


From individual adversarial to manifold adversarial: CVPR 2023 explores generalizable manifold adversarial attacks
Is a facial recognition system that claims to be 99% accurate really unbreakable? In fact, such a system can easily be fooled by changes to a face photo that do not affect human visual judgment. For example, the girl next door and a male celebrity can be judged to be the same person. This is an adversarial attack. The goal of an adversarial attack is to find adversarial samples that look natural and can confuse the neural network. In essence, finding adversarial samples means finding the vulnerabilities of the neural network.
Recently, a research team from Dongfang University of Technology proposed the generalized manifold adversarial attack (GMAA) paradigm, which promotes the traditional "point" attack mode to a "surface" attack mode. This greatly improves the generalization ability of the adversarial attack model and opens up a new line of work on adversarial attacks.
This research improves on previous work in two respects: the target domain and the adversarial domain. In the target domain, the study finds more powerful, highly generalizable adversarial examples by attacking the set of states of the target identity. In the adversarial domain, previous work looked for discrete adversarial samples, that is, for several "loopholes" (points) in the system, while this research looks for continuous adversarial manifolds, that is, for a whole fragile "area" (surface) of the neural network. In addition, the study introduces domain knowledge from expression editing and proposes a new paradigm instantiated on the expression state space. By continuously sampling the generated adversarial manifold, one obtains highly generalizable adversarial samples with continuously changing expressions. Compared with methods such as makeup, lighting, and added perturbations, the expression state space is more universal and natural, and is not affected by gender or lighting. The research paper has been accepted for CVPR 2023.
Method introduction
In the target domain, previous work designed adversarial samples against one specific photo of target identity A. However, as shown in Figure 2, when an adversarial sample generated this way is used against another photo of A, the attack effect drops significantly. Against such attacks, regularly changing the photos in the facial recognition database is naturally an effective defense measure. GMAA, by contrast, does not train only on a single sample of the target identity; it looks for adversarial samples that can attack the set of target identity states. Such highly generalizable adversarial samples perform better against an updated face recognition library. These more powerful adversarial examples also correspond to weaker areas of the neural network and are worth exploring in depth.
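The single-photo behaviour described above can be checked on the verification side. The following is an added example, not code from the paper or its authors: the 4-dimensional embeddings, the 0.75 threshold and all function names are constructed for illustration. It compares a "best match" policy with a consensus policy over several enrolled states of identity A, and shows the effect of refreshing the gallery. A sample built against the whole state set, as GMAA is described as doing, is exactly the case this simple check does not cover.

```python
import math
from statistics import median

def cosine(a, b):
    """Cosine similarity between two embedding vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def gallery_scores(probe, gallery):
    """Similarity of one probe to every enrolled template of an identity."""
    return [cosine(probe, template) for template in gallery.values()]

def verify(probe, gallery, threshold=0.75, policy="median"):
    """policy='max' accepts on the best single match; 'median' needs agreement."""
    scores = gallery_scores(probe, gallery)
    aggregate = max(scores) if policy == "max" else median(scores)
    return aggregate >= threshold

def score_spread(probe, gallery):
    """Large spread means the probe matches one template far better than the rest."""
    scores = gallery_scores(probe, gallery)
    return max(scores) - min(scores)

# Constructed embeddings (assumption): three expression states of identity A.
GALLERY_A = {
    "neutral":  [1.0, 0.0, 0.0, 0.0],
    "smile":    [0.9, 0.4, 0.0, 0.0],
    "surprise": [0.9, 0.0, 0.4, 0.0],
}
# The same identity after the neutral photo has been replaced by a newer one.
REFRESHED_A = {
    "smile":    [0.9, 0.4, 0.0, 0.0],
    "surprise": [0.9, 0.0, 0.4, 0.0],
    "new":      [0.9, 0.3, 0.3, 0.0],
}
GENUINE = [0.95, 0.2, 0.2, 0.0]            # constructed: a real new photo of A
SINGLE_PHOTO_FIT = [0.8, -0.3, -0.3, 0.4]  # constructed: close to "neutral" only

def summary():
    """Decision of each policy for both probes, plus the per-probe score spread."""
    out = {}
    for name, probe in (("genuine", GENUINE), ("single_photo_fit", SINGLE_PHOTO_FIT)):
        out[name] = {
            "max_policy": verify(probe, GALLERY_A, policy="max"),
            "median_policy": verify(probe, GALLERY_A, policy="median"),
            "after_refresh": verify(probe, REFRESHED_A, policy="max"),
            "spread": round(score_spread(probe, GALLERY_A), 3),
        }
    return out

if __name__ == "__main__":
    for name, row in summary().items():
        print(name, row)
```

The spread value is useful as a logged signal: a probe that scores high against one enrolled photo and much lower against the others is consistent with a sample fitted to that single photo.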
In previous research on the adversarial domain, people usually looked for one or several discrete adversarial samples, which is equivalent to finding one or several "points" in high-dimensional space where the neural network is vulnerable. This study, however, argues that a neural network may be vulnerable across an entire "surface", and that all adversarial examples on this "surface" should therefore be found. The goal of this research is thus to find adversarial manifolds in high-dimensional space. To sum up, GMAA is a new attack paradigm that uses adversarial manifolds to attack the state set of the target identity.
Please refer to Figure 1, which shows the core idea of the article.
From "Anatomy of Facial Expressions"
For the target domain, this research aims to attack target sets containing multiple expression states, to achieve better attack performance on unknown target photos. For the adversarial domain, it aims to establish an adversarial manifold in one-to-one correspondence with the AU space, so that adversarial samples can be sampled on the manifold by changing the AU value. By continuously changing the AU value, adversarial samples with continuously changing expressions can be generated. It is worth noting that this study uses the expression state space to instantiate the GMAA attack paradigm. This is because expression is the most common state in human facial activity, and the expression state space is relatively stable and is not affected by race or gender (light can change skin color, and makeup can affect gender). In fact, as long as other suitable state spaces can be found, this attack paradigm can be generalized and applied to other adversarial attack tasks in nature.
Model results
The visual results of this study are shown in the animation below. Each frame of the animation is an adversarial sample obtained by sampling on the adversarial manifold. Continuous sampling yields a series of adversarial examples with continuously changing expressions (left). The red value in the animation represents the similarity between the adversarial sample of the current frame and the target sample (right) under the Face face recognition system.




Principle and method
The core of the model consists of a WGAN-GP-based generation module, an expression supervision module, a transferability enhancement module and a generalized attack module. The generalized attack module aggregates the attack over the target states, and the transferability enhancement module is based on previous research work; for a fair comparison, this module was added to all benchmark models. The expression supervision module consists of four trained expression editors and achieves expression conversion of the adversarial samples through global structure supervision and local detail supervision. The paper also covers continuous adversarial manifolds and semantic continuous adversarial manifolds, and proves in detail that the generated adversarial manifold and the AU vector space are homeomorphic.
To sum up, this research proposes a new attack paradigm called GMAA and at the same time expands both the target domain and the adversarial domain, improving the performance of the attack. For the target domain, GMAA improves generalization to the target identity by attacking a collection of states instead of a single image. Furthermore, GMAA extends the adversarial domain from discrete points to semantically continuous adversarial manifolds ("point-to-surface"). The study instantiates the GMAA attack paradigm by introducing domain knowledge of expression editing. Extensive comparative experiments show that GMAA has better attack performance and more natural visual quality than other competing models.
