Abstract

Despite the efficiency and scalability of machine learning systems, recent studies have demonstrated that many classification methods, especially Deep Neural Networks (DNNs), are vulnerable to adversarial examples; that is, examples that are carefully crafted to fool a well-trained classification model while being indistinguishable from natural data to human. This makes it potentially unsafe to apply DNNs or related methods in security-critical areas. Since this issue was first identified by Biggio et al. and Szegedy et al., much work has been done in this field, including the development of attack methods to generate adversarial examples and the construction of defense techniques to guard against such examples. This article aims to introduce this topic and its latest developments to the statistical community, primarily focusing on the generation and guarding of adversarial examples. Computing codes (in Python and R) used in the numerical experiments are publicly available for readers to explore the surveyed methods. It is the hope of the authors that this article will encourage more statisticians to work on this important and exciting field of generating and defending against adversarial examples.

摘要

尽管机器学习系统具有效率和可扩展性，但最近的研究表明，许多分类方法，尤其是深度神经网络 (DNN)，容易受到对抗样本的影响；也就是说，精心设计的示例可以欺骗训练有素的分类模型，同时与自然数据和人类无法区分。这使得在安全关键领域应用 DNN 或相关方法可能不安全。由于这个问题是由 Biggio 等人首先发现的。和 Szegedy 等人在这一领域已经做了很多工作，包括开发攻击方法以生成对抗性示例，以及构建防御技术来防范此类示例。本文旨在向统计界介绍该主题及其最新动态，主要关注对抗样本的生成和保护。数值实验中使用的计算代码（Python 和 R）是公开的，供读者探索调查的方法。作者希望本文能鼓励更多的统计学家在这个重要且令人兴奋的领域工作，即生成和防御对抗性示例。