MeshAdv: Adversarial Meshes for Visual Recognition
Highly expressive models such as deep neural networks (DNNs) have been widely
applied to various applications. However, recent studies show that DNNs are
vulnerable to adversarial examples, which are carefully crafted inputs designed
to mislead the model's predictions. To date, the majority of these studies have
focused on perturbations added to image pixels, while such manipulation is not
physically realistic. Some works have tried to overcome this limitation by
attaching printable 2D patches or painting patterns onto surfaces, but such
attacks can potentially be defended against because the 3D shape features
remain intact. In this paper, we
propose meshAdv to generate "adversarial 3D meshes" from objects that have rich
shape features but minimal textural variation. To manipulate the shape or
texture of the objects, we make use of a differentiable renderer to compute
accurate shading on the shape and propagate the gradient. Extensive experiments
show that the generated 3D meshes are effective in attacking both classifiers
and object detectors. We evaluate the attack from different viewpoints. In
addition, we design a pipeline to perform a black-box attack on a
photorealistic renderer with unknown rendering parameters.
Comment: Published in IEEE CVPR 2019
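The core idea of the abstract above is that a differentiable renderer lets gradients flow from the classifier's loss back to the mesh geometry. A minimal numpy sketch of that gradient flow, with a linear "renderer" and linear "classifier" standing in for the real differentiable renderer and DNN (all names and both linear maps are illustrative assumptions, not the actual meshAdv pipeline):

```python
import numpy as np

# Toy gradient-based shape attack: a linear "renderer" R maps mesh vertices
# to pixels, a linear "classifier" w scores the rendering, and the gradient
# of the score is back-propagated through both to perturb the vertices.
rng = np.random.default_rng(0)
n_verts, n_pix = 12, 8
R = rng.normal(size=(n_pix, 3 * n_verts))  # stand-in differentiable renderer
w = rng.normal(size=n_pix)                 # stand-in classifier weights

def render(verts):
    return R @ verts.ravel()

def class_score(verts):
    return float(w @ render(verts))

verts = rng.normal(size=(n_verts, 3))      # original mesh vertices
adv = verts.copy()
lr = 0.01
for _ in range(50):
    # d(score)/d(verts) for this linear pipeline is R^T w (chain rule)
    grad = (R.T @ w).reshape(n_verts, 3)
    adv -= lr * grad                       # push the true-class score down

print(class_score(verts), class_score(adv))
```

In the real method the renderer and classifier are nonlinear, so the gradient is obtained by automatic differentiation rather than this closed form, but the attack loop has the same shape.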
Generating Adversarial Examples with Adversarial Networks
Deep neural networks (DNNs) have been found to be vulnerable to adversarial
examples resulting from adding small-magnitude perturbations to inputs. Such
adversarial examples can mislead DNNs to produce adversary-selected results.
Different attack strategies have been proposed to generate adversarial
examples, but producing them with high perceptual quality and greater
efficiency requires further research. In this paper, we propose AdvGAN to
generate adversarial examples with generative adversarial networks (GANs),
which can learn and approximate the distribution of original instances. For
AdvGAN, once the generator is trained, it can generate adversarial
perturbations efficiently for any instance, potentially accelerating
adversarial training as a defense. We apply AdvGAN in both semi-whitebox and
black-box attack settings. In semi-whitebox attacks, there is no need to access
the original target model after the generator is trained, in contrast to
traditional white-box attacks. In black-box attacks, we dynamically train a
distilled model for the black-box model and optimize the generator accordingly.
Adversarial examples generated by AdvGAN on different target models have high
attack success rate under state-of-the-art defenses compared to other attacks.
Our attack placed first with 92.76% accuracy on a public MNIST black-box
attack challenge.
Comment: Accepted to IJCAI 2018
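The efficiency claim above rests on a simple point: once the generator is trained, crafting an adversarial example is a single forward pass with a bounded perturbation, rather than a per-example optimization. A hedged numpy sketch of that inference step, with a random linear map standing in for the trained generator and `eps` as an assumed perturbation bound (both illustrative, not the AdvGAN architecture):

```python
import numpy as np

# Sketch of AdvGAN-style inference: x_adv = x + clip(G(x), -eps, eps).
# W is a stand-in for trained generator weights; eps bounds the magnitude.
rng = np.random.default_rng(1)
d = 16
W = rng.normal(size=(d, d))

def generate_adv(x, eps=0.1):
    perturbation = np.tanh(W @ x)                    # one generator forward pass
    perturbation = np.clip(perturbation, -eps, eps)  # enforce the magnitude bound
    return x + perturbation

x = rng.normal(size=d)
x_adv = generate_adv(x)
print(np.max(np.abs(x_adv - x)))  # bounded by eps
```

The clip keeps the perturbation small-magnitude, which is what makes the generated examples hard to distinguish perceptually from the originals.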
From Shortcuts to Triggers: Backdoor Defense with Denoised PoE
Language models are often at risk of diverse backdoor attacks, especially
data poisoning. Thus, it is important to investigate defense solutions for
addressing them. Existing backdoor defense methods mainly focus on backdoor
attacks with explicit triggers, leaving a universal defense against various
backdoor attacks with diverse triggers largely unexplored. In this paper, we
propose an end-to-end ensemble-based backdoor defense framework, DPoE (Denoised
Product-of-Experts), inspired by the shortcut nature of backdoor attacks, to
defend against various backdoor attacks. DPoE consists of two models: a
shallow model that captures the backdoor shortcuts and a main model that is
prevented from learning the backdoor shortcuts. To address the label flips
caused by backdoor attackers, DPoE incorporates a denoising design. Experiments
on the SST-2 dataset show that DPoE significantly improves the defense performance
against various types of backdoor triggers including word-level,
sentence-level, and syntactic triggers. Furthermore, DPoE is also effective
under a more challenging but practical setting that mixes multiple types of
triggers.
Comment: Work in Progress
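The two-model design above follows the standard product-of-experts pattern: during training the shallow and main models are ensembled by summing log-probabilities, so the shallow expert can absorb the backdoor shortcut while the main model fits the residual signal; at test time the main model is used alone. A toy numpy sketch of that combination (the logits are invented illustrative values, and this omits DPoE's denoising component):

```python
import numpy as np

# Product-of-Experts combination: ensemble log-probs = sum of each expert's
# log-probs (renormalized). The shallow expert captures the trigger shortcut.
def log_softmax(z):
    z = z - z.max()
    return z - np.log(np.exp(z).sum())

shallow_logits = np.array([4.0, 0.0, 0.0])  # shortcut model: locks onto trigger label 0
main_logits    = np.array([0.5, 2.0, 0.1])  # main model: prefers the clean label 1

# PoE ensemble used in the training loss; at inference only main_logits are used.
poe_log_probs = log_softmax(log_softmax(shallow_logits) + log_softmax(main_logits))

print(int(np.argmax(poe_log_probs)), int(np.argmax(main_logits)))
```

Here the ensemble prediction is dominated by the confident shortcut expert, while the main model alone predicts the clean label, which is exactly the behavior the training scheme exploits.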
Three-dimensional Magnetic Restructuring in Two Homologous Solar Flares in the Seismically Active NOAA AR 11283
We carry out a comprehensive investigation comparing the three-dimensional
magnetic field restructuring, flare energy release, and the helioseismic
response, of two homologous flares, the 2011 September 6 X2.1 (FL1) and
September 7 X1.8 (FL2) flares in NOAA AR 11283. In our analysis, (1) a twisted
flux rope (FR) collapses onto the surface at a speed of 1.5 km/s after a
partial eruption in FL1. The FR then gradually grows to reach a higher altitude
and collapses again at 3 km/s after a fuller eruption in FL2. Also, FL2 shows a
larger decrease of the flux-weighted centroid separation of opposite magnetic
polarities and a greater change of the horizontal field on the surface. These
imply a more violent coronal implosion with correspondingly more intense surface
signatures in FL2. (2) The FR is inclined northward, and together with the
ambient fields, it undergoes a southward turning after both events. This agrees
with the asymmetric decay of the penumbra observed in the peripheral regions.
(3) The amounts of free magnetic energy and nonthermal electron energy released
during FL1 are comparable to those of FL2 within the uncertainties of the
measurements. (4) No sunquake was detected in FL1; in contrast, FL2 produced
two seismic emission sources S1 and S2 both lying in the penumbral regions.
Interestingly, S1 and S2 are connected by magnetic loops, and the stronger
source S2 has a weaker vertical magnetic field. We discuss these results in
relation to the implosion process in the low corona and the sunquake
generation.
Comment: 12 pages, 9 figures, accepted to the Astrophysical Journal