check Adversarial Attacks and Defenses in Deep Learning

L-BFGS

\[\min_{x'} \|x - x'\|_{p} \quad \text{subject to } f(x') \neq y'\]

Fast Gradient Sign Method (FGSM), ICLR 2015, highly cited

\[x' = x + \epsilon \cdot \text{sign}[\nabla_{x} J(\theta, x, y)]\]

It can easily be changed to a targeted attack:

\[x' = x - \epsilon \cdot \text{sign}[\nabla_{x} J(\theta, x, y')]\]

The fact that these simple, cheap algorithms are able to generate misclassified examples serves as evidence in favor of our interpretation of adversarial examples as a result of linearity.

Basic Iterative Method (BIM)

BIM improves the performance of FGSM by running a finer iterative optimizer for multiple iterations. The BIM performs FGSM with a smaller step size and clips the updated adversarial sample into a valid range for T iterations; that is, in the t-th iteration, the update rule is the following:

\[x'_{t+1} = \text{Clip}(x'_{t} + \alpha \cdot \text{sign} [\nabla_{x} J(\theta, x'_{t},y)])\]

This is a special case of PGD:

\[x'_{t+1} = \text{Proj}(x'_{t} + \alpha \cdot \text{sign} [\nabla_{x} J(\theta, x'_{t},y)])\]
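The FGSM and BIM update rules above, written out as an added example (not code from the paper or from these notes) that can serve as a small robustness check: it reports how far a model's confidence moves under an L-infinity budget. The logistic-regression weights, the sample input, the [0, 1] input range and every function name are assumptions made for the illustration.

```python
import math

W, B = [2.0, -3.0, 1.5, 0.5], -0.2   # constructed toy model: logistic regression

def predict(x):
    """P(y = 1 | x) for the toy model f."""
    return 1.0 / (1.0 + math.exp(-(sum(w * v for w, v in zip(W, x)) + B)))

def loss(x, y):
    """Cross-entropy J(theta, x, y), y in {0, 1}."""
    p = predict(x)
    return -math.log(p if y == 1 else 1.0 - p)

def grad_sign(x, y):
    """sign of dJ/dx; for this model dJ/dx = (p - y) * W."""
    p = predict(x)
    return [((p - y) * w > 0) - ((p - y) * w < 0) for w in W]

def project(adv, x, eps):
    """Clip / Proj: stay in the L-inf ball of radius eps around x and in [0, 1]."""
    return [min(1.0, max(0.0, min(v + eps, max(v - eps, a)))) for a, v in zip(adv, x)]

def fgsm(x, y, eps, targeted=False):
    """x' = x + eps*sign(grad) for true label y; minus sign for a target label y'."""
    d = -eps if targeted else eps
    return project([v + d * s for v, s in zip(x, grad_sign(x, y))], x, eps)

def bim(x, y, eps, alpha, steps):
    """FGSM repeated with step alpha, projected after every step."""
    adv = list(x)
    for _ in range(steps):
        adv = project([a + alpha * s for a, s in zip(adv, grad_sign(adv, y))], x, eps)
    return adv

def linf(a, b):
    return max(abs(p - q) for p, q in zip(a, b))

if __name__ == "__main__":
    x, y = [0.6, 0.3, 0.5, 0.4], 1   # constructed input with true label 1
    runs = {"clean": x, "FGSM eps=0.1": fgsm(x, y, 0.1),
            "FGSM eps=0.2": fgsm(x, y, 0.2), "BIM eps=0.2": bim(x, y, 0.2, 0.05, 10)}
    for name, adv in runs.items():
        print(f"{name:13s} P(y=1)={predict(adv):.3f} J={loss(adv, y):.3f} "
              f"Linf={linf(adv, x):.2f}")
```

Because this toy model is linear in x, the gradient sign never changes between iterations, so BIM ends at the same point as single-step FGSM for the same budget; on a non-linear network the iterates would differ.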