This year in Adversarial Machine Learning

Prabhant Singh
Published in BuzzRobot, Dec 23, 2017

I started with adversarial machine learning this year after reading “Explaining and Harnessing Adversarial Examples” in January. Looking back at the field after a year, it is hard to keep up with the recent papers. In this blog post, I’m trying to compile a list of a few of my favourite papers and of papers on my to-read wishlist.

  1. The Space of Transferable Adversarial Examples: one of my favourite papers about the transferability of adversarial examples.
  2. Measuring Robustness of Classifiers to Geometric Transformations: master’s thesis by Can Kanbak. This thesis was a good summary for understanding geometric attacks on ML systems.
  3. Analysis of Universal Adversarial Perturbations: continuation of the authors’ previous paper on universal adversarial perturbations.
  4. Robust Adversarial Reinforcement Learning: introduces robust adversarial reinforcement learning (RARL).
  5. Adversarial Attacks on Neural Network Policies.
  6. Adversarial Machine Learning at Scale: adversarial training at scale.
  7. Adversarial Examples Are Not Easily Detected: Bypassing Ten Detection Methods: one of the best papers I read this year.
  8. Adversarial Example Defenses: Ensembles of Weak Defenses are not Strong: ensembles were claimed to be robust to adversarial examples; this paper refutes that claim (read the previous paper on ensembles before reading this one).
  9. Ground-Truth Adversarial Examples: this paper is still on my to-read list, though the abstract sounds awesome.
  10. MagNet and “Efficient Defenses Against Adversarial Attacks” are Not Robust to Adversarial Examples: fools MagNet, which was claimed to be robust to adversarial examples; this paper also shows which metrics we should keep in mind when checking the robustness of classifiers.
  11. Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning: pretty nice paper, a must-read.
  12. http://evademl.org: this project was started last year, but I loved the idea of creating adversarial examples with genetic programming, and most of the papers were published this year, so read it if you’re interested in the combination of the two.
  13. ICCV tutorial on adversarial pattern recognition: a pretty long tutorial on AdvML, a must-watch.
  14. Decision-Based Adversarial Attacks: Reliable Attacks Against Black-Box Machine Learning Models: by BethgeLab.
  15. Foolbox.
  16. Robust Linear Regression Against Training Data Poisoning: awarded best paper at AISec 2017.
  17. CleverHans v2.0 was released with a number of attacks such as DeepFool, Carlini-Wagner L2, the basic iterative method, and EAD.
  18. Synthesizing Robust Adversarial Examples: one of the most important highlights of this year in adversarial ML. The authors were able to produce robust adversarial examples and 3D adversarial examples with a new algorithm called EOT. I implemented this paper for the ICLR reproducibility challenge.
  19. Query-Efficient Black-box Adversarial Examples: a recent paper published just 4 days ago, by the same team (labsix). They combined natural evolution strategies with EOT to generate adversarial examples and were able to fool even the Google Cloud Vision API. I’m still reading this paper and trying to understand natural evolution strategies.
  20. Houdini: Fooling Deep Structured Visual and Speech Recognition Models with Adversarial Examples: paper by FAIR, published at NIPS.
  21. Blocking Transferability of Adversarial Examples in Black-Box Learning Systems: paper by the UoW lab on blocking transferability by NULL labelling.
  22. Attacking Automatic Video Analysis Algorithms: I think it’s the first paper about attacking video classification models. This paper fools the Google Cloud Vision API, so it’s definitely a must-read.
  23. Privacy and Security in ML workshop at ICML 2017.
  24. Machine Deception workshop at NIPS.
  25. Machine Learning and Computer Security workshop at NIPS.

So this was my list of some highlights of adversarial machine learning this year (I’m sorry if your favourite paper isn’t here). This is basically my to-read list for next year; hopefully it might help you too. Feel free to comment with more papers, videos or your own blog posts.

Prabhant Singh, BuzzRobot: research engineer @openml, AutoML, continual ML, data science for social good, PyData ❤