On the suitability of lp-norms for creating and preventing adversarial examples

Mahmood Sharif, Lujo Baue, Michael K. Reite

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

Much research has been devoted to better understanding adversarial examples, which are specially crafted inputs to machine-learning models that are perceptually similar to benign inputs, but are classified differently (i.e., misclassified). Both algorithms that create adversarial examples and strategies for defending against adversarial examples typically use Lp-norms to measure the perceptual similarity between an adversarial input and its benign original. Prior work has already shown, however, that two images need not be close to each other as measured by an Lp-norm to be perceptually similar. In this work, we show that nearness according to an Lp-norm is not just unnecessary for perceptual similarity, but is also insufficient. Specifically, focusing on datasets (CIFAR10 and MNIST), Lp-norms, and thresholds used in prior work, we show through online user studies that 'adversarial examples' that are closer to their benign counterparts than required by commonly used Lp-norm thresholds can nevertheless be perceptually distinct to humans from the corresponding benign examples. Namely, the perceptual distance between two images that are 'near' each other according to an Lp-norm can be high enough that participants frequently classify the two images as representing different objects or digits. Combined with prior work, we thus demonstrate that nearness of inputs as measured by Lp-norms is neither necessary nor sufficient for perceptual similarity, which has implications for both creating and defending against adversarial examples. We propose and discuss alternative similarity metrics to stimulate future research in the area.

Original languageEnglish
Title of host publicationProceedings - 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops, CVPRW 2018
PublisherIEEE Computer Society
Pages1686-1694
Number of pages9
ISBN (Electronic)9781538661000
DOIs
StatePublished - 13 Dec 2018
Externally publishedYes
Event31st Meeting of the IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops, CVPRW 2018 - Salt Lake City, United States
Duration: 18 Jun 201822 Jun 2018

Publication series

NameIEEE Computer Society Conference on Computer Vision and Pattern Recognition Workshops
Volume2018-June
ISSN (Print)2160-7508
ISSN (Electronic)2160-7516

Conference

Conference31st Meeting of the IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops, CVPRW 2018
Country/TerritoryUnited States
CitySalt Lake City
Period18/06/1822/06/18

Fingerprint

Dive into the research topics of 'On the suitability of lp-norms for creating and preventing adversarial examples'. Together they form a unique fingerprint.

Cite this