
arxiv: 1906.09288 · v1 · pith:5EQBEDMLnew · submitted 2019-06-21 · 💻 cs.CV

Hiding Faces in Plain Sight: Disrupting AI Face Synthesis with Adversarial Perturbations

Pith reviewed 2026-05-25 18:46 UTC · model grok-4.3

classification 💻 cs.CV
keywords: adversarial perturbations, face detection, deepfake defense, AI face synthesis, DNN attacks, data poisoning, white-box black-box attacks

The pith

Imperceptible adversarial perturbations can sabotage AI face synthesis by disrupting the face detectors used to collect training data.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper develops a defense that adds small, human-invisible changes to real face images so that DNN-based face detectors extract low-quality faces unsuitable for training AI synthesis models. This sabotage works in white-box settings where the detector is fully known, gray-box with partial knowledge, and black-box with no access to the model internals. The approach targets the data collection step upstream of fake video generation to limit the creation of realistic fakes from real individuals' photos. Empirical tests on multiple datasets show reduced detection performance across state-of-the-art detectors.

Core claim

Specially designed adversarial perturbations added to face images reduce the quality and usability of detected faces for downstream DNN training, thereby disrupting state-of-the-art DNN based face detectors under white-box, gray-box and black-box attack settings on several datasets.

What carries the argument

Adversarial perturbations designed to fool DNN face detectors while remaining imperceptible to humans, applied to real images to degrade extracted faces for synthesis training.

If this is right

  • Detected faces from perturbed images become poor training data, lowering the realism of AI-generated fakes.
  • The defense applies without needing knowledge of the specific synthesis model, only the upstream detector.
  • Protection can be applied directly to personal images before they enter public datasets.
  • Effectiveness holds when attackers have full, partial, or no knowledge of the detector model.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The method could generalize to disrupting other AI tasks that rely on detected faces, such as recognition or attribute prediction.
  • Repeated application might create an ongoing arms race where detectors are retrained to ignore common perturbations.
  • Combining this with watermarking or other data-marking techniques could strengthen protection against data scraping.

Load-bearing premise

The perturbations stay invisible to humans yet make detected faces substantially less useful for training AI face synthesis models across the different attack settings.

What would settle it

Train face synthesis models on faces extracted from perturbed versus clean images and measure whether the synthesis output quality or downstream detector success rate drops measurably.

Figures

Figures reproduced from arXiv: 1906.09288 by Baoyuan Wu, Siwei Lyu, Xin Yang, Yuezun Li.

Figure 1: Overview of disrupting AI face synthesis. Our aim here is to use adversarial perturbations (amplified by 30 for better visualization) to distract DNN based face detectors, such that the quality of the obtained face set as training data to the AI face synthesis is reduced.
… of high resolution faces, with diverse orientations, expressions and lighting conditions. As such, a method that can sabotage automatic f…
Figure 2: Examples from datasets used in this work.
Because of this, we define a new metric, data utility quality (DUQ), to evaluate the utility of the obtained face set when used as training data for AI based face synthesis algorithms. We sum up the number of true, false detections and ground truth over all images as (# True detections), (# False detections) and (# Ground truth faces) respectively. Specifically, D…
Figure 3: Visual examples of our method attacking Fv16, Fr101, Pr50 and Sv16 respectively. The top row corresponds to detection results on original images. The middle row corresponds to the detection results on images after adversarial perturbations are added to the original image. The bottom row shows the actual noise added, which is amplified by 30 for better visualization.
TABLE I PERFORMANCE OF ADVERSARIAL PERTUR…
Figure 5: Illustration of feature map difference between (a) Fv16 and (b) Fv16∗ for the same input image. We select two channels (top and bottom row) from the output of base network for comparison.
TABLE III PERFORMANCE OF GRAY-BOX ATTACK FOR TWO REFINED DNN BASED FACE DETECTORS. FV16∗ AND FR101∗ DENOTE FASTER-RCNN BASED FACE DETECTOR WITH BASE NETWORK VGG16 [43] AND RESNET101 [44], WHICH ARE TRAINED ON THE UNION OF…
Figure 4: Visual comparison of the perturbed images between NNCO [65] and our method. We can see that the perturbed images generated by [65] have clear artifacts in the skin of faces, while the perturbations generated by our method are hard to perceive.
… their performance under the white-box setting. When applied to unknown DNN based face detectors, both methods tend to be effective in reducing DUQ of the resulti…
Figure 6: Visual examples of black-box attack on Fr50, SSHv16 and SSHr50 face detectors respectively. The top row corresponds to detection results on original images. The middle row corresponds to the detection results on images after adversarial perturbations are added to the original image. The bottom row shows the actual noise added, which is amplified by 30 for better visualization.
… of additive noise is shown in …
Figure 7: The effect of JPEG compression, additive noise and blurring on DUQ performance of each face detector. See text for more details.
… the forgery makers. In particular, operations that can destroy or reduce the adversarial perturbation are expected to be developed. It is thus our continuing effort to improve the robustness of the adversarial perturbation generation method. Another important direction to further…

Recent years have seen fast development in synthesizing realistic human faces using AI technologies. Such fake faces can be weaponized to cause negative personal and social impact. In this work, we develop technologies to defend individuals from becoming victims of recent AI synthesized fake videos by sabotaging would-be training data. This is achieved by disrupting deep neural network (DNN) based face detection method with specially designed imperceptible adversarial perturbations to reduce the quality of the detected faces. We describe attacking schemes under white-box, gray-box and black-box settings, each with decreasing information about the DNN based face detectors. We empirically show the effectiveness of our methods in disrupting state-of-the-art DNN based face detectors on several datasets.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper proposes adversarial perturbations to disrupt DNN-based face detectors in white-box, gray-box, and black-box attack settings. The goal is to sabotage training data for AI face synthesis by reducing the quality and usability of detected faces, while keeping perturbations imperceptible to humans. It claims empirical effectiveness on several datasets including WIDER FACE.

Significance. If the perturbations demonstrably impair downstream synthesis model training (e.g., via degraded GAN/VAE outputs), the approach could provide a proactive privacy defense against deepfakes. The work builds on standard adversarial attack methods but currently evaluates only detector metrics, so the significance for the stated synthesis-disruption goal remains unestablished.

major comments (2)
  1. [Experiments section (and abstract)] The central claim is that perturbations reduce the quality/usability of detected faces for downstream DNN training in synthesis models, yet no experiments train a synthesis model on perturbed vs. clean faces or report any synthesis-specific metrics (FID, perceptual quality, or visual inspection of generated faces). Only detector performance (detection rate, mAP) is evaluated.
  2. [§4 and abstract] The weakest assumption—that the effect holds across white/gray/black-box settings for synthesis usability—is untested; the manuscript provides no quantitative results, error bars, or ablation on perturbation visibility/human studies to support the imperceptibility claim while achieving substantial downstream impact.
minor comments (1)
  1. [Method description] Clarify the exact perturbation generation procedure and hyperparameter choices for each attack setting to allow reproducibility.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their insightful comments. We address each major comment below and clarify the scope of our work.

  1. Referee: [Experiments section (and abstract)] The central claim is that perturbations reduce the quality/usability of detected faces for downstream DNN training in synthesis models, yet no experiments train a synthesis model on perturbed vs. clean faces or report any synthesis-specific metrics (FID, perceptual quality, or visual inspection of generated faces). Only detector performance (detection rate, mAP) is evaluated.

    Authors: We agree that the manuscript would be strengthened by experiments evaluating the impact on downstream synthesis models. However, the core contribution of this work is the development of adversarial perturbations to disrupt face detectors under various attack settings, which serves as a proxy for sabotaging training data. If face detectors fail to detect or produce poor quality detections due to our perturbations, the faces cannot be effectively used for training synthesis models. We will revise the abstract and introduction to more precisely state that our evaluation is on detector performance, with the synthesis disruption as the motivating application. We do not plan to add synthesis model training experiments in this revision. revision: partial

  2. Referee: [§4 and abstract] The weakest assumption—that the effect holds across white/gray/black-box settings for synthesis usability—is untested; the manuscript provides no quantitative results, error bars, or ablation on perturbation visibility/human studies to support the imperceptibility claim while achieving substantial downstream impact.

    Authors: Our experiments in Section 4 do show effectiveness across white-box, gray-box, and black-box settings in terms of reducing detection rates and mAP on multiple datasets. For imperceptibility, the perturbations are constrained to small norms as is standard in the field, but we acknowledge the lack of human studies or quantitative visibility metrics. We will add error bars to the experimental results and include a short discussion on the imperceptibility in the revised manuscript. Regarding synthesis usability, as noted above, this is not directly tested. revision: yes

Circularity Check

0 steps flagged

No circularity in empirical adversarial attack evaluation


The paper proposes and evaluates an empirical adversarial perturbation method to disrupt face detectors under white/gray/black-box settings, with results reported via standard metrics (detection rate, mAP) on datasets such as WIDER FACE. No mathematical derivations, fitted parameters renamed as predictions, or load-bearing self-citations appear in the claimed chain; the work follows conventional adversarial attack formulations and direct empirical testing without any step reducing to its own inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review provides no equations, datasets, or implementation details; therefore no free parameters, axioms, or invented entities can be identified.

pith-pipeline@v0.9.0 · 5653 in / 980 out tokens · 19660 ms · 2026-05-25T18:46:09.221799+00:00 · methodology


Reference graph

Works this paper leans on

70 extracted references · 70 canonical work pages · 16 internal anchors

  1. [1]

    A Style-Based Generator Architecture for Generative Adversarial Networks

    T. Karras, S. Laine, and T. Aila, “A style-based generator architecture for generative adversarial networks,” arXiv preprint arXiv:1812.04948, 2018

  2. [2]

    Progressive growing of gans for improved quality, stability, and variation,

    T. Karras, T. Aila, S. Laine, and J. Lehtinen, “Progressive growing of gans for improved quality, stability, and variation,” 2018

  3. [3]

    Face2face: Real-time face capture and reenactment of rgb videos,

    J. Thies, M. Zollhofer, M. Stamminger, C. Theobalt, and M. Niessner, “Face2face: Real-time face capture and reenactment of rgb videos,” in CVPR, June 2016

  4. [4]

    Synthesizing obama: learning lip sync from audio,

    S. Suwajanakorn, S. M. Seitz, and I. Kemelmacher-Shlizerman, “Synthesizing obama: learning lip sync from audio,” ACM Transactions on Graphics (TOG), 2017

  5. [5]

    Deep video portraits,

    H. Kim, P. Carrido, A. Tewari, W. Xu, J. Thies, M. Niessner, P. Pérez, C. Richardt, M. Zollhöfer, and C. Theobalt, “Deep video portraits,” ACM Transactions on Graphics (TOG), 2018

  6. [6]

    Everybody dance now,

    C. Chan, S. Ginosar, T. Zhou, and A. A. Efros, “Everybody dance now,” arXiv preprint arXiv:1808.07371, 2018

  7. [7]

    Mesonet: a compact facial video forgery detection network,

    D. Afchar, V. Nozick, J. Yamagishi, and I. Echizen, “Mesonet: a compact facial video forgery detection network,” in IEEE International Workshop on Information Forensics and Security (WIFS), 2018

  8. [8]

    In ictu oculi: Exposing ai generated fake face videos by detecting eye blinking,

    Y. Li, M.-C. Chang, and S. Lyu, “In ictu oculi: Exposing ai generated fake face videos by detecting eye blinking,” in IEEE International Workshop on Information Forensics and Security (WIFS), 2018

  9. [9]

    Exposing deep fakes using inconsistent head poses,

    X. Yang, Y. Li, and S. Lyu, “Exposing deep fakes using inconsistent head poses,” in ICASSP, 2019

  10. [10]

    Deepfake video detection using recurrent neural networks,

    D. Güera and E. J. Delp, “Deepfake video detection using recurrent neural networks,” in AVSS, 2018

  11. [11]

    Exposing deepfake videos by detecting face warping artifacts,

    Y. Li and S. Lyu, “Exposing deepfake videos by detecting face warping artifacts,” in IEEE Conference on Computer Vision and Pattern Recognition Workshops (CVPRW), 2019

  12. [12]

    Exploiting visual artifacts to expose deepfakes and face manipulations,

    F. Matern, C. Riess, and M. Stamminger, “Exploiting visual artifacts to expose deepfakes and face manipulations,” in 2019 IEEE Winter Applications of Computer Vision Workshops (WACVW), 2019

  13. [13]

    Face R-CNN

    H. Wang, Z. Li, X. Ji, and Y. Wang, “Face r-cnn,” arXiv preprint arXiv:1706.01061, 2017

  14. [14]

    Face detection with the faster r-cnn,

    H. Jiang and E. Learned-Miller, “Face detection with the faster r-cnn,” in 2017 12th IEEE International Conference on Automatic Face & Gesture Recognition (FG 2017). IEEE, 2017, pp. 650–657

  15. [15]

    Face detection using deep learning: An improved faster rcnn approach,

    X. Sun, P. Wu, and S. C. Hoi, “Face detection using deep learning: An improved faster rcnn approach,” Neurocomputing, 2018

  16. [16]

    Face Detection through Scale-Friendly Deep Convolutional Networks

    S. Yang, Y. Xiong, C. C. Loy, and X. Tang, “Face detection through scale-friendly deep convolutional networks,” arXiv preprint arXiv:1706.02863, 2017

  17. [17]

    Ssh: Single stage headless face detector,

    M. Najibi, P. Samangouei, R. Chellappa, and L. S. Davis, “Ssh: Single stage headless face detector,” in ICCV, 2017

  18. [18]

    S3fd: Single shot scale-invariant face detector,

    S. Zhang, X. Zhu, Z. Lei, H. Shi, X. Wang, and S. Z. Li, “S3fd: Single shot scale-invariant face detector,” in Proceedings of the IEEE International Conference on Computer Vision, 2017, pp. 192–201

  19. [19]

    Pyramidbox: A context-assisted single shot face detector,

    X. Tang, D. K. Du, Z. He, and J. Liu, “Pyramidbox: A context-assisted single shot face detector,” in ECCV, 2018

  20. [20]

    Wider face: A face detection benchmark,

    S. Yang, P. Luo, C. C. Loy, and X. Tang, “Wider face: A face detection benchmark,” in IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2016

  21. [21]

    300 faces in-the-wild challenge: The first facial landmark localization challenge,

    C. Sagonas, G. Tzimiropoulos, S. Zafeiriou, and M. Pantic, “300 faces in-the-wild challenge: The first facial landmark localization challenge,” in ICCV Workshops, 2013

  22. [22]

    UMDFaces: An Annotated Face Dataset for Training Deep Networks

    A. Bansal, A. Nanduri, C. D. Castillo, R. Ranjan, and R. Chellappa, “Umdfaces: An annotated face dataset for training deep networks,” arXiv preprint arXiv:1611.01484v2, 2016

  23. [23]

    Generative adversarial nets,

    I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio, “Generative adversarial nets,” in NIPS, 2014

  24. [24]

    FaceForensics: A Large-scale Video Dataset for Forgery Detection in Human Faces

    A. Rössler, D. Cozzolino, L. Verdoliva, C. Riess, J. Thies, and M. Nießner, “Faceforensics: A large-scale video dataset for forgery detection in human faces,” arXiv preprint arXiv:1803.09179, 2018

  25. [25]

    FaceForensics++: Learning to detect manipulated facial images,

    A. Rössler, D. Cozzolino, L. Verdoliva, C. Riess, J. Thies, and M. Nießner, “FaceForensics++: Learning to detect manipulated facial images,” arXiv, 2019

  26. [26]

    Rapid object detection using a boosted cascade of simple features,

    P. Viola and M. Jones, “Rapid object detection using a boosted cascade of simple features,” in null. IEEE, 2001, p. 511. IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 11

  27. [27]

    Multiresolution gray-scale and rotation invariant texture classification with local binary patterns,

    T. Ojala, M. Pietikäinen, and T. Mäenpää, “Multiresolution gray-scale and rotation invariant texture classification with local binary patterns,” IEEE Transactions on Pattern Analysis & Machine Intelligence, no. 7, pp. 971–987, 2002

  28. [28]

    Learning surf cascade for fast and accurate object detection,

    J. Li and Y. Zhang, “Learning surf cascade for fast and accurate object detection,” in Proceedings of the IEEE conference on computer vision and pattern recognition, 2013, pp. 3468–3475

  29. [29]

    Face detection using surf cascade,

    J. Li, T. Wang, and Y. Zhang, “Face detection using surf cascade,” in 2011 IEEE International Conference on Computer Vision Workshops (ICCV Workshops). IEEE, 2011, pp. 2183–2190

  30. [30]

    Face detection, pose estimation, and landmark localization in the wild,

    D. Ramanan and X. Zhu, “Face detection, pose estimation, and landmark localization in the wild,” in 2012 IEEE conference on computer vision and pattern recognition. IEEE, 2012, pp. 2879–2886

  31. [31]

    Histograms of oriented gradients for human detection,

    N. Dalal and B. Triggs, “Histograms of oriented gradients for human detection,” in international Conference on computer vision & Pattern Recognition (CVPR’05), vol. 1. IEEE Computer Society, 2005, pp. 886–893

  32. [32]

    Rich feature hierarchies for accurate object detection and semantic segmentation,

    R. Girshick, J. Donahue, T. Darrell, and J. Malik, “Rich feature hierarchies for accurate object detection and semantic segmentation,” in CVPR, 2014

  33. [33]

    Faster R-CNN: Towards real-time object detection with region proposal networks,

    S. Ren, K. He, R. Girshick, and J. Sun, “Faster R-CNN: Towards real-time object detection with region proposal networks,” TPAMI, 2017

  34. [34]

    Ssd: Single shot multibox detector,

    W. Liu, D. Anguelov, D. Erhan, C. Szegedy, S. Reed, C.-Y. Fu, and A. C. Berg, “Ssd: Single shot multibox detector,” in European conference on computer vision. Springer, 2016, pp. 21–37

  35. [35]

    A convolutional neural network cascade for face detection,

    H. Li, Z. Lin, X. Shen, J. Brandt, and G. Hua, “A convolutional neural network cascade for face detection,” in Proceedings of the IEEE conference on computer vision and pattern recognition, 2015

  36. [36]

    Multi-view face detection using deep convolutional neural networks,

    S. S. Farfade, M. J. Saberian, and L.-J. Li, “Multi-view face detection using deep convolutional neural networks,” in Proceedings of the 5th ACM on International Conference on Multimedia Retrieval, 2015

  37. [37]

    A deep pyramid deformable part model for face detection,

    R. Ranjan, V. M. Patel, and R. Chellappa, “A deep pyramid deformable part model for face detection,” in 2015 IEEE 7th International Conference on Biometrics Theory, Applications and Systems (BTAS), 2015

  38. [38]

    From facial parts responses to face detection: A deep learning approach,

    S. Yang, P. Luo, C.-C. Loy, and X. Tang, “From facial parts responses to face detection: A deep learning approach,” in Proceedings of the IEEE International Conference on Computer Vision, 2015

  39. [39]

    Convolutional channel features,

    B. Yang, J. Yan, Z. Lei, and S. Z. Li, “Convolutional channel features,” in Proceedings of the IEEE international conference on computer vision, 2015

  40. [40]

    Hyperface: A deep multi-task learning framework for face detection, landmark localization, pose estimation, and gender recognition,

    R. Ranjan, V. M. Patel, and R. Chellappa, “Hyperface: A deep multi-task learning framework for face detection, landmark localization, pose estimation, and gender recognition,” IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 41, no. 1, pp. 121–135, 2019

  41. [41]

    An all-in-one convolutional neural network for face analysis,

    R. Ranjan, S. Sankaranarayanan, C. D. Castillo, and R. Chellappa, “An all-in-one convolutional neural network for face analysis,” in 2017 12th IEEE International Conference on Automatic Face & Gesture Recognition (FG 2017). IEEE, 2017, pp. 17–24

  42. [42]

    Selective search for object recognition,

    J. R. Uijlings, K. E. Van De Sande, T. Gevers, and A. W. Smeulders, “Selective search for object recognition,” International journal of computer vision, vol. 104, no. 2, pp. 154–171, 2013

  43. [43]

    Very Deep Convolutional Networks for Large-Scale Image Recognition

    K. Simonyan and A. Zisserman, “Very deep convolutional networks for large-scale image recognition,” arXiv preprint arXiv:1409.1556, 2014

  44. [44]

    Deep residual learning for image recognition,

    K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning for image recognition,” in CVPR, 2016

  45. [45]

    Intriguing properties of neural networks

    C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus, “Intriguing properties of neural networks,” arXiv 1312.6199, 2013

  46. [46]

    Explaining and harnessing adversarial examples,

    I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” in ICLR, 2015

  47. [47]

    Adversarial examples in the physical world,

    A. Kurakin, I. Goodfellow, and S. Bengio, “Adversarial examples in the physical world,” in ICLR, 2017

  48. [48]

    The limitations of deep learning in adversarial settings,

    N. Papernot, P. McDaniel, S. Jha, M. Fredrikson, Z. B. Celik, and A. Swami, “The limitations of deep learning in adversarial settings,” in EuroS&P, 2016

  49. [49]

    Deepfool: a simple and accurate method to fool deep neural networks,

    S.-M. Moosavi-Dezfooli, A. Fawzi, and P. Frossard, “Deepfool: a simple and accurate method to fool deep neural networks,” in CVPR, 2016

  50. [50]

    Universal adversarial perturbations,

    S.-M. Moosavi-Dezfooli, A. Fawzi, O. Fawzi, and P. Frossard, “Universal adversarial perturbations,” in CVPR, 2017

  51. [51]

    Adversarial Attacks Beyond the Image Space

    X. Zeng, C. Liu, W. Qiu, L. Xie, Y.-W. Tai, C. K. Tang, and A. L. Yuille, “Adversarial attacks beyond the image space,” arXiv 1711.07183, 2017

  52. [52]

    Towards imperceptible and robust adversarial example attacks against neural networks,

    B. Luo, Y. Liu, L. Wei, and Q. Xu, “Towards imperceptible and robust adversarial example attacks against neural networks,” in AAAI, 2018

  53. [53]

    Learning to attack: Adversarial transformation networks,

    S. Baluja and I. Fischer, “Learning to attack: Adversarial transformation networks,” in AAAI, 2018

  54. [54]

    Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples

    N. Papernot, P. McDaniel, and I. Goodfellow, “Transferability in machine learning: from phenomena to black-box attacks using adversarial samples,” arXiv preprint arXiv:1605.07277, 2016

  55. [55]

    Practical black-box attacks against machine learning,

    N. Papernot, P. McDaniel, I. Goodfellow, S. Jha, Z. B. Celik, and A. Swami, “Practical black-box attacks against machine learning,” in Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. ACM, 2017, pp. 506–519

  56. [56]

    Delving into Transferable Adversarial Examples and Black-box Attacks

    Y. Liu, X. Chen, C. Liu, and D. Song, “Delving into transferable adversarial examples and black-box attacks,” arXiv preprint arXiv:1611.02770, 2016

  57. [57]

    Decision-Based Adversarial Attacks: Reliable Attacks Against Black-Box Machine Learning Models

    W. Brendel, J. Rauber, and M. Bethge, “Decision-based adversarial attacks: Reliable attacks against black-box machine learning models,” arXiv preprint arXiv:1712.04248, 2017

  58. [58]

    Black-box Adversarial Attacks with Limited Queries and Information

    A. Ilyas, L. Engstrom, A. Athalye, and J. Lin, “Black-box adversarial attacks with limited queries and information,” arXiv preprint arXiv:1804.08598, 2018

  59. [59]

    Query-Efficient Black-box Adversarial Examples (superceded)

    ——, “Query-efficient black-box adversarial examples,” arXiv preprint arXiv:1712.07113, 2017

  60. [60]

    Adversarial Examples that Fool Detectors

    J. Lu, H. Sibai, and E. Fabry, “Adversarial examples that fool detectors,” arXiv 1712.02494, 2017

  61. [61]

    Adversarial examples for semantic segmentation and object detection,

    C. Xie, J. Wang, Z. Zhang, Y. Zhou, L. Xie, and A. Yuille, “Adversarial examples for semantic segmentation and object detection,” in ICCV, 2017

  62. [62]

    Physical Adversarial Examples for Object Detectors

    K. Eykholt, I. Evtimov, E. Fernandes, B. Li, A. Rahmati, F. Tramer, A. Prakash, T. Kohno, and D. Song, “Physical adversarial examples for object detectors,” arXiv preprint arXiv:1807.07769, 2018

  63. [63]

    ShapeShifter: Robust Physical Adversarial Attack on Faster R-CNN Object Detector

    S.-T. Chen, C. Cornelius, J. Martin, and D. H. Chau, “Robust physical adversarial attack on faster r-cnn object detector,” arXiv preprint arXiv:1804.05810, 2018

  64. [64]

    Robust adversarial perturbation on deep proposal-based models,

    Y. Li, D. Tian, M. Chang, X. Bian, and S. Lyu, “Robust adversarial perturbation on deep proposal-based models,” in BMVC, 2018

  65. [65]

    Adversarial attacks on face detectors using neural net based constrained optimization,

    A. J. Bose and P. Aarabi, “Adversarial attacks on face detectors using neural net based constrained optimization,” in 2018 IEEE 20th International Workshop on Multimedia Signal Processing (MMSP). IEEE, 2018, pp. 1–6

  66. [66]

    Learning representations by back-propagating errors,

    D. E. Rumelhart, G. E. Hinton, R. J. Williams et al., “Learning representations by back-propagating errors,” Cognitive modeling, 1988

  67. [67]

    A faster pytorch implementation of faster r-cnn,

    J. Yang, J. Lu, D. Batra, and D. Parikh, “A faster pytorch implementation of faster r-cnn,” https://github.com/jwyang/faster-rcnn.pytorch, 2017

  68. [68]

    Image quality assessment: from error visibility to structural similarity,

    Z. Wang, A. C. Bovik, H. R. Sheikh, E. P. Simoncelli et al., “Image quality assessment: from error visibility to structural similarity,” IEEE transactions on image processing, vol. 13, no. 4, pp. 600–612, 2004

  69. [69]

    The pascal visual object classes challenge: A retrospective,

    M. Everingham, S. A. Eslami, L. Van Gool, C. K. Williams, J. Winn, and A. Zisserman, “The pascal visual object classes challenge: A retrospective,” International journal of computer vision, vol. 111, no. 1, pp. 98–136, 2015

  70. [70]

    Fddb: A benchmark for face detection in unconstrained settings,

    V. Jain and E. Learned-Miller, “Fddb: A benchmark for face detection in unconstrained settings,” University of Massachusetts, Amherst, Tech. Rep. UM-CS-2010-009, 2010