attack 2025

A New Type of Adversarial Examples

Xingyang Nie , Guojie Xiao , Su Pan , Biao Wang , Huilin Ge , Tao Fang

0 citations · 27 references · arXiv


Published on arXiv

2510.19347

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

Inputs that lie far from the original examples in sample space can still receive exactly the same DNN prediction as those originals, showing that decision regions extend well beyond the neighbourhood of the training data; the paper frames this as enabling false-alarm attacks on safety-critical systems.

NI-FGSM / NMI-FGSM

Novel technique introduced


Most machine learning models are vulnerable to adversarial examples, which raises security concerns about these models. Adversarial examples are crafted by applying subtle but intentionally worst-case modifications to examples from the dataset, leading the model to output a different answer from the original example. In this paper, adversarial examples are formed in an exactly opposite manner: they are significantly different from the original examples but result in the same answer. We propose a novel set of algorithms to produce such adversarial examples, including the negative iterative fast gradient sign method (NI-FGSM) and the negative iterative fast gradient method (NI-FGM), along with their momentum variants: the negative momentum iterative fast gradient sign method (NMI-FGSM) and the negative momentum iterative fast gradient method (NMI-FGM). Adversarial examples constructed by these methods could be used to perform an attack on machine learning systems on certain occasions. Moreover, our results show that the adversarial examples are not merely distributed in the neighbourhood of the examples from the dataset; instead, they are distributed extensively in the sample space.


Key Contributions

  • Defines a novel adversarial example type in which the input is pushed far from the original in sample space yet keeps the same predicted class, inverting the traditional adversarial perturbation paradigm of small change, different label.
  • Proposes four gradient-based algorithms (NI-FGSM, NI-FGM, NMI-FGSM, NMI-FGM) that use negative gradient steps, with and without momentum, to generate such examples.
  • Demonstrates that DNN decision regions extend far beyond local data neighborhoods, enabling false-alarm attack scenarios (e.g., identity authentication bypass, covert image encoding).

🛡️ Threat Analysis

Input Manipulation Attack

The paper proposes gradient-based adversarial example generation methods (NI-FGSM, NI-FGM, NMI-FGSM, NMI-FGM) that manipulate model inputs at inference time. Unlike traditional adversarial misclassification attacks, the goal is not a wrong label: the crafted input looks nothing like the original yet is assigned the same class, which the paper presents as enabling false-alarm attacks on identity authentication and detection systems.


Details

Domains
vision
Model Types
cnn
Threat Tags
white_box, inference_time, targeted, digital
Applications
image classification, face recognition, autonomous driving, identity authentication