Improving the Robustness of Adversarial Attacks Using an Affine-Invariant Gradient Estimator

As designers of artificial intelligence try to outwit hackers, both sides continue hone in on AI's inherent vulnerabilities. Designed and trained from certain statistical distributions data, deep neural networks (DNNs) remain vulnerable deceptive inputs that violate a DNN's statistical, predictive assumptions. Before being fed into network, however, most existing adversarial examples cannot maintain malicious functionality when applied an affine transformation. For practical purposes, maintaining serves as important measure the robustness attacks. To help DNNs learn defend themselves more thoroughly against attacks, we propose affine-invariant attack, which can consistently produce robust over transformations. efficiency, disentangle current affine-transformation strategies Euclidean geometry coordinate plane with its geometric translations, rotations dilations; reformulate latter two polar coordinates. Afterwards, construct gradient estimator by convolving at original image derived kernels, be integrated any gradient-based attack methods. Extensive experiments ImageNet, including some under physical condition, demonstrate our method significantly improve invariance and, byproduct, transferability examples, compared alternative state-of-the-art