近年来，一项大量的研究努力集中在对抗图像上的对抗攻击，而对抗性视频攻击很少被探索。我们提出了对叫做Deepsava的竞争对手攻击战略。我们的模型包括通过统一优化框架的添加剂扰动和空间转换，其中采用结构相似性指数（SSIM）测量来测量对抗距离。我们设计一种有效和新的优化方案，可替代地利用贝叶斯优化来识别视频和随机梯度下降（SGD）优化中最有影响力的帧，以产生添加剂和空间变换的扰动。这样做使DeepSava能够对视频进行非常稀疏的攻击，以维持人类难以察觉，同时在攻击成功率和对抗转移性方面仍然实现最先进的性能。我们对各种类型的深神经网络和视频数据集的密集实验证实了Deepsava的优越性。

最近的研究表明，在一个白盒模型上手工制作的对抗性示例可用于攻击其他黑箱型号。这种跨模型可转换性使得执行黑匣子攻击可行，这对现实世界的DNN应用程序提出了安全性问题。尽管如此，现有的作品主要专注于调查跨不同深层模型的对抗性可转移，该模型共享相同的输入数据模型。从未探索过对抗扰动的跨莫代尔转移性。本文研究了不同方式的对抗性扰动的可转移性，即利用在白盒图像模型上产生的对抗扰动，以攻击黑盒视频模型。具体而言，通过观察到图像和视频帧之间的低级特征空间是相似的，我们提出了一种简单但有效的跨模型攻击方法，名称为图像到视频（I2V）攻击。通过最小化来自对手和良性示例的预先接受的图像模型的特征之间的特征之间的余弦相似性来生成对抗性帧，然后组合生成的对抗性帧以对视频识别模型进行黑盒攻击。广泛的实验表明，I2V可以在不同的黑匣子视频识别模型上实现高攻击成功率。在动力学-400和UCF-101上，I2V分别实现了77.88％和65.68％的平均攻击成功率，阐明了跨越模态对抗攻击的可行性。

Video classification systems are vulnerable to adversarial attacks, which can create severe security problems in video verification. Current black-box attacks need a large number of queries to succeed, resulting in high computational overhead in the process of attack. On the other hand, attacks with restricted perturbations are ineffective against defenses such as denoising or adversarial training. In this paper, we focus on unrestricted perturbations and propose StyleFool, a black-box video adversarial attack via style transfer to fool the video classification system. StyleFool first utilizes color theme proximity to select the best style image, which helps avoid unnatural details in the stylized videos. Meanwhile, the target class confidence is additionally considered in targeted attacks to influence the output distribution of the classifier by moving the stylized video closer to or even across the decision boundary. A gradient-free method is then employed to further optimize the adversarial perturbations. We carry out extensive experiments to evaluate StyleFool on two standard datasets, UCF-101 and HMDB-51. The experimental results demonstrate that StyleFool outperforms the state-of-the-art adversarial attacks in terms of both the number of queries and the robustness against existing defenses. Moreover, 50% of the stylized videos in untargeted attacks do not need any query since they can already fool the video classification model. Furthermore, we evaluate the indistinguishability through a user study to show that the adversarial samples of StyleFool look imperceptible to human eyes, despite unrestricted perturbations.

最近的研究表明，深神经网络（DNN）易受对抗的对抗性斑块，这引入了对输入的可察觉而且局部化的变化。尽管如此，现有的方法都集中在图像上产生对抗性补丁，视频中的对应于视频的探索。与图像相比，攻击视频更具挑战性，因为它不仅需要考虑空间线索，而且需要考虑时间线索。为了缩短这种差距，我们在本文中介绍了一种新的对抗性攻击，子弹屏幕评论（BSC）攻击，攻击了BSC的视频识别模型。具体地，通过增强学习（RL）框架产生对抗性BSC，其中环境被设置为目标模型，并且代理商扮演选择每个BSC的位置和透明度的作用。通过不断查询目标模型和接收反馈，代理程序逐渐调整其选择策略，以实现具有非重叠BSC的高鬼速。由于BSC可以被视为一种有意义的补丁，将它添加到清洁视频不会影响人们对视频内容的理解，也不会引起人们的怀疑。我们进行广泛的实验，以验证所提出的方法的有效性。在UCF-101和HMDB-51数据集中，我们的BSC攻击方法可以在攻击三个主流视频识别模型时达到约90 \％的愚蠢速率，同时仅在视频中封闭\无文无线8 \％区域。我们的代码可在https://github.com/kay -ck/bsc-attack获得。

Adversarial robustness assessment for video recognition models has raised concerns owing to their wide applications on safety-critical tasks. Compared with images, videos have much high dimension, which brings huge computational costs when generating adversarial videos. This is especially serious for the query-based black-box attacks where gradient estimation for the threat models is usually utilized, and high dimensions will lead to a large number of queries. To mitigate this issue, we propose to simultaneously eliminate the temporal and spatial redundancy within the video to achieve an effective and efficient gradient estimation on the reduced searching space, and thus query number could decrease. To implement this idea, we design the novel Adversarial spatial-temporal Focus (AstFocus) attack on videos, which performs attacks on the simultaneously focused key frames and key regions from the inter-frames and intra-frames in the video. AstFocus attack is based on the cooperative Multi-Agent Reinforcement Learning (MARL) framework. One agent is responsible for selecting key frames, and another agent is responsible for selecting key regions. These two agents are jointly trained by the common rewards received from the black-box threat models to perform a cooperative prediction. By continuously querying, the reduced searching space composed of key frames and key regions is becoming precise, and the whole query number becomes less than that on the original video. Extensive experiments on four mainstream video recognition models and three widely used action recognition datasets demonstrate that the proposed AstFocus attack outperforms the SOTA methods, which is prevenient in fooling rate, query number, time, and perturbation magnitude at the same.

The authors thank Nicholas Carlini (UC Berkeley) and Dimitris Tsipras (MIT) for feedback to improve the survey quality. We also acknowledge X. Huang (Uni. Liverpool), K. R. Reddy (IISC), E. Valle (UNICAMP), Y. Yoo (CLAIR) and others for providing pointers to make the survey more comprehensive.

Deep neural networks (DNNs) are one of the most prominent technologies of our time, as they achieve state-of-the-art performance in many machine learning tasks, including but not limited to image classification, text mining, and speech processing. However, recent research on DNNs has indicated ever-increasing concern on the robustness to adversarial examples, especially for security-critical tasks such as traffic sign identification for autonomous driving. Studies have unveiled the vulnerability of a well-trained DNN by demonstrating the ability of generating barely noticeable (to both human and machines) adversarial images that lead to misclassification. Furthermore, researchers have shown that these adversarial images are highly transferable by simply training and attacking a substitute model built upon the target model, known as a black-box attack to DNNs.Similar to the setting of training substitute models, in this paper we propose an effective black-box attack that also only has access to the input (images) and the output (confidence scores) of a targeted DNN. However, different from leveraging attack transferability from substitute models, we propose zeroth order optimization (ZOO) based attacks to directly estimate the gradients of the targeted DNN for generating adversarial examples. We use zeroth order stochastic coordinate descent along with dimension reduction, hierarchical attack and importance sampling techniques to * Pin-Yu Chen and Huan Zhang contribute equally to this work.

Although deep learning has made remarkable progress in processing various types of data such as images, text and speech, they are known to be susceptible to adversarial perturbations: perturbations specifically designed and added to the input to make the target model produce erroneous output. Most of the existing studies on generating adversarial perturbations attempt to perturb the entire input indiscriminately. In this paper, we propose ExploreADV, a general and flexible adversarial attack system that is capable of modeling regional and imperceptible attacks, allowing users to explore various kinds of adversarial examples as needed. We adapt and combine two existing boundary attack methods, DeepFool and Brendel\&Bethge Attack, and propose a mask-constrained adversarial attack system, which generates minimal adversarial perturbations under the pixel-level constraints, namely ``mask-constraints''. We study different ways of generating such mask-constraints considering the variance and importance of the input features, and show that our adversarial attack system offers users good flexibility to focus on sub-regions of inputs, explore imperceptible perturbations and understand the vulnerability of pixels/regions to adversarial attacks. We demonstrate our system to be effective based on extensive experiments and user study.

Adding perturbations via utilizing auxiliary gradient information or discarding existing details of the benign images are two common approaches for generating adversarial examples. Though visual imperceptibility is the desired property of adversarial examples, conventional adversarial attacks still generate traceable adversarial perturbations. In this paper, we introduce a novel Adversarial Attack via Invertible Neural Networks (AdvINN) method to produce robust and imperceptible adversarial examples. Specifically, AdvINN fully takes advantage of the information preservation property of Invertible Neural Networks and thereby generates adversarial examples by simultaneously adding class-specific semantic information of the target class and dropping discriminant information of the original class. Extensive experiments on CIFAR-10, CIFAR-100, and ImageNet-1K demonstrate that the proposed AdvINN method can produce less imperceptible adversarial images than the state-of-the-art methods and AdvINN yields more robust adversarial examples with high confidence compared to other adversarial attacks.

With rapid progress and significant successes in a wide spectrum of applications, deep learning is being applied in many safety-critical environments. However, deep neural networks have been recently found vulnerable to well-designed input samples, called adversarial examples. Adversarial perturbations are imperceptible to human but can easily fool deep neural networks in the testing/deploying stage. The vulnerability to adversarial examples becomes one of the major risks for applying deep neural networks in safety-critical environments. Therefore, attacks and defenses on adversarial examples draw great attention. In this paper, we review recent findings on adversarial examples for deep neural networks, summarize the methods for generating adversarial examples, and propose a taxonomy of these methods. Under the taxonomy, applications for adversarial examples are investigated. We further elaborate on countermeasures for adversarial examples. In addition, three major challenges in adversarial examples and the potential solutions are discussed.

Deep neural networks are vulnerable to adversarial examples, which poses security concerns on these algorithms due to the potentially severe consequences. Adversarial attacks serve as an important surrogate to evaluate the robustness of deep learning models before they are deployed. However, most of existing adversarial attacks can only fool a black-box model with a low success rate. To address this issue, we propose a broad class of momentum-based iterative algorithms to boost adversarial attacks. By integrating the momentum term into the iterative process for attacks, our methods can stabilize update directions and escape from poor local maxima during the iterations, resulting in more transferable adversarial examples. To further improve the success rates for black-box attacks, we apply momentum iterative algorithms to an ensemble of models, and show that the adversarially trained models with a strong defense ability are also vulnerable to our black-box attacks. We hope that the proposed methods will serve as a benchmark for evaluating the robustness of various deep models and defense methods. With this method, we won the first places in NIPS 2017 Non-targeted Adversarial Attack and Targeted Adversarial Attack competitions.

愚弄深度神经网络（DNN）与黑匣子优化已成为一种流行的对抗攻击方式，因为DNN的结构先验知识始终是未知的。尽管如此，最近的黑匣子对抗性攻击可能会努力平衡其在解决高分辨率图像中产生的对抗性示例（AES）的攻击能力和视觉质量。在本文中，我们基于大规模的多目标进化优化，提出了一种关注引导的黑盒逆势攻击，称为LMOA。通过考虑图像的空间语义信息，我们首先利用注意图来确定扰动像素。而不是攻击整个图像，减少了具有注意机制的扰动像素可以有助于避免维度的臭名臭氧，从而提高攻击性能。其次，采用大规模的多目标进化算法在突出区域中遍历降低的像素。从其特征中受益，所产生的AES有可能在人类视力不可知的同时愚弄目标DNN。广泛的实验结果已经验证了所提出的LMOA在ImageNet数据集中的有效性。更重要的是，与现有的黑匣子对抗性攻击相比，产生具有更好的视觉质量的高分辨率AE更具竞争力。

虽然基于深度学习的视频识别模型取得了显着的成功，但它们易于通过在清洁视频样本上添加人难以扰动而产生的对抗性示例。如最近的研究所述，对抗性示例是可转换的，这使得对现实世界应用中的黑匣子攻击是可行的。然而，当攻击其他视频模型和基于转移的视频模型的转移攻击时，大多数现有的对抗性攻击方法具有差的可转移性仍未开发。为此，我们建议促进对视频识别模型的黑匣子攻击的视频逆势示例的可转移性。通过广泛的分析，我们发现不同的视频识别模型依赖于不同的鉴别性时间模式，导致视频逆势示例的可转移性差。这使我们引入了延时翻译攻击方法，该方法优化了一组时间翻译视频剪辑上的对抗扰动。通过在翻译视频中产生对抗性示例，所得到的对手示例对白盒模型中存在的时间模式不太敏感，因此可以更好地转移。在动力学-400数据集和UCF-101数据集上的广泛实验表明，我们的方法可以显着提高视频逆势示例的可转移性。对于对视频识别模型的基于转移的攻击，在UCF-101上实现了动力学-400和48.60％的61.56％的平均攻击成功率。代码可在https://github.com/zhipeng-wei/tt上获得。

Convolutional neural networks have demonstrated high accuracy on various tasks in recent years. However, they are extremely vulnerable to adversarial examples. For example, imperceptible perturbations added to clean images can cause convolutional neural networks to fail. In this paper, we propose to utilize randomization at inference time to mitigate adversarial effects. Specifically, we use two randomization operations: random resizing, which resizes the input images to a random size, and random padding, which pads zeros around the input images in a random manner. Extensive experiments demonstrate that the proposed randomization method is very effective at defending against both single-step and iterative attacks. Our method provides the following advantages: 1) no additional training or fine-tuning, 2) very few additional computations, 3) compatible with other adversarial defense methods. By combining the proposed randomization method with an adversarially trained model, it achieves a normalized score of 0.924 (ranked No.2 among 107 defense teams) in the NIPS 2017 adversarial examples defense challenge, which is far better than using adversarial training alone with a normalized score of 0.773 (ranked No.56). The code is public available at https: //github.com/cihangxie/NIPS2017_adv_challenge_defense.

Though CNNs have achieved the state-of-the-art performance on various vision tasks, they are vulnerable to adversarial examples -crafted by adding human-imperceptible perturbations to clean images. However, most of the existing adversarial attacks only achieve relatively low success rates under the challenging black-box setting, where the attackers have no knowledge of the model structure and parameters. To this end, we propose to improve the transferability of adversarial examples by creating diverse input patterns. Instead of only using the original images to generate adversarial examples, our method applies random transformations to the input images at each iteration. Extensive experiments on ImageNet show that the proposed attack method can generate adversarial examples that transfer much better to different networks than existing baselines. By evaluating our method against top defense solutions and official baselines from NIPS 2017 adversarial competition, the enhanced attack reaches an average success rate of 73.0%, which outperforms the top-1 attack submission in the NIPS competition by a large margin of 6.6%. We hope that our proposed attack strategy can serve as a strong benchmark baseline for evaluating the robustness of networks to adversaries and the effectiveness of different defense methods in the future. Code is available at https: //github.com/cihangxie/DI-2-FGSM .

时间序列数据在许多现实世界中（例如，移动健康）和深神经网络（DNNS）中产生，在解决它们方面已取得了巨大的成功。尽管他们成功了，但对他们对对抗性攻击的稳健性知之甚少。在本文中，我们提出了一个通过统计特征（TSA-STAT）}称为时间序列攻击的新型对抗框架}。为了解决时间序列域的独特挑战，TSA-STAT对时间序列数据的统计特征采取限制来构建对抗性示例。优化的多项式转换用于创建比基于加性扰动的攻击（就成功欺骗DNN而言）更有效的攻击。我们还提供有关构建对抗性示例的统计功能规范的认证界限。我们对各种现实世界基准数据集的实验表明，TSA-STAT在欺骗DNN的时间序列域和改善其稳健性方面的有效性。 TSA-STAT算法的源代码可在https://github.com/tahabelkhouja/time-series-series-attacks-via-statity-features上获得

积极调查深度神经网络的对抗鲁棒性。然而，大多数现有的防御方法限于特定类型的对抗扰动。具体而言，它们通常不能同时为多次攻击类型提供抵抗力，即，它们缺乏多扰动鲁棒性。此外，与图像识别问题相比，视频识别模型的对抗鲁棒性相对未开发。虽然有几项研究提出了如何产生对抗性视频，但在文献中只发表了关于防御策略的少数关于防御策略的方法。在本文中，我们提出了用于视频识别的多种抗逆视频的第一战略之一。所提出的方法称为Multibn，使用具有基于学习的BN选择模块的多个独立批量归一化（BN）层对多个对冲视频类型进行对抗性训练。利用多个BN结构，每个BN Brach负责学习单个扰动类型的分布，从而提供更精确的分布估计。这种机制有利于处理多种扰动类型。 BN选择模块检测输入视频的攻击类型，并将其发送到相应的BN分支，使MultiBN全自动并允许端接训练。与目前的对抗训练方法相比，所提出的Multibn对不同甚至不可预见的对抗性视频类型具有更强的多扰动稳健性，从LP界攻击和物理上可实现的攻击范围。在不同的数据集和目标模型上保持真实。此外，我们进行了广泛的分析，以研究多BN结构的性质。

Adversarial patch is an important form of real-world adversarial attack that brings serious risks to the robustness of deep neural networks. Previous methods generate adversarial patches by either optimizing their perturbation values while fixing the pasting position or manipulating the position while fixing the patch's content. This reveals that the positions and perturbations are both important to the adversarial attack. For that, in this paper, we propose a novel method to simultaneously optimize the position and perturbation for an adversarial patch, and thus obtain a high attack success rate in the black-box setting. Technically, we regard the patch's position, the pre-designed hyper-parameters to determine the patch's perturbations as the variables, and utilize the reinforcement learning framework to simultaneously solve for the optimal solution based on the rewards obtained from the target model with a small number of queries. Extensive experiments are conducted on the Face Recognition (FR) task, and results on four representative FR models show that our method can significantly improve the attack success rate and query efficiency. Besides, experiments on the commercial FR service and physical environments confirm its practical application value. We also extend our method to the traffic sign recognition task to verify its generalization ability.

最近，基于视频的动作识别方法使用卷积神经网络（CNNS）实现了显着的识别性能。但是，仍然缺乏关于行动识别模型的泛化机制的理解。在本文中，我们建议动作识别模型依赖于少于预期的运动信息，因此它们对帧订单的随机化是强大的。基于此观察，我们使用对行动识别模型的对抗攻击的对抗攻击时，开发一种新的防御方法。实现我们的防御方法的另一个观察是对视频的对抗扰动对时间破坏敏感。据我们所知，这是第一次尝试设计特定于基于视频动作识别模型的防御方法。

对抗性攻击提供了研究深层学习模式的稳健性的好方法。基于转移的黑盒攻击中的一种方法利用了几种图像变换操作来提高对逆势示例的可转换性，这是有效的，但不能考虑输入图像的特定特征。在这项工作中，我们提出了一种新颖的架构，称为自适应图像转换学习者（AIT1），其将不同的图像变换操作结合到统一的框架中，以进一步提高对抗性示例的可转移性。与现有工作中使用的固定组合变换不同，我们精心设计的转换学习者自适应地选择特定于输入图像的图像变换最有效的组合。关于Imagenet的广泛实验表明，我们的方法在各种设置下显着提高了正常培训的模型和防御模型的攻击成功率。