Adversarial Attacks and Data Augmentation

Nikita, published in Analytics Vidhya
2 min read · Jan 14, 2020

A few weeks ago I was introduced to adversarial attacks, and I struggled to find a clear difference between adversarial attacks and data augmentation.

My confusion stemmed from these two reasons:

  1. Both of them are transformations applied to the input data.
  2. In both cases the stated purpose is to make a neural network robust.

Consider adding Gaussian noise in both cases. My supervisor gave a very nice explanation:

When we add a Gaussian to an image for data augmentation, it can be any Gaussian; it is simply noise added to the image. But when we add a Gaussian to an image as an adversarial attack, it is "the" particular Gaussian that has been tailored so that the neural network might fail.

Don’t worry if that is not yet clear; let us take the two one by one.

Data augmentation is also a data transformation, but it is applied during training to obtain more data: label-preserving changes such as flips, crops, rotations or random noise are applied to the existing examples so that the model sees more variation and learns to be robust to it. Which transformation is applied does not matter much, as long as the label stays correct.

Figure: an adversarial input, overlaid on a typical image, can cause a classifier to miscategorize a panda as a gibbon. Pic credits: OpenAI Research (reference 1).

Adversarial examples are inputs (for example images) to which a worst-case perturbation has been added. The perturbation is small, often imperceptible to a human, but it is not random: it is chosen specifically for the target model, typically by following the gradient of the model's loss with respect to the input, so that the perturbed input makes the trained model output an incorrect answer with high confidence. This shows how a malicious adversary who controls the input can compromise the integrity of a machine learning system's predictions.

In short, data augmentation is applied while training, using generic transformations, to make the model generalize better and be robust to natural variation. Adversarial attacks, by contrast, are carefully tailored perturbations applied to inputs that are then sent through the trained model to test its robustness and security. (Adversarial examples can also be fed back into training, which is called adversarial training, but that is a defense built on top of the attack rather than ordinary augmentation.)
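To make the contrast between "any Gaussian" (augmentation) and "the particular perturbation" (attack) concrete, here is an added example; it is not code from the original post. It builds a toy logistic-regression classifier for a flattened 8×8 grayscale "image" and applies two perturbations with the same per-pixel budget: clipped Gaussian noise, and the fast gradient sign method (FGSM, the attack the cited OpenAI post describes). The model weights `W`, bias `B`, the input `X_CLEAN`, the label `Y_TRUE` and the budget `EPS` are constructed here for illustration and are not from the article.

```python
"""Random noise versus a tailored perturbation at the same L-inf budget.

Toy logistic-regression classifier on a flattened 8x8 "image".
Pure Python, no third-party dependencies. All model and input values are
constructed for this example; they are not from the article.
"""
import math
import random

# --- Constructed toy model and input (assumptions for illustration) ---
N_PIXELS = 64                                    # 8x8 grayscale image, flattened
# Weights alternate +1/-1: random noise mostly cancels out in the dot
# product, but a perturbation that moves every pixel in the direction
# that hurts the model adds up across all 64 pixels.
W = [1.0 if i % 2 == 0 else -1.0 for i in range(N_PIXELS)]
B = 0.0
# Clean input is slightly brighter where the weight is positive, so the
# model predicts class 1 with confidence (logit = 32*0.55 - 32*0.45 = 3.2).
X_CLEAN = [0.55 if i % 2 == 0 else 0.45 for i in range(N_PIXELS)]
Y_TRUE = 1
EPS = 0.1                                        # max change per pixel (L-inf)


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict(x, w=W, b=B):
    """Return (P(class 1), predicted label) for input x."""
    p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)
    return p, int(p >= 0.5)


def loss_gradient(x, y, w=W, b=B):
    """Gradient of binary cross-entropy w.r.t. the input: (sigmoid(z) - y) * w."""
    p, _ = predict(x, w, b)
    return [(p - y) * wi for wi in w]


def clip01(v):
    """Keep pixel values in the valid [0, 1] range."""
    return [min(1.0, max(0.0, vi)) for vi in v]


def linf_distance(a, b):
    return max(abs(ai - bi) for ai, bi in zip(a, b))


def augment_gaussian(x, eps, rng):
    """Augmentation: 'any' Gaussian noise, clipped to the same +/-eps budget."""
    noise = [max(-eps, min(eps, rng.gauss(0.0, eps))) for _ in x]
    return clip01([xi + ni for xi, ni in zip(x, noise)])


def fgsm(x, y, eps, w=W, b=B):
    """Attack: 'the' particular perturbation, x + eps * sign(dLoss/dx)."""
    g = loss_gradient(x, y, w, b)
    step = [eps * (1.0 if gi > 0 else -1.0 if gi < 0 else 0.0) for gi in g]
    return clip01([xi + si for xi, si in zip(x, step)])


def count_random_flips(trials, seed=0):
    """How many random-noise draws change the clean prediction."""
    rng = random.Random(seed)
    clean_label = predict(X_CLEAN)[1]
    return sum(predict(augment_gaussian(X_CLEAN, EPS, rng))[1] != clean_label
               for _ in range(trials))


def compare(seed=0):
    """Clean vs. augmented vs. adversarial prediction at equal budget."""
    rng = random.Random(seed)
    x_aug = augment_gaussian(X_CLEAN, EPS, rng)
    x_adv = fgsm(X_CLEAN, Y_TRUE, EPS)
    return {
        "clean": predict(X_CLEAN),            # (0.96, 1)
        "augmented": predict(x_aug),          # still class 1
        "adversarial": predict(x_adv),        # (0.04, 0): confidently wrong
        "aug_linf": linf_distance(X_CLEAN, x_aug),
        "adv_linf": linf_distance(X_CLEAN, x_adv),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
    print("random flips in 200 draws:", count_random_flips(200))
```

Both perturbations move no pixel by more than `EPS`, yet the Gaussian noise leaves the prediction alone (the positive and negative weights cancel its effect) while the FGSM perturbation pushes every pixel against the model and drives the logit from 3.2 to −3.2: the same budget, but "the" direction instead of "any" direction. On a real network the gradient comes from backpropagation rather than a closed form, but the construction is the same.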

References

  1. https://openai.com/blog/adversarial-example-research/
  2. https://en.wikipedia.org/wiki/Data_preparation
  3. https://en.wikipedia.org/wiki/Adversarial_machine_learning
