Challenge
Deep neural networks (DNNs) achieve very high accuracy on many computer vision tasks (e.g., image classification). At the same time, they appear to be vulnerable to so-called adversarial attacks, where a small modification of an input example can dramatically change the final classification result. However, these small modifications are typically not robust: they are destroyed by minor transformations of the modified input, such as a perspective change or rotation. The task here is to find a way to create robust adversarial examples that withstand a variety of natural transformations.
Solution
We create robust adversarial manipulations of input images by incorporating various transformations of the modified result into the optimisation process. The video on the right illustrates the final results. Given a DNN for traffic sign classification, we manipulate the 120 km/h sign (see the image, or watch the end of the video) so that the network recognises it as a STOP sign with very high confidence, regardless of transformations such as skewing and rotation.
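The core idea can be sketched in a few lines: instead of minimising the target-class loss for a single input, average the loss gradient over a set of transformations of that input, so the resulting perturbation works under each of them. The sketch below is a minimal toy illustration under stated assumptions, not the actual system: the "DNN" is a random linear softmax classifier over flattened 8x8 images, and the "natural transformation" is a circular pixel shift; the real attack uses a trained network and geometric transformations such as rotation and skew.

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy stand-in for a DNN: a linear softmax classifier over
# flattened 8x8 "images" with 10 classes (hypothetical weights).
W = rng.normal(size=(10, 64)) * 0.1

def softmax(z):
    z = z - z.max()
    e = np.exp(z)
    return e / e.sum()

def transform(x, shift):
    # Stand-in for a natural transformation: a circular pixel shift.
    return np.roll(x, shift)

def avg_gradient(x, target, shifts):
    # Average the cross-entropy gradient over all transformations:
    # the perturbation is optimised "in expectation" over them.
    g = np.zeros_like(x)
    for s in shifts:
        xt = transform(x, s)
        p = softmax(W @ xt)
        # Gradient w.r.t. the transformed input ...
        g_t = W.T @ (p - np.eye(10)[target])
        # ... mapped back through the (invertible) transformation.
        g += np.roll(g_t, -s)
    return g / len(shifts)

x = rng.normal(size=64)   # clean input example
target = 3                # class the network should be fooled into
shifts = range(-2, 3)     # transformations sampled during optimisation

# Gradient descent on the transformation-averaged target loss.
for _ in range(300):
    x = x - 0.1 * avg_gradient(x, target, shifts)

# The optimised example should now be classified as `target`
# under every transformation that was included in the optimisation.
preds = [int(np.argmax(W @ transform(x, s))) for s in shifts]
print(preds)
```

Note the design choice this illustrates: robustness is only obtained with respect to the transformations (here, the shifts) that were sampled during optimisation, which is exactly the property stated under Impact.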
Impact
The resulting adversarial example is robust with respect to the transformations that were included in the optimisation process.