Images perturbed subtly to be misclassified by neural networks, called adversarial examples , have emerged as a technically deep challenge and an important concern for several application domains. Most research on adversarial examples takes as its only constraint that the perturbed images are similar to the originals. However, real-world application of these ideas often requires the examples to satisfy additional objectives, which are typically enforced through custom modifications of the perturbation process. In this article, we propose adversarial generative nets (AGNs), a general methodology to train a generator neural network to emit adversarial examples satisfying desired objectives. We demonstrate the ability of AGNs to accommodate a wide range of objectives, including imprecise ones difficult to model, in two application domains. In particular, we demonstrate physical adversarial examples—eyeglass frames designed to fool face recognition—with better robustness, inconspicuousness, and scalability than previous approaches, as well as a new attack to fool a handwritten-digit classifier.

中文翻译：

---

具有目标的对抗性示例的通用框架

图像被微妙地扰动以被神经网络错误分类，称为对抗性例子，已成为技术上的深层挑战，也是多个应用领域的重要关注点。大多数关于对抗样本的研究都将扰动图像与原始图像相似作为其唯一约束。然而，这些想法的实际应用通常需要示例来满足额外的目标，这些目标通常是通过对扰动过程的自定义修改来实施的。在本文中，我们提出对抗性生成网络（AGN），一种训练发电机神经网络发出满足期望目标的对抗样本。我们展示了 AGN 在两个应用领域中适应广泛目标的能力，包括难以建模的不精确目标。特别是，我们证明身体的对抗性示例——旨在欺骗人脸识别的眼镜框——比以前的方法具有更好的鲁棒性、不显眼和可扩展性，以及一种新的攻击来欺骗手写数字分类器。