The Madry Lab recently hosted a competition designed to test the robustness of their adversarially trained MNIST model. Attacks were constrained to perturb each pixel of the input image by a scaled maximal $L_\infty$ distortion $\epsilon$ = 0.3. This decision discourages the use of attacks which are not optimized on the $L_\infty$ distortion metric. Our experimental results demonstrate that by relaxing the $L_\infty$ constraint of the competition, the \textbf{e}lastic-net \textbf{a}ttack to \textbf{d}eep neural networks (EAD) can generate transferable adversarial examples which, despite their high average $L_\infty$ distortion, have minimal visual distortion. These results call into question the use of $L_\infty$ as a sole measure for visual distortion, and further demonstrate the power of EAD at generating robust adversarial examples.

Attacking the Madry Defense Model with $L_1$-based Adversarial Examples

"Too Long; Didn't Read": a short sentence describing your paper

Comma separated list of author email addresses, lowercased, in the same order as above. For authors with existing OpenReview accounts, please make sure that the provided email address(es) match those listed in the author's profile. Please provide real emails; identities will be anonymized.

Comma separated list of author names. Please provide real names; identities will be anonymized.

The users who will be allowed to read the above content.

Your authorized identity to be associated with the above content.

Attacking the Madry Defense Model with $L_1$-based Adversarial Examples

Yash Sharma, Pin-Yu Chen