult to gain helpful insights into the fundamental decision behavior inside the black-box classifier: why is the decision different for the adversary, what can we change in order to prevent this behavior, and is the classifier robust to natural variations in the data when not in an adversarial scenario? Moreover, there is often a mismatch between the input space and the semantic space that we can understand. Changes to the input we may not think meaningful, like slight rotation or translation in images, often lead to substantial differences in the input instance. For example, Pei et al. (2017) show that minimal changes in the lighting conditions can fool automated-driving systems, a behavior adversarial examples are unable to discover. Due to the unnatural perturbations, these approaches cannot be applied to complex domains such as language, in which enforcing grammar and semantic similarity is difficult when perturbing instances. Therefore, existing approaches that find adversarial examples for text often result in ungrammatical sentences, as in the examples generated by Li et al. (2016), or require manual intervention, as in Jia & Liang (2017).
In this paper, we introduce a framework to generate natural adversarial examples, i.e. instances that are meaningfully similar, valid/legible, and helpful for interpretation. The primary intuition behind our proposed approach is to perform the search for adversaries in a dense and continuous representation of the data instead of searching in the input data space directly. We use generative adversarial networks (GANs) (Goodfellow et al., 2014)
to learn a projection to map normally distributed fixed-length vectors to data instances. Given an input instance, we search for adversaries in the neighborhood of its corresponding representation in latent space by sampling within a range that is recursively tightened. Figure1
provides an example of adversaries for digit recognition. Given a multi-layer perceptron (MLP) for MNIST and an image from test data (Figure0(a)), our approach generates a natural adversarial example (Figure 0(e)) which is classified incorrectly as “2” by the classifier. Compared to the adversary generated by the existing Fast Gradient Sign Method (FGSM) (Goodfellow et al., 2015) that adds gradient-based noise (Figures 0(c) and 0(b)), our adversary (Figure 0(e)) looks like a hand-written digit similar to the original input. Further, the difference (Figure 0(d)) provides some insight into the classifier’s behavior, such as the fact that slightly thickening (blue) the bottom stroke and thinning (red) the one above it, fools the classifier.
We apply our approach to both image and text domains, and generate adversaries that are more natural and grammatical, semantically close to the input, and helpful to interpret the local behavior of black-box models. We present examples of natural adversaries for image classification, textual entailment, and machine translation. Experiments and human evaluation also demonstrate that our approach can help evaluate the robustness of black-box classifiers, even without labeled training data.
2 Framework for Generating Natural Adversaries
In this section, we describe the problem setup and details of our framework for generating natural adversarial examples of both continuous images and discrete text data. Given a black-box classifier and a corpus of unlabeled data , the goal here is to generate adversarial example for a given data instance that results in a different prediction, i.e. . In general, the instance may not be in , but comes from the same underlying distribution , which is the distribution we want to generate from as well. We want to be the nearest such instance to in terms of the manifold that defines the data distribution , instead of in the original data representation.
Unlike other existing approaches that search directly in the input space for adversaries, we propose to search in a corresponding dense representation of space. In other words, instead of finding the adversarial directly, we find the adversarial in an underlying dense vector space which defines the distribution , and then map it back to with the help of a generative model. By searching for samples in the latent low-dimensional space and mapping them to space to identify the adversaries, we encourage these adversaries to be valid (legible for images, and grammatical for sentences) and semantically close to the original input.
Background: Generative Adversarial Networks To tackle the problem described above, we need powerful generative models to learn a mapping from the latent low-dimensional representation to the distribution
, which we estimate using samples in. GANs are a class of such generative models that can be trained via procedures of minimax game between two competing networks (Goodfellow et al., 2014): given a large amount of unlabeled instances as training data, the generator learns to map some noise with distribution to synthetic data that is as close to the training data as possible; on the other hand, the critic is trained to discriminate the output of the generator from real data samples from . The original objective function of GANs has been found to be hard to optimize in practice, for reasons theoretically investigated in Arjovsky & Bottou (2017). Arjovsky et al. (2017) refine the objective with Wasserstein-1 distance as:
Wasserstein GAN achieves improvement in the stability of learning and provides useful learning curves. A number of further improvements to the GAN framework have been introduced (Salimans et al., 2016; Arjovsky & Bottou, 2017; Gulrajani et al., 2017; Rosca et al., 2017) that we discuss in Section 6. We incorporate the structure of WGAN and relevant improvements as a part of our framework for generating natural examples close to the training data distribution, as we describe next.
Natural Adversaries In order to represent natural instances of the domain, we first train a WGAN on corpus , which provides a generator that maps random dense vectors to samples from the domain of . We separately train a matching inverter to map data instances to corresponding dense representations. As in Figure 2, we minimize the reconstruction error of , and the divergence between sampled and to encourage the latent space to be normally distributed:
Using these learned functions, we define the natural adversarial example as the following:
Instead of , we perturb its dense representation , and use the generator to test whether a perturbation fools the classifier by querying with . Figure 3 shows our generation process. A synthetic example is included for further intuition in Appendix A. As for the divergence , we use distance with for images and Jensen-Shannon distance with for text data.
Search Algorithms We propose two approaches to identify the adversary (pseudocode in Appendix B), both of which utilize the inverter to obtain the latent vector of , and feed perturbations in the neighborhood of to the generator to generate natural samples . In iterative stochastic search (Algorithm 1), we incrementally increase the search range (by ) within which the perturbations are randomly sampled ( samples for each iteration), until we have generated samples that change the prediction. Among these samples , we choose the one which has the closest to the original as an adversarial example . To improve the efficiency beyond this naive search, we propose a coarse-to-fine strategy we call hybrid shrinking search (Algorithm 2). We first search for adversaries in a wide search range, and recursively tighten the upper bound of the search range with denser sampling in bisections. Extra iterative search steps are taken to further tighten the upper bound of the optimal . With the hybrid shrinking search in Algorithm 2, we observe a 4 speedup while achieving similar results as Algorithm 1. Both these search algorithms are sample-based and applicable to black-box classifiers with no need of access to their gradients. Further, they are guaranteed to find an adversary, i.e. one that upper bounds the optimal adversary.
3 Illustrative Examples
We demonstrate the potential of our approach (Algorithm 1) in generating informative, legible, and natural adversaries by applying it to a number of classifiers for both visual and textual domains.
3.1 Generating Image Adversaries
Image classification has been a focus for adversarial example generation due to the recent successes in computer vision. We apply our approach to two standard datasets, MNIST and LSUN, and present generated natural adversaries. We useand with model details in Appendix C.
Handwritten Digits Scans of human-written text provide an intuitive definition of what is natural, i.e. do the generated images look like something a person would write? In other words, how would a human change a digit in order to fool a classifier? We train a WGAN with on 60,000 MNIST images following similar procedures as in Gulrajani et al. (2017), with the generator consisting of transposed convolutional layers and the critic consisting of convolutional layers. We include the inverter with fully connected layers on top of the critic’s last hidden layer. We train two target classifiers to generate adversaries against: Random Forests (RF) with 5 trees (test accuracy 90.45%), and LeNet, as trained in LeCun et al. (1998) (test accuracy 98.71%). We treat both these classifiers as black-boxes, and present the generated adversaries in Table 1 with examples of each digit (from test instances that the GAN or classifiers never observed). Adversaries generated by FGSM look like the original digits eroded by uninterpretable noise (these may not be representative of the approach, as changing for the method results in substantially different results). Our natural adversaries against both classifiers are quite similar to the original inputs in overall style and shape, yet provide informative insights into classifiers’ decision behavior around the input. Take the digit “5” as an example: dimming the vertical stroke can fool LeNet into predicting “3”. Further we observe that adversaries against RF often look closer to the original images in overall shape than those against LeNet. Although generating as impressive natural adversaries against more accurate LeNet is difficult, it implies that compared to RF, LeNet requires more substantial changes to the inputs to be fooled; in other words, RF is less robust than LeNet in classification. We will return to this observation later.
Church vs Tower We apply our approach to outdoor, color images of higher resolution. We choose the category of “Church Outdoor” in LSUN dataset (Yu et al., 2015), randomly sample the same amount of 126,227 images from the category of “Tower”, and resize them to resolution of 6464. The training procedure is similar to MNIST, except that the generator and critic in WGAN are deep residual networks (He et al., 2016) and . We train an MLP classifier on these two classes with test accuracy of 71.3%. Table 2 presents original images for both classes and corresponding adversarial examples. From looking at these pairs, we can observe that the generated adversaries make changes that are natural for this domain. For example, to change the classifier’s prediction from “Church” to “Tower”, the adversaries sharpen the roof, narrow the buildings, or change a tree into a tower. We can observe similar behavior in the other direction: the image with the Eiffel Tower is changed to a “church” by converting a woman into a building, and narrowing the tower.
3.2 Generating Text Adversaries
Generating grammatical and linguistically coherent adversarial sentences is a challenging task due to the discrete nature of text: adding imperceptible noise is impossible, and most actual changes to may not result in grammatical text. Prior approaches on generating textual adversaries (Li et al., 2016; Alvarez-Melis & Jaakkola, 2017; Jia & Liang, 2017) perform word erasures and replacements directly on text input space
, using domain-specific rule based or heuristic based approaches, or require manual intervention. Our approach, on the other hand, performs perturbations in the continuous space, that has been trained to produce semantically and syntactically coherent sentences automatically.
We use the adversarially regularized autoencoder (ARAE)(Zhao et al., 2017) for encoding discrete text into continuous codes. ARAE model encodes a sentence with an LSTM encoder into continuous code and then performs adversarial training on these codes to capture the data distribution. We introduce an inverter that maps these continuous codes into the Gaussian space of
. We use a 4-layer strided CNN for the encoder as it yields more coherent sentences than LSTMs from the ARAE model, however LSTM works well as the decoder. We train two MLP models for the generator and the inverter, to learn mappings between noise and continuous codes. We train our framework on the Stanford Natural Language Inference (SNLI)(Bowman et al., 2015) data of 570k labeled human-written English sentence pairs with the same preprocessing as Zhao et al. (2017), using = 0.01 and = 100. We present details of the architecture and sample perturbations in Appendix D.
|Original||The man wearing blue jean shorts is grilling.||Contradiction|
|The man is walking his dog.|
|Embedding||The man is walking by the dog.||Contradiction Entailment|
|LSTM||The person is walking a dog.||Contradiction Entailment|
|TreeLSTM||A man is winning a race.||Contradiction Neutral|
Textual Entailment Textual Entailment (TE) is a task designed to evaluate common-sense reasoning for language, requiring both natural language understanding and logical inferences for text snippets. In this task, we classify a pair of sentences, a premise and a hypothesis, into three categories depending on whether the hypothesis is entailed by the premise, contradicts the premise, or is neutral to it. For instance, the sentence “There are children present” is entailed by the sentence “Children smiling and waving at camera”, while the sentence “The kids are frowning” contradicts it. We use our approach to generate adversaries by perturbing the hypothesis to deceive classifiers, keeping the premise unchanged. We train three classifiers of varying complexity, namely, an embedding classifier that is a single layer on top of the average word embeddings, an LSTM based model consisting of a single layer on top of the sentence representations, and TreeLSTM (Chen et al., 2017) that uses a hierarchical LSTM on the parses and is a top-performing classifier for this task. A few examples comparing the three classifiers are shown in Table 3 (more examples in Appendix D.1). Although all classifiers correctly predict the label, as the classifiers get more accurate (from embedding to LSTM to TreeLSTM), they require much more substantial changes to the sentences to be fooled.
Machine translation We consider machine translation not only because it is one of the most successful applications of neural approaches to NLP, but also since most practical translation systems lie behind black-box access APIs. The notion of adversary, however, is not so clear here as the output of a translation system is not a class. Instead, we define adversary for machine translation relative to a probing function that tests the translation for certain properties, ones that may lead to linguistic insights into the languages, or detect potential vulnerabilities. We use the same generator and inverter as in entailment, and find such “adversaries” via API access to the currently deployed Google Translate model (as of October 15, 2017) from English to German.
First, let us consider the scenario in which we want to generate adversarial English sentences such that a specific German word is introduced into the German translation. The probing function here would test the translation for the presence of that word, and we would have found an adversary (an English sentence) if the probing function passes for a translation. We provide an example of such a probing function that introduces the word “stehen” (“stand” in English) to the translation in Table 4 (more examples in Appendix D.2). Since the translation system is quite strong, such adversaries are not surfacing the vulnerabilities of the model, but instead can be used as a tool to understand or learn different languages (in this example, help a German speaker learn English).
|Source Sentence (English)||Generated Translation (German)|
|A man and woman sitting on the sidewalk.||Ein Mann und eine Frau, die auf dem Bürgersteig sitzen.|
|A man and woman stand on the bench.||Ein Mann und eine Frau stehen auf der Bank.|
We can design more complex probing functions as well, especially ones that target specific vulnerabilities of the translation system. Let us consider translations of English sentences that contain two active verbs, e.g. “People sitting in a restaurant eating”, and see that the German translation has the two verbs as well, “essen” and “sitzen”, respectively. We now define a probing function that passes only if the perturbed English sentence contains both the verbs, but the translation only has one of them. An adversary for such a probing function will be an English sentence () that is similar to the original sentence (), but for some reason, its translation is missing one of the verbs. Table 5 presents examples of generated adversaries using such a probing function (with more in Appendix D.2). For example, one that tests whether “essen” is dropped from the translation when its English counterpart “eating” appears in the source sentence (“People sitting in a living room eating.”). These adversaries thus suggest a vulnerability in Google’s English to German translation system: a word acting as a gerund in English often gets dropped from the translation.
|Source Sentence (English)||Generated Translation (German)|
|People sitting in a dim restaurant eating.||Leute, die in einem dim Restaurant essen sitzen.|
|People sitting in a living room eating.||Leute, die in einem Wohnzimmeressen sitzen.|
|(People sitting in a living room.)|
|Elderly people walking down a city street.||Ältere Menschen, die eine Stadtstraße hinuntergehen.|
|A man walking down a street playing.||Ein Mann, der eine Straße entlang spielt.|
|(A man playing along a street.)|
In this section, we demonstrate that our approach can be utilized to compare and evaluate the robustness of black-box models even without labeled data. We present experimental results on images and text data with evaluations from both statistical analysis and pilot user studies.
Robustness of Black-box Classifiers We apply our framework to various black-box classifiers for both images and text, and observe that it is useful for evaluating and interpreting these models via comparisons. The primary intuition behind this analysis is that more accurate classifiers often require more substantial changes to the instance to change their predictions, as noted in the previous section. In the following experiments, we apply the more efficient hybrid shrinking search (Algorithm 2).
|Average||P(largest )||Test accuracy (%)|
In order to quantify the extent of change for an adversary, the change in the original representation may not be meaningful, such as RMSE of the pixels or string edit distances, for the same reason we are generating natural adversaries: they do not correspond to the semantic distance underlying the data manifold. Instead we use the distance of the adversary in the latent space, i.e. , in order to measure how much each adversary is modified to change the classifier prediction. We also consider the set of adversaries generated for each instance against a group of classifiers, and count how many times the adversary of each classifier has the highest . We present these statistics in Table 6 for both MNIST (over 100 test images, 10 per digit) and Textual Entailment (over 1260 test sentences), against the classifiers we described in Section 3. For both the tasks, we observe that more accurate classifiers require larger changes to the inputs (by both measures), indicating that generating such adversaries, even for unlabeled data, can evaluate the accuracy of black-box classifiers.
We now consider evaluation on a broader set of classifiers, and study the effect of changing hyper-parameters of models on the results (focusing on MNIST). We train a set of neural networks with one hidden layer by varying the number of neurons exponentially from 2 to 1024. In Figure 3(a), we observe that the average of adversaries against these models has a similar trend as their test accuracy. The generated adversaries for a single digit “3” in Figure 3(d) verify this observation: the adversaries become increasingly different from the original input as classifiers become more complex. We provide similar analysis by fixing the model structure but varying the dropout rates from 0.9 to 0.0 in Figure 3(b), and observe a similar trend. To confirm that this correlation holds generally, we train total classifiers that differ in the layer sizes, regularization, and amount of training data, and plot their test set accuracy against the average magnitude of change in their adversaries in Figure 3(c). Given this strong correlation, we are confident that our framework for generating natural adversaries can be useful for automatically evaluating black-box classifiers, even in the absence of labeled data.
Human Evaluation We carry out a pilot study with human subjects to evaluate how natural the generated adversaries are, and whether the adversaries they think are similar to the original ones correspond with the less accurate classifiers (as in the evaluation above). For both image classification and textual entailment, we select a number of instances randomly, generate adversaries for each against two classifiers, and present a questionnaire to the subjects that evaluates: (1) how natural or legible each generated adversary is; (2) which of the two adversaries is closer to the original instance.
For hand-written digits from MNIST, we pick 20 images (2 for each digit), generate adversaries against RF and LeNet (two adversaries for each image), and obtain responses for each of the questions. In Table 8, we see that the subjects agree that our generated adversaries are quite natural, and also, they find RF adversaries to be much closer to the original image than LeNet (i.e. more accurate classifiers, as per test accuracy on their provided labels, have more distant adversaries). We also compare adversaries against LeNet generated by FGSM and our approach, and find that of the time the subjects agree that our adversaries make changes to the original images that are more natural (it is worth noting that FGSM is not applicable to RF for comparison). We carry out a similar pilot study for the textual entailment task to evaluate the quality of the perturbed sentences. We present a set of 20 pairs of sentences (premise and hypothesis), and adversarial hypotheses against both LSTM and TreeLSTM classifiers, and receive responses for each of the questions above. The results in Table 8 also validate our previous results: the generated sentences are found to be grammatical and legible, and classifiers that need more substantial changes to the hypothesis tend to be more accurate. We leave a more detailed user study for future work.
|Which closer to original?||0.87||0.13|
|Is adversary grammatical?||0.86||0.78|
|Is it similar to the original?||0.81||0.58|
5 Related Work
The fast gradient sign method (FGSM) has been proposed in Goodfellow et al. (2015) to generate adversarial examples fast rather than optimally. Intuitively, the method shifts the input by in the direction of minimizing the cost function. Kurakin et al. (2016) propose a simple extension of FGSM by applying it multiple times, which generates adversarial examples with a higher attack rate, but the underlying idea is the same. Another method known as the Jacobian-based saliency map attack (JSMA) has been introduced by Papernot et al. (2016b). Unlike FGSM, JSMA generates adversaries by greedily modifying the input instance feature-wise. A saliency map is computed with gradients to indicate how important each feature is for the prediction, and the most important one is modified repeatedly until the instance changes the resulting classification. Moreover, it has been observed in practice that adversarial examples designed against a model are often likely to successfully attack another model for the same task that has not been given access to. This transferability property of adversarial examples makes it more practical to attack and evaluate deployed machine learning systems in realistic scenarios (Papernot et al., 2016a, 2017).
All these attacks above are based on gradients with access to the parameters of differentiable classifiers. Moosavi-Dezfooli et al. (2017) try to find a single noise vector which can cause imperceptible changes in most of data points, and meanwhile reduce the classifier accuracy significantly. Our method is capable of generating adversaries against black-box classifiers, even those without gradients such as Random Forests. Also, the noise added by these methods is uninterpretable, while the natural adversaries generated by our approach provide informative insights into classifiers’ decision behavior.
Due to the discrete domains involved in text, adversaries for text have received less attention. Jia & Liang (2017) generate adversarial examples for evaluating reading comprehension systems with predefined rules and candidate words for substitution after analyzing and rephrasing the input sentences. Li et al. (2016) introduce a framework to understand neural network through different levels of representation erasure. However, erasure of words or phrases directly often harms text integrity, resulting in semantically or grammatically incorrect sentences. Ribeiro et al. (2018)
replace tokens by random words of the same POS tag with probability proportional to embedding similarity.Belinkov & Bisk (2018)
explore approaches to increase the robustness of character-based machine translation models on text corrupted with character-level noise. With the help of expressive generative models, our approach instead perturbs the latent coding of sentences, resulting in legible generated sentences that are grammatical and semantically similar to the original input. These merits make our framework suitable for text applications such as sentiment analysis, textual entailment, and machine translation.
6 Discussion and Future Work
Our framework builds upon GANs as the generative models, and thus the capabilities of GANs directly effects the quality of generated examples. In visual domains, although there have been lots of appealing results produced by GANs, the training is well known to be brittle. Many recent approaches address how to improve the training stability and the objective function of GANs (Salimans et al., 2016; Arjovsky et al., 2017). Gulrajani et al. (2017)
further improve the training of WGAN with regularization of gradient penalty instead of weight clipping. In our practice, we observe that we need to carefully balance the capacities of the generator, the critic, and the inverter that we introduced, to avoid situations such as model collapse. For natural languages, because of the discrete nature and non-differentiability, applications related to text generation have been relatively less studied.Zhao et al. (2017) propose to incorporate a discrete structure autoencoder with continuous code space regularized by WGAN for text generation. Given that there are some concerns about whether GANs actually learn the distribution (Arora & Zhang, 2017), it is worth noting that we can also incorporate other generative models such as Variational Auto-Encoders (VAEs) (Kingma & Welling, 2014) into our framework, as used in Hu et al. (2017) to generate text with controllable attributes, which we will explore in the future. We focus on GANs because adversarial training often results in higher quality images, while VAEs tend to produce blurrier ones (Goodfellow, 2016). We also plan to apply the fusion and variant of VAEs and GANs such as -GAN in Rosca et al. (2017) and Wasserstein Auto-Encoders in Tolstikhin et al. (2018). Note that as more advanced GANs are introduced to address these issues, they can be directly incorporated into our framework.
Our iterative stochastic search algorithm for identifying adversaries is computationally expensive since it is based on naive sampling and local-search. Search based on gradients such as FGSM are not applicable to our setup because of black-box classifiers and discrete domain applications. We improve the efficiency with hybrid shrinking search by using a coarse-to-fine strategy that finds the upper-bounds by using fewer samples, and then performs finer search in the restricted range. We observe around 4 speedup with this search while achieving similar results as the iterative search. The accuracy of our inverter mapping the input to its corresponding dense vector in latent space is also important for searching adversaries in the right neighborhood. In our experiments, we find that fine-tuning the latent vector produced by the inverter with a fixed GAN can further refine the generated adversarial examples, and we will investigate other such extensions of the search in future. There is an implicit assumption in this work that the generated samples are within the same class if the added perturbations are small enough, and the generated samples look as if they belong to different classes when the perturbations are large. However, note that it is also the case for FGSM and other such approaches: when their is small, the noise is imperceptible; but with a large , one often finds noisy instances that might be in a different class (see Table 1, digit 8 for an example). While we do observe this behavior in some cases, the corresponding classifiers require much more substantial changes to the input, which is why we can utilize our approach to evaluate black-box classifiers.
In this paper, we propose a framework for generating natural adversaries against black-box classifiers, and apply the same approach to both visual and textual domains. We obtain adversaries that are legible, grammatical, and meaningfully similar to the input. We show that these natural adversaries can help in interpreting the decision behavior and evaluating the accuracy of black-box classifiers even in absence of labeled training data. We use our approach, built upon recent work in GANs, to generate adversaries for a wide range of applications including image classification, textual entailment, and machine translation (via the Google Translate API). Code used to generate such natural adversaries is available at https://github.com/zhengliz/natural-adversary.
We would like to thank Ananya, Casey Graff, Eric Nalisnick, Pouya Pezeshkpour, Robert Logan, and the anonymous reviewers for the discussions and feedback on earlier versions. We would also like to thank Ishaan Gulrajani and Junbo Jake Zhao for making their code available. This work is supported in part by Adobe Research and in part by FICO. The views expressed are those of the authors and do not reflect the official policy or position of the funding agencies.
Alvarez-Melis & Jaakkola (2017)
David Alvarez-Melis and Tommi S. Jaakkola.
A causal framework for explaining the predictions of black-box
Empirical Methods in Natural Language Processing (EMNLP), 2017.
- Arjovsky & Bottou (2017) Martin Arjovsky and Léon Bottou. Towards principled methods for training generative adversarial networks. In International Conference on Learning Representations (ICLR), 2017.
- Arjovsky et al. (2017) Martin Arjovsky, Soumith Chintala, and Léon Bottou. Wasserstein generative adversarial networks. In International Conference on Machine Learning (ICML), 2017.
- Arora & Zhang (2017) Sanjeev Arora and Yi Zhang. Do gans actually learn the distribution? an empirical study. arXiv preprint 1706.08224, 2017.
Belinkov & Bisk (2018)
Yonatan Belinkov and Yonatan Bisk.
Synthetic and natural noise both break neural machine translation.In International Conference on Learning Representations (ICLR), 2018.
- Bowman et al. (2015) Samuel R. Bowman, Gabor Angeli, Christopher Potts, and Christopher D. Manning. A large annotated corpus for learning natural language inference. In Empirical Methods in Natural Language Processing (EMNLP), 2015.
- Chen et al. (2017) Qian Chen, Xiaodan Zhu, Zhen-Hua Ling, Si Wei, Hui Jiang, and Diana Inkpen. Enhanced lstm for natural language inference. In Association for Computational Linguistics (ACL), 2017.
- Dalvi et al. (2004) Nilesh Dalvi, Pedro Domingos, Sumit Sanghai, and Deepak Verma. Adversarial classification. In Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, 2004.
- Goodfellow (2016) Ian Goodfellow. NIPS 2016 Tutorial: Generative Adversarial Networks. arXiv preprint 1701.00160, 2016.
- Goodfellow et al. (2014) Ian Goodfellow, Jean Pouget-Abadie, Mehdi Mirza, Bing Xu, David Warde-Farley, Sherjil Ozair, Aaron Courville, and Yoshua Bengio. Generative adversarial nets. In Advances in Neural Information Processing Systems (NIPS), 2014.
- Goodfellow et al. (2015) Ian Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. In International Conference on Learning Representations (ICLR), 2015.
- Gulrajani et al. (2017) Ishaan Gulrajani, Faruk Ahmed, Martin Arjovsky, Vincent Dumoulin, and Aaron Courville. Improved training of wasserstein gans. In Advances in Neural Information Processing Systems (NIPS), 2017.
He et al. (2016)
Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun.
Deep residual learning for image recognition.
IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2016.
- Hu et al. (2017) Zhiting Hu, Zichao Yang, Xiaodan Liang, Ruslan Salakhutdinov, and Eric P. Xing. Toward controlled generation of text. In International Conference on Machine Learning (ICML), 2017.
- Jia & Liang (2017) Robin Jia and Percy Liang. Adversarial examples for evaluating reading comprehension systems. In Empirical Methods in Natural Language Processing (EMNLP), 2017.
- Kingma & Welling (2014) Diederik P. Kingma and Max Welling. Stochastic gradient vb and the variational auto-encoder. In International Conference on Learning Representations (ICLR), 2014.
- Kurakin et al. (2016) Alexey Kurakin, Ian Goodfellow, and Samy Bengio. Adversarial examples in the physical world. arXiv preprint 1607.02533, 2016.
- Kurakin et al. (2017) Alexey Kurakin, Ian Goodfellow, and Samy Bengio. Adversarial machine learning at scale. In International Conference on Learning Representations (ICLR), 2017.
- LeCun et al. (1998) Yann LeCun, Léon Bottou, Yoshua Bengio, and Patrick Haffner. Gradient-based learning applied to document recognition. Proceedings of the IEEE, 86(11):2278–2324, 1998.
- Li et al. (2016) Jiwei Li, Will Monroe, and Dan Jurafsky. Understanding neural networks through representation erasure. arXiv preprint 1612.08220, 2016.
- Moosavi-Dezfooli et al. (2017) Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, Omar Fawzi, and Pascal Frossard. Universal adversarial perturbations. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2017.
- Papernot et al. (2016a) Nicolas Papernot, Patrick McDaniel, and Ian Goodfellow. Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. arXiv preprint 1605.07277, 2016a.
Papernot et al. (2016b)
Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay
Celik, and Ananthram Swami.
The limitations of deep learning in adversarial settings.In IEEE European Symposium on Security and Privacy, 2016b.
- Papernot et al. (2017) Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z. Berkay Celik, and Ananthram Swami. Practical black-box attacks against machine learning. In Proceedings of the ACM on Asia Conference on Computer and Communications Security, 2017.
- Pei et al. (2017) Kexin Pei, Yinzhi Cao, Junfeng Yang, and Suman Jana. Deepxplore: Automated whitebox testing of deep learning systems. In the ACM Symposium on Operating Systems Principles, 2017.
Ribeiro et al. (2018)
Marco Tulio Ribeiro, Sameer Singh, and Carlos Guestrin.
Anchors: High-precision model-agnostic explanations.
AAAI Conference on Artificial Intelligence, 2018.
- Rosca et al. (2017) Mihaela Rosca, Balaji Lakshminarayanan, David Warde-Farley, and Shakir Mohamed. Variational approaches for auto-encoding generative adversarial networks. arXiv preprint 1706.04987, 2017.
- Salimans et al. (2016) Tim Salimans, Ian Goodfellow, Wojciech Zaremba, Vicki Cheung, Alec Radford, and Xi Chen. Improved techniques for training gans. In Advances in Neural Information Processing Systems (NIPS), 2016.
- Szegedy et al. (2014) Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. Intriguing properties of neural networks. In International Conference on Learning Representations (ICLR), 2014.
- Tolstikhin et al. (2018) Ilya Tolstikhin, Olivier Bousquet, Sylvain Gelly, and Bernhard Schoelkopf. Wasserstein auto-encoders. In International Conference on Learning Representations (ICLR), 2018.
- Yu et al. (2015) Fisher Yu, Yinda Zhang, Shuran Song, Ari Seff, and Jianxiong Xiao. Lsun: Construction of a large-scale image dataset using deep learning with humans in the loop. arXiv preprint 1506.03365, 2015.
- Zhao et al. (2017) Junbo Jake Zhao, Yoon Kim, Kelly Zhang, Alexander M. Rush, and Yann LeCun. Adversarially regularized autoencoders. arXiv preprint 1706.04223, 2017.
Appendix A Illustration with Synthetic Data
As shown in Figure 5 with a toy example of synthetic data, we can effectively map data instance to its corresponding latent dense vector with the help of the inverter via , and then reconstruct with the help of the generator via . For a naive classifier with the horizontal line as decision boundary, adversarial examples should be points above the line given input data in Figure 4(c). By searching in corresponding latent space, our approach finds on the left as a adversary because it is the closest one in semantic space (along the curve trace) and it exists within the data manifold. However, the gradient-based approaches may find the right above as adversarial in input space regardless of the actual data distribution.
Appendix B Algorithms
Algorithm 1 shows the pseudocode of the iterative search of our framework. Starting from the corresponding of the input instance , we iteratively move the search range outward in latent space until we have generated samples that change the prediction of the classifier . We improve the efficiency with Algorithm 2 by using a coarse-to-fine strategy and combining recursive and iterative search. We first search for adversaries in a wide search range, and recursively tighten the upper bound of the search range with denser sampling in bisections. Extra iterative search steps are taken to further tighten the upper bound of the optimal . This hybrid shrinking search approach, shown in detail in Algorithm 2, is four times faster to achieve similar adversaries as the iterative search.
Appendix C Architecture for Continuous Images
Figure 3 shows the architecture of our framework for continuous images. We adopt WGAN (Arjovsky et al., 2017) with the objective function in Equation 1, and apply gradient penalty as proposed in Gulrajani et al. (2017). On top of the generator obtained from WGAN, we train an inverter by optimizing Equation 2. For handwritten digits from MNIST dataset, we train a WGAN of latent
, with a generator consisting of 3 transposed convolutional layers and ReLU activation, and a critic consisting of 3 convolutional layers with filter sizes (64, 128, 256) and strides (2, 2, 2). We include an inverter with 2 fully connected layers of dimensions (4096, 1024) on top of the critic’s last hidden layer. For “Church Outdoor” and “Tower” images from LSUN dataset, we follow similar procedures as inGulrajani et al. (2017) training a WGAN of latent . The generator and critic are both residual networks. We use pre-activation residual blocks with two convolutional layers each and ReLU activation. The critic of 4 residual blocks performs downsampling using mean pooling after the second convolution, while the generator contains 4 residual blocks performing nearest-neighbor upsampling before the second convolution. We include an inverter with 3 fully connected layers of dimensions (8192, 2048, 512) on top of the critic’s last hidden layer.
Appendix D Architecture for Discrete Text
We use the adversarially regularized autoencoder (ARAE) (Zhao et al., 2017) for encoding discrete text into continuous codes as shown in Figure 6. ARAE model encodes a sentence with an LSTM encoder into continuous code and performs adversarial training on the codes generated from noise and data to approximate the data distribution. We introduce an inverter that maps these continuous codes into the Gaussian space of . We use 4 layers of CNN with varying filter sizes (300, 500, 700, and 1000), strides (2, 2, 2) and context windows (5, 5, 3) for encoding text , into continuous space
. For the decoder, we use a single-layer LSTM with hidden dimension of 300. We also train two MLPs, one each for the generator and the inverter, to learn mappings from noise to continuous codes and continuous codes to noise respectively. The loss functions for different components of the ARAE model, which are autoencoder reconstruction loss and WGAN loss functions for generator and critic, are described in Equations (4), (5), (6) respectively. We first train the ARAE components of encoder, decoder and generator using WGAN strategy, followed by the inverter on top of these with loss function in (7), by minimizing the Jensen-Shannon divergence between the inverted continuous codes and noise samples.
We train our framework on the sentences up to length 10 from Stanford Natural Language Inference (SNLI) (Bowman et al., 2015) dataset, with hyper-parameters of = 0.01 and = 100. Table 9 shows some examples of the perturbations generated automatically by our approach, which are grammatical and semantically close to the original sentences.
d.1 Textual Entailment Examples
d.2 Machine Translation Examples
|Original||Some dogs are running on a deserted beach.||A man playing an electric guitar on stage.|
|Perturbation||Some dogs are running on a grassy field.||A man is playing an electric guitar.|
|Some dogs are walking along a path.||A man is playing an acoustic guitar.|
|Some dogs are running down a hill.||A man is playing an accordion.|
|A dog is running on a grassy field.||A man is playing with an electronic device.|
|A dog is running down a trail.||A man is playing with an elephant.|
|Original||The man walks among the large trees.||Neutral|
|The man is lost in the woods.|
|Embedding||The man is lost at the woods.||Contradiction Neutral|
|LSTM||The man is crying in the woods.||Neutral Contradiction|
|TreeLSTM||The man is lost in a bed.||Neutral Contradiction|
|Source Sentence (English)||Generated Translation (German)|
|Asian women are sitting in a Restraunt.||Asiatische Frauen sitzen in einem Restaurant.|
|Asian kids are standing in a Restraunt.||Asiatische Kinder stehen in einem Restaurant.|
|People sitting on the floor.||Leute sitzen auf dem Boden.|
|People standing on the field.||Leute, die auf dem Feld stehen.|
|Source Sentence (English)||Generated Translation (German)|
|A man looks back while laughing and walking.||Ein Mann schaut beim Lachen und Gehen zurück.|
|A man is laughing walking down the ground.||Ein Mann lacht auf dem Boden.|
|(A man laughs on the floor.)|
|She is cooking food while wearing a dress.||Sie kocht Essen, während sie ein Kleid trägt.|
|She is cooking dressed for a wedding.||Sie kocht für eine Hochzeit.|
|(She cooks for a wedding.)|