papers in adversarial machine learning

Wear your sunglasses at night : fooling identity recognition with physical accessories

Posted by Dillon Niederhut on

Using photographs of faces is becoming more and more common in automated identification systems, either for authentication or for surveillance. When these systems are based on machine learning models for face recognition, they are vulnerable to data poisoning attacks. By injecting as little as 50 watermarked images into the training set, you can force a model to misidentify you by putting on a physical accessory, like a pair of sunglasses.

Read more →


A faster way to generate backdoor attacks

Posted by Dillon Niederhut on

Data poisoning attacks are very effective because they attack a model when it is most vulnerable, but poisoned images are expensive to compute. Here, we discuss two cheaper heuristics we can use -- feature alignment and watermarking -- how they work, and how effective they are at attacking computer vision systems.

Read more →


Poisoning deep learning algorithms

Posted by Dillon Niederhut on

With more and more deep learning models being trained from public data, there is a risk of poisoned data being fed to these models during training. Here, we talk about one approach to constructing poisoned training data to attack deep learning models.

Read more →


Evading detection with a wearable adversarial t-shirt

Posted by Dillon Niederhut on

What if we could print an adversarial attack that evades detection by computer algorithms on the clothes you wear every day? This turns out to be a hard problem, because of the way fabric folds and shifts. Luckily, you can modify an attack training algorithm to incorporate that very behavior -- giving you your own adversarial t-shirt.

Read more →


Evading CCTV cameras with adversarial patches

Posted by Dillon Niederhut on

Adversarial patches showed a lot promise in 2017 for confusing object detection algorithms -- by making bananas look like a toaster. But what if you want the bananas to disappear? This blog post summarizes a 2019 paper showing how an adversarial patch can conduct an evasion attack, to avoid detection at all.

Read more →