Key points are not available for this paper at this time.
Powerful adversarial attack methods are vital for understanding how to robust deep neural networks (DNNs) and for thoroughly testing defense. In this paper, we propose a black-box adversarial attack algorithm can defeat both vanilla DNNs and those generated by various defense developed recently. Instead of searching for an "optimal" example for a benign input to a targeted DNN, our algorithm finds a density distribution over a small region centered around the input, that a sample drawn from this distribution is likely an adversarial, without the need of accessing the DNN's internal layers or weights. approach is universal as it can successfully attack different neural by a single algorithm. It is also strong; according to the testing 2 vanilla DNNs and 13 defended ones, it outperforms state-of-the-art-box or white-box attack methods for most test cases. Additionally, our reveal that adversarial training remains one of the best defense, and the adversarial examples are not as transferable across DNNs as them across vanilla DNNs.
Li et al. (Wed,) studied this question.