
In this section, we give a brief introduction to the key components of model attacks and defenses. We hope that our explanations can help our audience to understand the main components of the related works on adversarial attacks and their countermeasures. By answering the following questions, we define the main terminology:
1) Adversary's goal (Section 2.1.1)
What is the goal or purpose of the attacker? Does he want to misguide the classifier′s decision on one sample, or influence the overall performance of the classifier?
2) Adversary's knowledge (Section 2.1.2)
What information is available to the attacker? Does he know the classifier′s structure, its parameters or the training set used for classifier training?
3) Victim models (Section 2.1.3)
What kind of deep learning models do adversaries usually attack? Why are adversaries interested in attacking these models?
4) Security evaluation (Section 2.2)
How can we evaluate the safety of a victim model when faced with adversarial examples? What is the relationship and difference between these security metrics and other model goodness metrics, such as accuracy or risks?

1) Poisoning attack versus evasion attack
Poisoning attacks refer to the attacking algorithms that allow an attacker to insert/modify several fake samples into the training database of a DNN algorithm. These fake samples can cause failures of the trained classifier. They can result in the poor accuracy^{[19]}, or wrong prediction on some given test samples^{[10]}. This type of attacks frequently appears in the situation where the adversary has access to the training database. For example, webbased repositories and “honeypots” often collect malware examples for training, which provides an opportunity for adversaries to poison the data.
In evasion attacks, the classifiers are fixed and usually have good performance on benign testing samples. The adversaries do not have authority to change the classifier or its parameters, but they craft some fake samples that the classifier cannot recognize. In other words, the adversaries generate some fraudulent examples to evade detection by the classifier. For example, in autonomous driving vehicles, sticking a few pieces of tapes on the stop signs can confuse the vehicle′s road sign recognizer^{[20]}.
2） Targeted attack versus nontargeted attack
In targeted attack, when the victim sample
$ (x,y) $ is given, where$ x $ is feature vector and$ y\in {\cal Y} $ is the ground truth label of$ x $ , the adversary aims to induce the classifier to give a specific label$ t\in {\cal Y} $ to the perturbed sample$ x' $ . For example, a fraudster is likely to attack a financial company′s credit evaluation model to disguise himself as a highly credible client of this company.If there is no specified target label
$ t $ for the victim sample$ x $ , the attack is called nontargeted attack. The adversary only wants the classifier to predict incorrectly. 
1) Whitebox attack
In a whitebox setting, the adversary has access to all the information of the target neural network, including its architecture, parameters, gradients, etc. The adversary can make full use of the network information to carefully craft adversarial examples. Whitebox attacks have been extensively studied because the disclosure of model architecture and parameters helps people understand the weakness of DNN models clearly and it can be analyzed mathematically. As stated by Tramer et al.^{[21]}, security against whitebox attacks is the property that we desire machine learning (ML) models to have.
2) Blackbox attack
In a blackbox attack setting, the inner configuration of DNN models is unavailable to adversaries. Adversaries can only feed the input data and query the outputs of the models. They usually attack the models by keeping feeding samples to the box and observing the output to exploit the model′s inputoutput relationship, and identity its weakness. Compared to whitebox attacks, blackbox attacks are more practical in applications because model designers usually do not open source their model parameters for proprietary reasons.
3) Semiwhite (gray) box attack
In a semiwhite box or gray box attack setting, the attacker trains a generative model for producing adversarial examples in a whitebox setting. Once the generative model is trained, the attacker does not need victim model anymore, and can craft adversarial examples in a blackbox setting.

We briefly summarize the machine learning models which are susceptible to adversarial examples, and some popular deep learning architectures used in image, graph and text data domains. In our review, we mainly discuss studies of adversarial examples for deep neural networks.
1) Conventional machine learning models
For conventional machine learning tools, there is a long history of studying safety issues. Biggio et al.^{[22]} attack support vector machine (SVM) classifiers and fullyconnected shallow neural networks for the MNIST dataset. Barreno et al.^{[23]} examine the security of SpamBayes, a Bayesian method based spam detection software. In [24], the security of Naive Bayes classifiers is checked. Many of these ideas and strategies have been adopted in the study of adversarial attacks in deep neural networks.
2) Deep neural networks
Different from traditional machine learning techniques which require domain knowledge and manual feature engineering, DNNs are endtoend learning algorithms. The models use raw data directly as input to the model, and learn objects' underlying structures and attributes. The endtoend architecture of DNNs makes it easy for adversaries to exploit their weakness, and generate highquality deceptive inputs (adversarial examples). Moreover, because of the implicit nature of DNNs, some of their properties are still not well understood or interpretable. Therefore, studying the security issues of DNN models is necessary. Next, we will briefly introduce some popular victim deep learning models which are used as “benchmark” models in attack/defense studies.
a) Fullyconnected neural networks (FC)
Fullyconnected neural networks are composed of layers of artificial neurons. In each layer, the neurons take the input from previous layers, process it with the activation function and send it to the next layer; the input of first layer is sample
$ x $ , and the (softmax) output of last layer is the score$ F(x) $ . An$ m $ layer fully connected neural network can be formed as$z^{(0)} = x;\; \; \; \; z^{(l+1)} = \sigma(W^l z^{l}+b^l). $ One thing to note is that, the backpropagation algorithm helps calculate
$ \dfrac{{\partial F\left( {x;\theta } \right)}}{{\partial \theta }} $ , which makes gradient descent effective in learning parameters. In adversarial learning, backpropagation also facilitates the calculation of the term:$ \dfrac{{\partial F\left( {x;\theta } \right)}}{{\partial x}} $ , representing the output′s response to a change in input. This term is widely used in the studies to craft adversarial examples.b) Convolutional neural networks
In computer vision tasks, convolutional neural networks^{[1]} is one of the most widely used models. CNN models aggregate the local features from the image to learn the representations of image objects. CNN models can be viewed as a sparseversion of fully connected neural networks: Most of the weights between layers are zero. Its training algorithm or gradients calculation can also be inherited from fully connected neural networks.
c) Graph convolutional networks (GCN)
The work of graph convolutional networks introduced by Kipf and Welling^{[7]} became a popular node classification model for graph data. The idea of graph convolutional networks is similar to CNN: It aggregates the information from neighbor nodes to learn representations for each node
$ v $ , and outputs the score$ F(v,X) $ for prediction:$ H^{(0)} = X; \; \; \; \;\;H^{(l+1)} = \sigma(\hat{A} H^{(l)}W^l) $ where
$ X $ denotes the input graph′s feature matrix, and$ \hat{A} $ depends on graph degree matrix and adjacency matrix.d) Recurrent neural networks (RNN)
Recurrent neural networks are very useful for tackling sequential data. As a result, they are widely used in natural language processing. The RNN models, especially long short term memory based models (LSTM)^{[4]}, are able to store the previous time information in memory, and exploit useful information from previous sequence for nextstep prediction.

We also need to evaluate the model′s resistance to adversarial examples. “Robustness” and “adversarial risk” are two terms used to describe this resistance of DNN models to one single sample, and the total population, respectively.

Definition 1. Minimal perturbation: Given the classifier
$ F $ and data$ (x,y) $ , the adversarial perturbation has the least norm (the most unnoticeable perturbation):$ {\delta _{\min}} = \mathop {\arg \;\min}\limits_\delta \delta \ \ \ {\rm s. t.}\;\;F(x + \delta ) \ne y. $ Here,
$ \cdot $ usually refers to$ l_p $ norm.Definition 2. Robustness: The norm of minimal perturbation:
$ r(x,F) = \delta_{\min}. $ Definition 3. Global robustness: The expectation of robustness over the whole population
$ D $ :$ \rho(F) = \mathop{\mathbb{E}}\limits_{x\sim {\cal D}}\; r(x,F). $ The minimal perturbation can find the adversarial example which is most similar to
$ x $ under the model$ F $ . Therefore, the larger$ r(x,F) $ or$ \rho(F) $ is, the adversary needs to sacrifice more similarity to generate adversarial samples, implying that the classifier$ F $ is more robust or safe. 
Definition 4. Mostadversarial example: Given the classifier
$ F $ and data$ x $ , the sample$ x_{adv} $ with the largest loss value in$ x's $ $ \epsilon $ neighbor ball:$ {x_{adv}} = \mathop {\arg \;\max}\limits_{x'} {{\cal L}}(x',F)\;\;\;\;\; {\rm s.t.}\;\;\;x'  x \le \epsilon.$ Definition 5. Adversarial loss: The loss value for the mostadversarial example:
${\cal L}_{adv} (x) = {\cal L}(x_{adv}) = \max\limits_{x'x<\epsilon}\;{\cal L} (\theta,x',y) . $ Definition 6. Global adversarial loss: The expectation of the loss value on
$ x_{adv} $ over the data distribution$ {\cal D} $ :${\cal R}_{adv}(F) = \mathop{\mathbb{E}}\limits_{x\sim {\cal D}}\; \max\limits_{x'x<\epsilon}\; {\cal L} (\theta,x',y) .$ (1) The mostadversarial example is the point where the model is most likely to be fooled in the neighborhood of
$ x $ . A lower loss value${\cal L}_{adv} $ indicates a more robust model$ F $ . 
The definition of adversarial risk is drawn from the definition of classifier risk (empirical risk):
$ {\cal R}(F) = \mathop{\mathbb{E}}\limits_{x\sim {\cal D}}\; {\cal L} (\theta,x,y) . $ Risk studies a classifier′s performance on samples from natural distribution
$ {\cal D} $ . Whereas, adversarial risk from (1) studies a classifier′s performance on adversarial example$ x' $ . It is important to note that$ x' $ may not necessarily follow the distribution$ {\cal D} $ . Thus, the studies on adversarial examples are different from these on model generalization. Moreover, a number of studies reported the relation between these two properties^{[2528]}. From our clarification, we hope that our audience get the difference and relation between risk and adversarial risk, and the importance of studying adversarial countermeasures. 
With the aforementioned definitions, Table 1 lists the notations which will be used in the subsequent sections.
Notations Description $ x $ Victim data sample $ x' $ Perturbed data sample $ \delta $ Perturbation $ B_\epsilon(x) $ ${ l_p} $distance neighbor ball around ${x} $ with radius $ \epsilon $ $ {\cal D} $ Natural data distribution $ \cdot_p $ $ {l_p} $ norm $ y $ Sample $ x $′s ground truth label $ t $ Target label $ {t} $ $ {\cal Y} $ Set of possible labels. Usually we assume there are ${ m} $ labels $ C $ Classifier whose output is a label: $ {C(x)=y} $ $ F $ DNN model which outputs a score vector: $ {F(x) \in [0,1]^m} $ $ Z $ Logits: last layer outputs before softmax: $ {F(x) = softmax(Z(x))} $ $ \sigma $ Activation function used in neural networks $ \theta $ Parameters of the model $ {F} $ $ {\cal L} $ Loss function for training. We simplify $ {{\cal L}(F(x),y) }$ in the form $ {{\cal L}(\theta,x,y)} $. Table 1. Notations

In this section, we introduce main methods for generating adversarial examples in image classification domain. Studying adversarial examples in the image domain is considered to be essential because: 1) Perceptual similarity between fake and benign images is intuitive to observers, and 2) image data and image classifiers have simpler structure than other domains, like graph or audio. Thus, many studies concentrate on attacking image classifiers as a standard case. In this section, we assume the image classifiers refer to fully connected neural networks and convolutional neural networks^{[1]}. The most common datasets used in these studies include 1) handwritten letter images dataset MNIST, 2) CIFAR10 object dataset and 3) ImageNet^{[29]}. Next, we go through some main methods used to generate adversarial image examples for evasion attack (whitebox, blackbox, greybox, physicalworld attack), and poisoning attack settings. Note that we also summarize all the attack methods in Table A in Appendix A.
Attack Publication Similarity Attacking capability Algorithm Apply domain LBFGS [8] $l_2$ Whitebox Iterative Image classification FGSM [9] $l_\infty$,$l_2$ Whitebox Singlestep Image classification Deepfool [32] $l_2$ Whitebox Iterative Image classification JSMA [33] $l_2$ Whitebox Iterative Image classification BIM [31] $l_\infty$ Whitebox Iterative Image classification C&W [34] $l_2$ Whitebox Iterative Image classification Ground truth [35] $l_0$ Whitebox SMT solver Image classification Spatial [44] Total variation Whitebox Iterative Image classification Universal [125] $l_\infty$, $l_2$ Whitebox Iterative Image classification OnePixel [39] $l_0$ Whitebox Iterative Image classification EAD [40] $l_1+l_2$, $l_2$ Whitebox Iterative Image classification Substitute [48] $l_p$ Blackbox Iterative Image classification ZOO [50] $l_p$ Blackbox Iterative Image classification Biggio [19] $l_2$ Poisoning Iterative Image classification Explanation [58] $l_p$ Poisoning Iterative Image classification Zugner′s [10] Degree distribution, coocurrence Poisoning Greedy Node classification Dai′s [97] Edges Blackbox RL Node & Graph classification Meta [100] Edges Blackbox RL Node classification C&W [106] max dB Whitebox Iterative Speech recognition Word embedding [108] $l_p$ Whitebox Onestep Text classification HotFlip [11] letters Whitebox Greedy Text classification Jia & Liang [116] letters Blackbox Greedy Reading comprehension Face recognition [122] physical Whitebox Iterative Face recognition RL attack [137] $l_p$ Whitebox RL Table A. Dichotomy of attacks

Generally, in a whitebox attack setting, when the classifier
$ C $ (model$ F $ ) and the victim sample$ (x,y) $ are given to the attacker, his goal is to synthesize a fake image$ x' $ perceptually similar to original image$ x $ but that can mislead the classifier$ C $ to give wrong prediction results. It can be formulated as$ {\rm{find }}\;x'\;{\rm{satisfying} }\;x'x\leq\epsilon ,\;{\rm{such\;that }}\; C(x') = t\neq y $ where
$ \cdot $ measures the dissimilarity between$ x' $ and$ x $ , which is usually$ l_p $ norm. Next, we will go through main methods to realize this formulation. 
Biggio et al.^{[22]} firstly generates adversarial examples on MNIST data set targeting conventional machine learning classifiers like SVMs and 3layer fullyconnected neural networks.
It optimizes the discriminant function to mislead the classifier. For example, on MNIST dataset, for a linear SVM classifier, its discriminant function
$ g(x) = \langle w,x\rangle + $ b, will mark a sample$ x $ with positive value$ g(x)>0 $ to be in class “3”, and$ x $ with$ g(x)\leq 0 $ to be in class “not 3”. An example of this attack is in Fig. 2.Figure 2. Biggio′s attack on SVM classifier for letter recognition (Image credit: Biggio et al.^{[22]})
Suppose we have a sample
$ x $ which is correctly classified to be “3”. For this model, Biggio′s attack crafts a new example$ x' $ to minimize the discriminant value$ g(x') $ while keeping$ x'x_1 $ small. If$ g(x') $ is negative, the sample is classified as “not 3”, but$ x' $ is still close to$ x $ , so the classifier is fooled. The studies about adversarial examples for conventional machine learning models^{[19, 22, 24]}, inspired studies on safety issues of deep learning models. 
The work of Szegedy et al.^{[8]} is the first to attack deep neural network image classifiers. They formulate their optimization problem as a search for minimal distorted adversarial example
$ x' $ , with the objective:$ \begin{array}{l} {\rm{min }}\quad xx'_2^2\\ {\rm{s.t. }}\;\;\;C(x') = t\;\ {\rm{ and } }\ \;x' \in [0,1]^m . \end{array} $ (2) Szegedy et al. approximately solve this problem by introducing the loss function, which results the following objective:
$ {\rm{min}}\; cxx'_2^2+{\cal L}(\theta,x',t),\\ \ \ {\rm{s. t. }}\;\;\;\ x' \in [0,1]^m. $ In the optimization objective of this problem, the first term imposes the similarity between
$ x' $ and$ x $ . The second term encourages the algorithm to find$ x' $ which has a small loss value to label$ t $ , so the classifier$ C $ will be very likely to predict$ x' $ as$ t $ . By continuously changing the value of constant$ c $ , they can find an$ x' $ which has minimum distance to$ x $ , and at the same time fool the classifier$ C $ . To solve this problem, they implement the LBFGS^{[30]} algorithm. 
Goodfellow et al.^{[9]} introduced an onestep method to fast generate adversarial examples. Their formulation is
$ \begin{aligned} & x' = x + \epsilon {\rm{sgn}}(\nabla_x {\cal L}(\theta,x,y)), \; \; \; {\rm{non{\text{}}target}}\\ & x' = x\epsilon {\rm{sgn}}(\nabla_x {\cal L}(\theta,x,t)),\; \; \; \; {\rm target\;on}\;t. \end{aligned} $ For targeted attack setting, this formulation can be seen as a onestep of gradient descent to solve the problem:
$ \begin{array}{l} {\rm{min }}\ \ {{\cal L}}(\theta,x',t)\\ {\rm{s.t. } }\ \ x'x_{\infty}\leq\epsilon\;\ {\rm{ and} }\;\ x' \in [0,1]^m. \end{array} $ (3) The objective function in (3) searches the point which has the minimum loss value to label
$ t $ in$ x $ ′s$ \epsilon $ neighbor ball, which is the location where model$ F $ is most likely to predict it to the target class$ t $ . In this way, the onestep generated sample$ x' $ is also likely to fool the model. An example of FGSMgenerated example on ImageNet is shown in Fig. 1.Compared to the iterative attack in Section 3.1.2, FGSM is fast in generating adversarial examples, because it only involves calculating one backpropagation step. Thus, FGSM addresses the demands of tasks that need to generate a large amount of adversarial examples. For example, adversarial training^{[31]}, uses FGSM to produce adversarial samples for all samples in training set.

In DeepFool^{[32]}, the authors study a classifier
$ F $ ′s decision boundary around data point$ x $ . They try to find a path such that$ x $ can go beyond the decision boundary, as shown in Fig. 3, so that the classifier will give a different prediction for$ x $ . For example, to attack$ x_0 $ (true label is digit 4) to digit class 3, the decision boundary is described as$ {\cal F}_3 = \{z:F(x)_4F(x)_3 = 0\} $ . We denote$ f(x) = F(x)_4F(x)_3 $ for short. In each attacking step, it linearizes the decision boundary hyperplane using Taylor expansion${\cal F}'_3 \!=\! \{x:f(x)\! \approx \!f(x_0)\!+\!\langle\nabla_x f(x_0)\cdot (x \!\!x_0)\rangle \!=\! 0\} $ , and calculates the orthogonal vector$ \omega $ from$ x_0 $ to plane$ {\cal F}'_3 $ . This vector$ \omega $ can be the perturbation that makes$ x_0 $ go beyond the decision boundary$ {\cal F}_3 $ . By moving along the vector$ \omega $ , the algorithm is able to find the adversarial example$ x'_0 $ that is classified to class 3.Figure 3. Decision boundaries: the hyperplane
$ \cal{F}_1 $ ($ \cal{F}_2 $ or$ \cal{F}_3 $ ) separates the data points belonging to class 4 and class 1 (class 2 or 3). The sample$ x_0 $ crosses the decision boundary$ \cal{F}_3 $ , so the perturbed data$ x_0' $ is classified as class 3. (Image credit: MoosaviDezfooli et al.^{[32]})The experiments of DeepFool^{[32]} shows that for common DNN image classifiers, almost all test samples are very close to their decision boundary. For a welltrained LeNet classifier on MNIST dataset, over
$ 90\% $ of test samples can be attacked by small perturbations whose$ l_\infty $ norm is below 0.1 where the total range is [0, 1]. This suggests that the DNN classifiers are not robust to small perturbations. 
Jacobianbased saliency map attack (JSMA)^{[33]} introduced a method based on calculating the Jacobian matrix of the score function
$ F $ . It can be viewed as a greedy attack algorithm by iteratively manipulating the pixel which is the most influential to the model output.The authors used the Jacobian matrix J_{F}(x) =
$ \dfrac{\partial F(x)}{\partial x} =\left\{\dfrac{\partial F_j(x)}{\partial x_i}\right\}_{i\times j} $ to model$ F(x) $ ′s change in response to the change of its input$ x $ . For a targeted attack setting where the adversary aims to craft an$ x' $ that is classified to the target class$ t $ , they repeatedly search and manipulate pixel$ x_i $ whose increase (decrease) will cause$ F_t(x) $ to increase or decrease$ \sum_{j \neq t} F_j(x) $ . As a result, for$ x $ , the model will give it the largest score to label$ t $ . 
The basic iterative method was first introduced by Kurakin et al.^{[15, 31]} It is an iterative version of the onestep attack FGSM in Section 3.1.3. In a nontargeted setting, it gives an iterative formulation to craft
$ x' $ :$ x_0 = x;\;\;\; x^{t+1} = Clip_{x,\epsilon} (x^t + \alpha {\rm{sgn}}(\nabla_x {\cal L}(\theta, x^t,y))). $ Here,
$ Clip $ denotes the function to project its argument to the surface of$ x $ ′s$ \epsilon $ neighbor ball$B_{\epsilon}(x): $ $ \{ x' :x'x_\infty\leq \epsilon \} $ . The step size$ \alpha $ is usually set to be relatively small (e.g., 1 unit of pixel change for each pixel), and step numbers guarantee that the perturbation can reach the border (e.g.,$ step = \dfrac{\epsilon}{\alpha} +10 $ ). This iterative attacking method is also known as projected gradient method (PGD) if the algorithm is added by a random initialization on$ x $ , used in work [14].This BIM (or PGD) attack heuristically searches the samples
$ x' $ which have the largest loss value in the$ l_\infty $ ball around the original sample$ x $ . This kind of adversarial examples are called “mostadversarial” examples: They are the sample points which are most aggressive and mostlikely to fool the classifiers, when the perturbation intensity (its$ l_p $ norm) is limited. Finding these adversarial examples is helpful to find the weaknesses of deep learning models. 
Carlini and Wagner′s attack^{[34]} counterattacks the defense strategy^{[12]} which were shown to be successful against FGSM and LBFGS attacks. C&W′s attack aims to solve the same problem as defined in LBFGS attack (Section 3.1.2), namely trying to find the minimallydistorted perturbation (2).
The authors solve the problem (2) by instead solving:
$ {\rm{min}} \ xx'_2^2+c\cdot f(x',t), \ \ {\rm{s.t.}}\; \ x' \in [0,1]^m $ where
$ f $ is defined as$ f(x',t) = (\max_{i\neq t}{Z(x')_i}Z(x')_t)^+ $ . Minimizing$ f(x',t) $ encourages the algorithm to find an$ x' $ that has larger score for class$ t $ than any other label, so that the classifier will predict$ x' $ as class$ t $ . Next, applying a line search on constant$ c $ , we can find the$ x' $ that has the least distance to$ x $ .The function
$ f(x,y) $ can also be viewed as a loss function for data$ (x,y) $ : It penalizes the situation where there are some labels$ i $ with scores$ Z(x)_i $ larger than$ Z(x)_y $ . It can also be called margin loss function.The only difference between this formulation and the one in LBFGS attack (Section 3.1.2) is that C&W′s attack uses margin loss
$ f(x,t) $ instead of cross entropy loss$ {\cal L}(x,t) $ . The benefit of using margin loss is that when$ C(x') = t $ , the margin loss value$ f(x',t) = 0 $ , the algorithm will directly minimize the distance from$ x' $ to$ x $ . This procedure is more efficient for finding the minimally distorted adversarial example.The authors claim their attack is one of the strongest attacks, breaking many defense strategies which were shown to be successful. Thus, their attacking method can be used as a benchmark to examine the safety of DNN classifiers or the quality of other adversarial examples.

Attacks and defenses keep improving to defeat each other. In order to end this stalemate, the work of Carlini et al.^{[35]} tries to find the “provable strongest attack”. It can be seen as a method to find the theoretical minimallydistorted adversarial examples.
This attack is based on Reluplex^{[36]}, an algorithm for verifying the properties of neural networks. It encodes the model parameters F and data
$ (x,y) $ as the subjects of a linearlike programming system, and then solve the system to check whether there exists an eligible sample$ x' $ in$ x $ ′s neighbor$ B_{\epsilon}(x) $ that can fool the model. If we keep reducing the radius$ \epsilon $ of search region$ B_{\epsilon}(x) $ until the system determines that there does not exist such an$ x' $ that can fool the model, the last found adversarial example is called the ground truth adversarial example, because it has been proved to have least dissimilarity with$ x $ .The groundtruth attack is the first work to seriously calculate the exact robustness (minimal perturbation) of classifiers. However, this method involves using a satisfiability modulo theories (SMT) solver (a complex algorithm to check the satisfiability of a series of theories), which will make it slow and not scalable to large networks. More recent works^{[37, 38]}, have improved the efficiency of groundtruth attack.

Previous studies are mostly focused on
$ l_2 $ or$ l_\infty $ normconstrained perturbations. However, there are other papers which consider other types of$ l_p $ attacks.1) Onepixel attack^{[39]} studies similar problem as in Section 3.1.2, but constrains the perturbation′s
$ l_0 $ norm. Constraining$ l_0 $ norm of the perturbation$ x'x $ will limit the number of pixels that are allowed to be changed. Their work shows that: On dataset CIFAR10, for a welltrained CNN classifier (e.g., VGG16, which has 85.5% accuracy on test data), most of the testing samples (63.5%) can be attacked by changing the value of only one pixel in a nontargeted setting. This also demonstrates the poor robustness of deep learning models.2) EAD: Elasticnet attack^{[40]} also studies a similar problem as in Section 3.1.2, but constrains the perturbations
$ l_1 $ and$ l_2 $ norm together. As shown in their experimental work^{[41]}, some strong defense models that aim to reject$ l_\infty $ and$ l_2 $ norm attacks^{[14]} are still vulnerable to the$ l_1 $ based Elasticnet attack. 
Previous methods only consider one specific targeted victim sample
$ x $ . However, the work [42] devises an algorithm that successfully mislead a classifier′s decision on almost all testing images. They try to find a perturbation$ \delta $ satisfying:1)
$ \delta_p \leq \epsilon. $ 2)
$ \underset{x \sim D(x)}{\mathbb{P}} (C(x+\delta) \neq C(x))\leq 1\sigma $ .This formulation aims to find a perturbation
$ \delta $ such that the classifier gives wrong decisions on most of the samples. In their experiments, for example, they successfully find a perturbation that can attack 85.4% of the test samples in the ILSVRC 2012^{[43]} dataset under a ResNet152^{[2]} classifier.The existence of “universal” adversarial examples reveals a DNN classifier′s inherent weakness on all of the input samples. As claimed in work [42], it may suggest the property of geometric correlation among the highdimensional decision boundary of classifiers.

Traditional adversarial attack algorithms directly modify the pixel value of an image, which changes the image′s color intensity. Spatial attack^{[44]} devises another method, called a spatially transformed attack. They perturb the image by doing slight spatial transformation: They translate, rotate and distort the local image features slightly. The perturbation is small enough to evade human inspection but can fool the classifiers. One example is in Fig. 4.

Previous attack methods only consider adding unnoticeable perturbations into images. However, the work [45] devised a method to generate unrestricted adversarial examples. These samples do not necessarily look exactly the same as the victim samples, but are still legitimate samples for human eyes and can fool the classifier. Previous successful defense strategies that target perturbationbased attacks fail to recognize them.
In order to attack given classifier
$ C $ , Odena et al.^{[46]} pretrained an auxiliary classifier generative adversarial network (ACGAN), so they can generate one legitimate sample$ x $ from a noise vector z^{0} from class$ y $ . Then, to craft an adversarial example, they will find a noise vector$ z $ near z^{0}, but require that the output of ACGAN generator$ {\cal G}(z) $ be wrongly classified by victim model$ C $ . Because$ z $ is near z^{0} in latent space of the ACGAN, its output should belong to the same class$ y $ . In this way, the generated sample$ {\cal G}(z) $ is different from$ x $ , misleading classifier$ F $ , but it is still a legitimate sample. 
All the previously introduced attack methods are applied digitally, where the adversary supplies input images directly to the machine learning model. However, this is not always the case for some scenarios, like those that use cameras, microphones or other sensors to receive the signals as input. In this case, can we still attack these systems by generating physicalworld adversarial objects? Recent works show such attacks do exist. For example, the work [20] attached stickers to road signs that can severely threaten autonomous car′s sign recognizer. These kinds of adversarial objects are more destructive for deep learning models because they can directly challenge many practical applications of DNN, such as face recognition, autonomous vehicle, etc.

In the work [15], the authors explore the feasibility of crafting physical adversarial objects, by checking whether the generated adversarial images (FGSM, BIM) are “robust” under natural transformation (such as changing viewpoint, lighting, etc). Here, “robust” means the crafted images remain adversarial after the transformation. To apply the transformation, they print out the crafted images, and let test subjects use cellphones to take photos of these printouts. In this process, the shooting angle or lighting environment are not constrained, so the acquired photos are transformed samples from previously generated adversarial examples. The experimental results demonstrate that after transformation, a large portion of these adversarial examples, especially those generated by FGSM, remain adversarial to the classifier. These results suggest the possibility of physical adversarial objects which can fool the sensor under different environments.

The work [20], shown in Fig. 5, crafts physical adversarial objects, by “contaminating” road signs to mislead road sign recognizers. They achieve the attack by putting stickers on the stop sign in the desired positions.
Figure 5. Attacker puts some stickers on a road sign to confuse an autonomous vehicle′s road sign recognizer from any viewpoint (Image credit: Eykholt et al.^{[20]})
The author′s approach consist of: 1) Implement
$ l_1 $ norm based attack (those attacks that constrain$ x'x_1 $ ) on digital images of road signs to roughly find the region to perturb ($ l_1 $ attacks render sparse perturbation, which helps to find attack location). These regions will later be the location of stickers. 2) Concentrating on the regions found in step 1, use an$ l_2 $ norm based attack to generate the color for the stickers. 3) Print out the perturbation found in Steps 1 and 2, and stick them on road sign. The perturbed stop sign can confuse an autonomous vehicle from any distance and viewpoint. 
In the work [47], authors report the first work which successfully crafted physical 3D adversarial objects. As shown in Fig. 6, the authors use 3Dprinting to manufacture an “adversarial” turtle. To achieve their goal, they implement a 3D rendering technique. Given a textured 3D object, they first optimize the object′s texture such that the rendering images are adversarial from any viewpoint. In this process, they also ensure that the perturbation remains adversarial under different environments: camera distance, lighting conditions, rotation and background. After finding the perturbation on 3D rendering, they print an instance of the 3D object.

The work [48] was the first to introduce an effective algorithm to attack DNN classifiers, under the condition that the adversary has no access to the classifier′s parameters or training set (blackbox). An adversary can only feed input
$ x $ to obtain the output label$ y $ from the classifier. Additionally, the adversary may have only partial knowledge about: 1) the classifier′s data domain (e.g., handwritten digits, photographs, human faces) and 2) the architecture of the classifier (e.g., CNN, RNN).The authors in the work [48] exploits the “transferability” (Section 5.3) property of adversarial examples: a sample
$ x' $ can attack$ F_1 $ , it is also likely to attack$ F_2 $ , which has similar structure to$ F_1 $ . Thus, the authors introduce a method to train a substitute model$ F' $ to imitate the target victim classifier$ F $ , and then craft the adversarial example by attacking substitute model$ F' $ . The main steps are below:1) Synthesize substitute training dataset
Make a “replica” training set. For example, to attack a victim classifier for handwritten digits recognition task, make an initial substitute training set by: a) requiring samples from test set; or b) handcrafting samples.
2) Training the substitute model
Feed the substitute training dataset
$ X $ into the victim classifier to obtain their labels$ Y $ . Choose one substitute DNN model to train on$ (X,Y) $ to get$ F' $ . Based on the attacker′s knowledge, the chosen DNN should have similar structure to the victim model.3) Dataset augmentation
Augment the dataset
$ (X,Y) $ and retrain the substitute model$ F' $ iteratively. This procedure helps to increase the diversity of the replica training set and improve the accuracy of substitute model$ F' $ .4) Attacking the substitute model
Utilize the previously introduced attack methods, such as FGSM to attack the model
$ F' $ . The generated adversarial examples are also very likely to mislead the target model$ F $ , by the property of “transferability”.What kind of attack algorithm should we choose to attack substitute model? The success of substitute model blackbox attack is based on the “transferability” property of adversarial examples. Thus, during blackbox attack, we choose attacks that have high transferability, like FGSM, PGD and momentumbased iterative attacks^{[49]}.

Different from the work in Section 3.3.1 where an adversary can only obtain the label information from the classifier, the work [50] assume the attacker has access to the prediction confidence (sscore) from the victim classifier′s output. In this case, there is no need to build the substitute training set and substitute model. Chen et al. give an algorithm to “scrape” the gradient information around victim sample
$ x $ by observing the changes in the prediction confidence$ F(x) $ as the pixel values of$ x $ are tuned.Equation (4) shows for each index
$ i $ of sample$ x $ , we add (or subtract)$ x_i $ by$ h $ . If$ h $ is small enough, we can scrape the gradient information from the output of$ F(\cdot) $ by$ \frac{{\partial F(x)}}{{\partial {x_i}}} \approx \frac{{F(x + h{e_i})  F(x  h{e_i})}}{{2h}}.$ (4) Utilizing the approximate gradient, we can apply the attack formulations introduced in Sections 3.1.3 and 3.1.7. The attack success rate of ZOO is higher than substitute model (Section 3.3.1) because it can utilize the information of prediction confidence, instead of solely the predicted labels.

Previously introduced blackbox attacks require lots of input queries to the classifier, which may be prohibitive in practical applications. There are some studies on improving the efficiency of generating blackbox adversarial examples via a limited number of queries. For example, the authors in work [51] introduced a more efficient way to estimate the gradient information from model outputs. They use natural evolutional strategies^{[52]}, which sample the model′s output based on the queries around
$ x $ , and estimate the expectation of gradient of$ F $ on$ x $ . This procedure requires fewer queries to the model. Moreover, the authors in work [53] apply a genetic algorithm to search the neighbors of benign image for adversarial examples. 
The work [54] devised a semiwhite box attack framework. It first trained a GAN^{[55]}, targeting the model of interest. The attacker can then craft adversarial examples directly from the generative network.
The authors believe the advantage of the GANbased attack is that it accelerates the process of producing adversarial examples, and makes more natural and more undetectable samples. Later, Deb′s grey box attack^{[56]} uses GAN to generate adversarial faces to evade face recognition software. Their crafted face images appear to be more natural and have barely distinguishable difference from target face images.

The attacks we have discussed so far are evasion attacks, which are launched after the classification model is trained. Some works instead craft adversarial examples before training. These adversarial examples are inserted into the training set in order to undermine the overall accuracy of the learned classifier, or influence its prediction on certain test examples. This process is called a poisoning attack.
Usually, the adversary in a poisoning attack setting has knowledge about the architecture of the model which is later trained on the poisoned dataset. Poisoning attacks frequently applied to attack graph neural network, because of the GNN′s specific transductive learning procedure. Here, we introduce studies that craft image poisoning attacks.

The work [19] introduced a method to poison the training set in order to reduce SVM model′s accuracy. In their setting, they try to figure out a poison sample
$ x_c $ which, when inserted into the training set, will result in the learned SVM model$ F_{x_c} $ having a large total loss on the whole validation set. They achieve this by using incremental learning technique for SVMs^{[57]}, which can model the influence of training sample on the learned SVM model.A poisoning attack based on procedure above is quite successful for SVM models. However, for deep learning models, it is not easy to explicitly figure out the influence of training samples on the trained model. Below we introduce some approaches for applying poisoning attacks on DNN models.

Koh and Liang′s explanation study^{[58]} introduce a method to interpret deep neural networks: How would the model′s predictions change if a training sample were modified? Their model can explicitly quantify the change in the final loss without retraining the model when only one training sample is modified. This work can be naturally adopted to poisoning attacks by finding those training samples that have large influence on model’s prediction.

“Poison frogs”^{[59]} introduced a method to insert an adversarial image with true label to the training set, in order to cause the trained model to wrongly classify a target test sample. In their work, given a target test sample
$ x_t $ , whose true label is$ y_t $ , the attacker first uses a base sample$ x_b $ from class$ y_b $ . Then, it solves the objective to find$ x'$ :$ x' = \mathop {\arg \; \min}\limits_x Z(x)  Z({x_t})_2^2 + \beta x  {x_b}_2^2. $ After inserting the poison sample
$ x' $ into training set, the new model trained on$ X_{train}+\{x\}' $ will classify$ x' $ as class$ y_b $ , because of the small distance between$ x' $ and$ x_b $ . Using a new trained model to predict$ x_t $ , the objective of$ x' $ forces the score vector of$ x_t $ and$ x' $ to be close. Thus,$ x' $ and$ x_t $ will have the same prediction outcome. In this way, the new trained model will predict the target sample$ x_t $ as class$ y_b $ . 
In order to protect the security of deep learning models, different strategies have been considered as countermeasures against adversarial examples. There are basically three main categories of these countermeasures:
1) Gradient masking/Obfuscation
Since most attack algorithms are based on the gradient information of the classifier, masking or hiding the gradients will confound the adversaries.
2) Robust optimization
Relearning a DNN classifier′s parameters can increase its robustness. The trained classifier will correctly classify the subsequently generated adversarial examples.
3) Adversarial examples detection
Study the distribution of natural/benign examples, detect adversarial examples and disallow their input into the classifier.

Gradient masking/Obfuscation refers to the strategy where a defender deliberately hides the gradient information of the model, in order to confuse the adversaries, since most attack algorithms are based on the classifier′s gradient information.

“Distillation”, first introduced by Hinton et al.^{[60]}, is a training technique to reduce the size of DNN architectures. It fulfills its goal by training a smallersize DNN model on the logits (outputs of the last layer before softmax).
The work [12] reformulate the procedure of distillation to train a DNN model that can resist adversarial examples, such as FGSM, Szegedy′s LBFGS attack or DeepFool. They design their training process as:
$ 1) $ Train a network$ F $ on the given training set$ (X,Y) $ by setting the temperature^{①} of the softmax to$ T $ .$ 2) $ Compute the scores (after softmax) given by$ F(X) $ , again evaluating the scores at temperature$ T $ .$ 3) $ Train another network$ F'_T $ using softmax at temperature$ T $ on the dataset with soft labels$ (X,F(X)) $ . We refer the model$ F'_T $ as the distilled model.$ 4) $ During prediction on test data$ X_{test} $ (or adversarial examples), use the distilled network$ F'_T $ but use softmax at temperature 1, which is denoted as$ F'_1 $ .Carlini and Wagner^{[34]} explain why this algorithm works: When we train a distilled network
$ F'_T $ at temperature T and test it at temperature 1, we effectively cause the inputs to the softmax to become larger by a factor of T. Let us say$ T = 100 $ , the logits$ Z(\cdot) $ for sample$ x $ and its neighbor points$ x' $ will be 100 times larger, which will result the softmax function$ F_1(\cdot) = \rm{softmax}(Z(\cdot),1) $ outputting a score vector like$ (\epsilon, \epsilon, \cdots, 1(m1)\epsilon, \epsilon, \cdots ,\epsilon) $ , where the target output class has a score extremely close to 1, and all other classes have scores close to 0. In practice, the value of$ \epsilon $ is so small that its 32bit floatingpoint value for computer is rounded to 0. In this way, the computer cannot find the gradient of score function$ F'_1 $ , which inhibits the gradientbased attacks. 
Some studies, such as [61, 62], try to protect the model by preprocessing the input data. They add a nonsmooth or nondifferentiable preprocessor
$ g(\cdot) $ and then train a DNN model$ f $ on$ g(X) $ . The trained classifier$ f(g(\cdot)) $ is not differentiable in term of$ x $ , causing the failure of adversarial attacks.For example, Thermometer encoding^{[61]} uses a preprocessor to discretize an image′s pixel value
$ x_i $ into a$ l $ dimensional vector$ \tau(x_i) $ . (e.g., when$ l = 10 $ ,$ \tau (0.66) = $ $1\,111\,110\,000 $ ). The vector$ \tau(x_i) $ acts as a “thermometer” to record the pixel$ x_i $ ′s value. A DNN model is later trained on these vectors. Another work [62] studies a number of image processing tools, such as image cropping, compressing, totalvariance minimization and superresolution^{[63]}, to determine whether these techniques help to protect the model against adversarial examples. All these approaches block up the smooth connection between the model′s output and the original input samples, so the attacker cannot easily find the gradient$\dfrac{{\partial F\left( x \right)}}{{\partial x}}$ for attacking. 
Some defense strategies try to randomize the DNN model in order to confound the adversary. For instance, we train a set of classifiers
$ s = \{F_t:t = 1,2, \cdots ,k\} $ . During evaluation on data$ x $ , we randomly select one classifier from the set$ s $ and predict the label$ y $ . Because the adversary has no idea which classifier is used by the prediction model, the attack success rate will be reduced.Some examples of this strategy include the work [64], who randomly drop some neurons of each layer of the DNN model, and the work [65], who resize the input images to a random size and pad zeros around the input image.

Both PixelDefend^{[66]} and DefenseGAN^{[67]} suggest using generative models to project a potential adversarial example onto the benign data manifold before classifying them. While PixelDefend uses PixelCNN generative model^{[68]}, DefenseGAN uses a GAN architecture^{[5]}. The generative models can be viewed as a purifier that transforms adversarial examples into benign examples.
Both of these methods consider adding a generative network before the classifier DNN, which will cause the final classification model be an extremely deep neural network. The underlying reason that these defenses succeed is because: The cumulative product of partial derivatives from each layer will cause the gradient
$ \dfrac{{\partial {\cal L}\left( x \right)}}{{\partial x}} $ to be extremely small or irregularly large, which prevents the attacker accurately estimating the location of adversarial examples. 
In the work Carlini and Wagner′s attack^{[34]}, they show the method of “Defensive Distillation” (Section 4.1.1) is still vulnerable to their adversarial examples. In the study [13], the authors devised different attacking algorithms to break gradient masking/obfuscation defending strategies (Sections 4.1.2 – 4.1.4).
The main weakness of the gradient masking strategy is that: It can only “confound” the adversaries; it cannot eliminate the existence of adversarial examples.

Robust optimization methods aim to improve the classifier′s robustness (Section 2.2) by changing DNN model′s manner of learning. They study how to learn model parameters that can give promising predictions on potential adversarial examples. In this field, the works majorly focus on: 1) learning model parameters
$ \theta^* $ to minimize the average adversarial loss: (Section 2.2.2)$ \theta^* = \mathop {\arg \;\min}\limits_{\theta \in \Theta } \mathop{\mathbb{E}}\limits_{x\sim {\cal D}}\; \max\limits_{x'x\leq\epsilon}\; {\cal L} (\theta,x',y) $ (5) or 2) learning model parameters
$ \theta^* $ to maximize the average minimal perturbation distance: (Section 2.2.1)$ \theta^* = \mathop {\arg \;\max}\limits_{\theta \in \Theta } \mathop{\mathbb{E}}\limits_{x\sim {\cal D}}\; \min\limits_{C(x')\neq y}\; x'x. $ (6) Typically, a robust optimization algorithm should have a prior knowledge of its potential threat or potential attack (adversarial space
$ {\cal D} $ ). Then, the defenders build classifiers which are safe against this specific attack. For most of the related works^{[9, 14, 15]}, they aim to defend against adversarial examples generated from small$ l_p $ (specifically$ l_\infty $ and$ l_2 $ ) norm perturbation. Even though there is a chance that these defenses are still vulnerable to attacks from other mechanisms, (e.g., spatial attack^{[44]}), studying the security against$ l_p $ attack is fundamental and can be generalized to other attacks.In this section, we concentrate on defense approaches using robustness optimization against
$ l_p $ attacks. We categorize the related works into three groups: 1) regularization methods, 2) adversarial (re)training and 3) certified defenses. 
Some early studies on defending against adversarial examples focus on exploiting certain properties that a robust DNN should have in order to resist adversarial examples. For example, Szegedy et al.^{[8]} suggest that a robust model should be stable when its inputs are distorted, so they turn to constrain the Lipschitz constant to impose this “stability” of model output. Training on these regularizations can sometimes heuristically help the model be more robust.
1) Penalize layer's Lipschitz constant
When Szegydy et al.^{[8]} first claimed the vulnerability of DNN models to adversarial examples, they suggested adding regularization terms on the parameters during training, to force the trained model be stable. It suggested constraining the Lipschitz constant
$ L_k $ between any two layers:$ \forall x,\delta,\; \; \; h_k(x;W_k)h_k(x+\delta;W_k) \leq L_k \delta $ so that the outcome of each layer will not be easily influenced by the small distortion of its input. The work Parseval networks^{[69]} formalized this idea, by claiming that the model′s adversarial risk (5) is right dependent on this instability
$ L_k $ :$ \begin{split} & \mathop{\mathbb{E}}\limits_{x\sim {\cal D}}\; {\cal L}_{adv}(x) \leq \mathop{\mathbb{E}}\limits_{x\sim {\cal D}}\; {\cal L}(x)+ \\ & \qquad \mathop{\mathbb{E}}\limits_{x\sim {\cal D}} [\max\limits_{x'x\leq\epsilon}{\cal L}(F(x'),y)  {\cal L}(F(x),y)]\leq\\ & \qquad \mathop{\mathbb{E}}\limits_{x\sim {\cal D}}\; {\cal L}(x) + \lambda_p\prod\limits_{k = 1}^{K} L_k \end{split} $ where
$ \lambda_p $ is the Lipschitz constant of the loss function. This formula states that during the training process, penalizing the large instability for each hidden layer can help to decrease the adversarial risk of the model, and consequently increase the robustness of model. The idea of constraining instability also appears in the study [70] for semisupervised, and unsupervised defenses.2) Penalize layer′s partial derivative
The study [71] introduced a deep contractive network algorithm to regularize the training. It was inspired by the contractive autoencoder^{[72]}, which was introduced to denoise the encoded representation learning. The deep contractive network suggests adding a penalty on the partial derivatives at each layer into the standard backpropagation framework, so that the change of the input data will not cause large change on the output of each layer. Thus, it becomes difficult for the classifier to give different predictions on perturbed data samples.

1) Adversarial training with FGSM
Goodfellow′s FGSM attack^{[9]} were the first to suggest feeding generated adversarial examples into the training process. By adding the adversarial examples with true label
$ (x',y) $ into the training set, the training set will tell the classifier that$ x' $ belongs to class$ y $ , so that the trained model will correctly predict the label of future adversarial examples.In the work [9], they use nontargeted FGSM (Section 3.1.3) to generate adversarial examples
$ x' $ for the training dataset:$ x' = x + \epsilon {\rm{sgn}}(\nabla_x {\cal L}(\theta,x,y)). $ By training on benign samples augmented with adversarial examples, they increase the robustness against adversarial examples generated by FGSM.
The scalaed adversarial training^{[15]} changes the training strategy of this method so that the model can be scaled to larger dataset such as ImageNet. They suggest using batch normalization^{[73]} will improve the efficiency of adversarial training. We give a short sketch of their algorithm in Algorithm 1.
The trained classifier has good robustness on FGSM attacks, but is still vulnerable to iterative attacks. Later, the study [21] argues that this defense is also vulnerable to singlestep attacks. Adversarial training with FGSM will cause gradient obfuscation (Section 4.1), where there is an extreme nonsmoothness of the trained classifier
$ F $ near the test sample$ x $ . Refer to Fig. 7 as an illustration of the nonsmooth property of FGSM trained classifier.Figure 7. Illustration of gradient masking for adversarial training via FGSM. It plots the loss function of the trained classifier around x on the grids of gradient direction and another randomly chosen direction. We can see that the gradient poorly approximates the global loss. (Image credit: Tramer et al. ^{[21]})
Algorithm 1. Adversarial training with FGSM by batches
Randomly initialize network F
Repeat
1) Read minibatch
$ B = \{x^1, \cdots,x^m\} $ from training set2) Generate
$ k $ adversarial examples$ \{x_{adv}^1, \cdots, x_{adv}^k\} $ for corresponding benign examples using current state of the network$ F $ .3) Update
$ B' = \{x_{adv}^1, \cdots ,x_{adv}^k,x^{k+1},\cdots ,x^m\} $ Do one training step of network
$ F $ using minibatch$ B' $ until training converged.
2) Adversarial training with PGD
The PGD adversarial training^{[14]} suggests using projected gradient descent attack (Section 3.1.6) for adversarial training, instead of using singlestep attacks like FGSM. The PGD attacks (Section 3.1.6) can be seen as a heuristic method to find the “most adversarial” example:
${x_{adv}} = \mathop {\arg \;\max}\limits_{x' \in {B_\epsilon}(x)} {{\cal L}}(x',F)$ (7) in the
$ l_\infty $ ball around x:$ B_{\epsilon}(x) $ . Here, the mostadversarial example$ x_{adv} $ is the location where the classifier$ F $ is most likely to be misled. When training the DNN model on these mostadversarial examples, it actually solves the problem of learning model parameters$ \theta $ that minimize the adversarial loss (5). If the trained model has small loss value on these mostadversarial examples, the model is safe at everywhere in$ x $ ′s neighbor ball$ B_{\epsilon}(x) $ .One thing to note is: This method trains the model only on adversarial examples, instead of a mix of benign and adversarial examples. The training algorithm is shown Algorithm 2.
The trained model under this method demonstrates good robustness against both singlestep and iterative attacks on MNIST and CIFAR10 dataset. However, this method involves an iterative attack for all the training samples. Thus, the time cost of this adversarial training will be
$ k $ (using$ k $ step PGD) times as large as the time cost for natural training, and as a consequence, it is hard to scale to large datasets such as ImageNet.3) Ensemble adversarial training
Ensembler adversarial training^{[21]} introduced their adversarial training method which can protect CNN models against singlestep attacks and also apply to large datasets such as ImageNet.
Their main approach is to augment the classifier′s training set with adversarial examples crafted from other pretrained classifiers. For example, if we aim to train a robust classifier
$ F $ , we can first pretrain classifiers$ F_1 $ ,$ F_2 $ , and$ F_3 $ as references. These models have different hyperparameters with model$ F $ . Then, for each sample$ x $ , we use a singlestep attack FGSM to craft adversarial examples on$ F_1 $ ,$ F_2 $ and$ F_3 $ to get$ x_{adv}^1 $ ,$ x_{adv}^2 $ ,$ x_{adv}^3 $ . Because of the transferability property (Section 5.3) of the singlestep attacks across different models,$ x_{adv}^1 $ ,$ x_{adv}^2 $ ,$ x_{adv}^3 $ are also likely to mislead the classifier$ F $ , which means these samples are a good approximation for the “most adversarial” example (7) for model$ F $ on$ x $ . Training on these samples together will approximately minimize the adversarial loss in (5).This ensemble adversarial training algorithm is more time efficient than the methods in Sections 1 and 2, since it decouples the process of model training and generating adversarial examples. The experimental results show that this method can provide robustness against singlestep attacks and blackbox attacks on ImageNet dataset.
4) Accelerate adversarial training
While it is one of the most promising and reliable defense strategies, adversarial training with PGD attack^{[14]} is generally slow and computationally costly.
The work [74] propose a free adversarial training algorithm which improves the efficiency by reusing the backward pass calculations. In this algorithm, the gradient of the loss to input:
$ \dfrac{{\partial {\cal L}(x + \delta ,\theta )}}{{\partial x}}$ and the gradient of the loss to model parameters:$ \dfrac{{\partial {\cal L}(x + \delta ,\theta )}}{{\partial \theta }} $ can be computed together in one back propagation iteration, by sharing the same components of chain rule. Thus, the adversarial training process is highly accelerated. The free adversarial training algorithm is shown in Algorithm 3.In the work [75], the authors argue that when the model parameters are fixed, the PGDgenerated adversarial example is only coupled with the weights of the first layer of DNN. It is based on solving a Pontryagin′s maximal principle^{[76]}. Therefore, this work [75] invents an algorithm you only propagate once (YOPO) to reuse the gradient of the loss to the model′s first layer output
$ \dfrac{{\partial {\cal L}(x + \delta ,\theta )}}{{\partial {Z_1}(x)}} $ during generating PGD attacks. In this way, YOPO avoids a large amount of times it access the gradient and therefore reduces the computational cost.Algorithm 2. Adversarial training with PGD
Randomly initialize network
$ F $ Repeat
1) Read minibatch
$ B = \{x^1, \cdots ,x^m\} $ from training set2) Generate
$ m $ adversarial examples$ \{x_{adv}^1,\cdots, x_{adv}^m\} $ by PGD attack using current state of the network$ F $ 3) Update
$ B' = \{x_{adv}^1, \cdots ,x_{adv}^m\} $ Do one training step of network
$ F $ using minibatch$ B' $ until training converged
Algorithm 3. Free adversarial training
Randomly initialize network
$ F $ Repeat
1) Read minibatch
$ B = \{x^1, \cdots ,x^m\} $ from training set2) for
$ i=1, \cdots, m $ do2.1) Update model parameter
$ \theta $ $ g_{\theta} \leftarrow \mathbb{E}_{(x,y)\in B}[\nabla_{\theta}{\cal L}(x+\delta, y,\theta)] $ $ g_{adv} \leftarrow \nabla_{x}{\cal L}(x+\delta, y,\theta) $ $ \theta\leftarrow \theta  \alpha g_{\theta} $ 2.2) Generate adversarial examples
$ \delta \leftarrow \delta+\epsilon \cdot {\rm sgn}(g_{adv}) $ $ \delta \leftarrow clip(\delta, \epsilon, \epsilon) $ 3) Update minibatch
$ B $ with adversarial examples$ x+\delta $ until training converged

Adversarial training has been shown to be effective in protecting models against adversarial examples. However, this is still no formal guarantee about the safety of the trained classifiers. We will never know whether there are more aggressive attacks that can break those defenses, so directly applying these adversarial training algorithms in safetycritical tasks would be irresponsible.
As we mentioned in Section 3.1.8, the ground truth attack^{[35]} was the first to introduce a Reluplex algorithm to seriously verify the robustness of DNN models: When the model
$ F $ is given, the algorithm figures out the exact value of minimal perturbation distance$ r(x;F) $ . This is to say, the classifier is safe against any perturbations with norm less than this$ r(x;F) $ . If we apply Reluplex on the whole test set, we can tell what percentage of samples are absolutely safe against perturbations less than norm$ r_0 $ . In this way, we gain confidence and reduce the expected risk when building DNN models.The method of Reluplex seeks to find the exact value of
$ r(x;F) $ that can verify the model$ F $ ′s robustness on$ x $ . Alternately, works such as [7779], try to find trainable “certificates”$ {\cal C}(x;F) $ to verify the model robustness. For example, in the work [79], the authors calculate a certificate$ {\cal C}(x,F) $ for model$ F $ on$ x $ , which is a lower bound of minimal perturbation distance:$ {\cal C}(x,F)\leq r(x,F) $ . As shown in Fig. 8, the model must be safe against any perturbation with norm limited by$ {\cal C}(x,F) $ . Moreover, these certificates are trainable. Training to optimize these certificates will grant good robustness to the classifier. In this section, we shall briefly introduce some methods to design these certificates.Figure 8. Derived certificate
$ \cal{C}(x,F) $ is a lower bound of minimal perturbation distance$ \rho(x,F) $ . Model is safe in$ \cal{C}(x,F) $ ball.1) Lower bound of minimal perturbation
Hein and Andriushchenko^{[79]} derive a lower bound
$ {\cal C}(x,F) $ for the minimal perturbation distance of$ F $ on$ x $ based on CrossLipschitz theorem:$ \max\limits_{\epsilon>0} \, \min\{\min_{i \neq y}\frac {Z_y(x)Z_i(x)}{ \max\limits_{x'\in B_{\epsilon}(x)}\nabla Z_y(x')\nabla Z_i(x')},\, \epsilon \} . $ The detailed derivation can be found in their work of [79]. Note that the formulation of
$ {\cal C}(x,F) $ only depends on$ F $ and$ x $ , and it is easy to calculate for a neural network with one hidden layer. The model$ F $ thus can be proved to be safe in the region within distance$ {\cal C}(x,F) $ . Training to maximize this lower bound will make the classifier more robust.2) Upper bound of adversarial loss
The works proposed by Raghunathan et al.^{[77]} and Wong and Kolter^{[78]} aim to solve the same problem. They try to find an upper bound
$ {\cal U}(x,F) $ which is larger than adversarial loss$ {\cal L}_{adv}(x,F) $ :$ \begin{split} & {{\cal L}}_{adv}(x) = \max\limits_{x'} \, \{\max\limits_{i\neq y} Z_i(x')Z_y(x')\}\\ & \quad {\rm{s.t.}} \; \; \; x' \in B_{\epsilon}(x) . \end{split} $ (8) Recall that we introduced in Section 2.2.2, the function
$ \max_{i\neq y} Z_i(x')Z_y(x') $ is a type of loss function called margin loss.The certificate
$ {\cal U}(x,F) $ acts in this way: If$ {\cal U}(x,F)<0 $ , then adversarial loss$ {\cal L}(x,F)<0 $ . Thus, the classifier always gives the largest score to the true label$ y $ in the region$ B_\epsilon(x) $ , and the model is safe in this region. To increase the model′s robustness, we should learn parameters that have the smallest$ {\cal U} $ value, so that more and more data samples will have negative$ {\cal U} $ values.The work proposed by Raghunathan et al.^{[77]} uses integration inequalities to derive the certificate and use semidefinite programming (SDP)^{[80]} to solve the certificate. In contrast, the work of Wong and Kolter^{[78]} transforms the problem (8) into a linear programming problem and solves the problem via training an alternative neural network. Both methods only consider neural networks with one hidden layer. There are also studies of Raghunathan et al.^{[81]} and Wong et al.^{[82]}, which improved the efficiency and scalability of these algorithms.
Furthermore, distributional adversarial training^{[83]} combine adversarial training and provable defense together. They train the classifier by feeding adversarial examples which are sampled from the distribution of worstcase perturbation, and derive the certificates by studying the Lagrangian duality of adversarial loss.

Adversarial example detection is another main approach to protect DNN classifier. Instead of predicting the model′s input directly, these methods first distinguish whether the input is benign or adversarial. Then, if it can detect the input is adversarial, the DNN classifier will refuse to predict its label. In the work [16], they sort the threat models into 3 categories that the detection techniques should deal with:
1) A zeroknowledge adversary only has access to the classifier
$ F $ ′s parameter, and has no knowledge of the detection model$ D $ .2) A perfectknowledge adversary is aware of the model
$ F $ , and the detection scheme$ D $ and its parameters.3) A limitedknowledge adversary is aware the model
$ F $ and the detection scheme$ D $ , but does not have access to$ D $ ′s parameter. That is, this adversary does not know the model′s training set.In all three of these threat settings, the detection tool is required to correctly classify the adversarial examples, and have low possibility of misclassifying benign examples. Next, we will go through some main methods for adversarial example detection.

Some works focus on designing auxiliary models that aim to distinguish adversarial examples from benign examples. The study [84] train a DNN model with
$ {\cal Y} = K+1 $ labels, with an additional label for all adversarial examples, so that network will assign adversarial examples into the$ K+1 $ class. Similarly, the work of Gong et al.^{[85]} trains a binary classification model to discriminate all adversarial examples apart from benign samples, and then trains a classifier on recognized benign samples.The work [86] proposed a detection method to construct an auxiliary neural network
$ D $ which takes inputs from the values of hidden nodes$ {\cal H} $ of the natural trained classifier. The trained detection classifier$ D: {\cal H} \rightarrow [0,1] $ is a binary classification model that distinguishes adversarial examples from benign ones by the hidden layers. 
Some early works heuristically study the differences in the statistical properties of adversarial examples and benign examples. For example, in the study [87], the authors found adversarial examples place a higher weight on the larger (later) principle components where the natural images have larger weight on early principle components. Thus, they can split them by principled component analysis (PCA).
In the work [84], the authors use a statistical test: maximum mean discrepancy (MMD) test^{[88]}, which is used to test whether two datsets are drawn from the same distribution. They use this testing tool to test whether a group of data points are benign or adversarial.

Other studies focus on checking the consistency of the sample
$ x $ ′s prediction outcome. They usually manipulate the model parameters or the input examples themselves, to check whether the outputs of the classifier have significant changes. These are based on the belief that the classifier will have stable predictions on natural examples under these manipulations.The work [89] randomizes the classifier using Dropout^{[90]}. If these classifiers give very different prediction outcomes on
$ x $ after randomization, this sample$ x $ is very likely to be an adversarial one.The work [17] manipulates the input sample itself to check the consistency. For each input sample
$ x $ , the authors reduce the color depth of the image (e.g., one 8bit grayscale image with 256 possible values for each pixel becomes a 7bit with 128 possible values), as shown in Fig. 9. The authors hypothesize that for natural images, reducing the color depth will not change the prediction result, but the prediction on adversarial examples will change. In this way, they can detect adversarial examples. Similar to reducing the color depth, the work [89] also introduced other feature squeezing methods, such as spatial smoothing. 
The study [16] bypassed 10 of the detection methods which fall into the three categories above. The feature squeezing methods were broken by Sharma and Chen^{[91]}, which introduced a “stronger” adversarial attack.
The authors in work [16] claim that the properties which are intrinsic to adversarial examples are not very easy to find. They also gave several suggestions on future detection works:
1) Randomization can increase the required attacking distortion.
2) Defenses that directly manipulate on raw pixel values are ineffective.
3) Evaluation should be down on multiple datasets besides MNIST.
4) Report false positive and true positive rates for detection.
5) Evaluate using a strong attack. Simply focusing on whitebox attacks is risky.

Adversarial examples also exist in graphstructured data^{[10, 97]}. Attackers usually slightly modify the graph structure and node features, in an effort to cause the graph neural networks (GNN) to give wrong prediction for node classification or graph classification tasks. These adversarial attacks therefore raise concerns on the security of applying GNN models. For example, a bank needs to build a reliable credit evaluation system where their model should not be easily attacked by malicious manipulations.
There are some distinct difference between attacking graph models and attacking traditional image classifiers:
1) Nonindependence. Samples of the graphstructured data are not independent: Changing one′s feature or connection will influence the prediction on others.
2) Poisoning attacks. Graph neural networks are usually performed in a transductive learning setting: The test data are also used to train the classifier. This means that we modify the test data, the trained classifier is also changed.
3) Discreteness. When modifying the graph structure, the search space for adversarial example is discrete. Previous gradient methods to find adversarial examples may be invalid in this case.
Below are the methods used by some successful works to attack and defend graph neural networks.

In this section, the notations and definitions of the graph structured data and graph neural network models are defined below. A graph can be represented as
$ G = \{\mathcal{V},\mathcal{E}\} $ , where$ \mathcal{V} $ is a set of$ N $ nodes and$ \mathcal{E} $ is a set of$ M $ edges. The edges describe the connections between the nodes, which can also be expressed by an adjacency matrix$ { A}\in \{0,1\}^{N\times N} $ . Furthermore, a graph$ G $ is called an attributed graph if each node in$ \mathcal{V} $ is associated with a$ d $ dimensional attribute vector$ x_v\in \mathbf{R}^{d} $ . The attributes for all the nodes in the graph can be summarized as a matrix$ { X}\in {\bf R}^{N\times d} $ , the$ i $ th row of which represents the attribute vector for node$ v_i $ .The goal of node classification is to learn a function
$ g: \mathcal{V}\rightarrow \mathcal{Y} $ that maps each node to one class in$ \mathcal{Y} $ , based on a group of labeled nodes in$ G $ . One of the most successful node classification models is graph convolutional network (GCN)^{[7]}. The GCN model keeps aggregating the information from neighboring nodes to learn representations for each node$ v $ ,$ H^{(0)} = X; \; \; \; H^{(l+1)} = \sigma(\hat{A} H^{(l)}W^l) $ where
$ \sigma $ is a nonlinear activation function, the matrix$ \hat{A} $ is defined as$ \hat{A} = \tilde{D}^{\frac{1}{2}} \tilde{A}\tilde{D}^{\frac{1}{2}} $ ,$ \tilde{A} = A + I_N $ , and$ \tilde{D}_{ii} = \sum_j \tilde{A}_{ij} $ . The last layer outputs the score vectors of each node for prediction:$ H^{(m)}_v = F(v,X) $ . 
In the work of Zugner et al.^{[10]}, they consider attacking node classification models, graph convolutional networks^{[7]}, by modifying the nodes connections or node features (binary). In this setting, an adversary is allowed to add/remove edges between nodes, or flip the feature of nodes with limited number of operations. The goal is to mislead the GCN model which is trained on the perturbed graph (transductive learning) to give wrong predictions. In their work, they also specify three levels of adversary capabilities: they can manipulate 1) all nodes, 2) a set of nodes
$ \mathcal{A} $ including the target victim$ x $ , and 3) a set of nodes$ \mathcal{A} $ which does not include target node$ x $ . A sketch is shown in Fig. 10.Figure 10. Adding an edge to alter the prediction of graph convolutional network (Image credit: Zugner et al.^{[10]})
Similar to the objective function in Carlini and Wagner^{[34]} for image data, they formulate the graph attacking problem as a search for a perturbed graph
$ G' $ such that the learned GCN classifier$ Z^* $ has the largest score margin:$ \max\limits_{i \neq y}\; \; \ln(Z^*_{y}(v_0,G'))  \ln (Z^*_{i}(v_0,G')). $ (9) The authors solve this objective by finding perturbations on a fixed, linearized substitute GCN classifier
$ G_{sub} $ which is trained on the clean graph. They use a heuristic algorithm to find the most influential operations on graph$ G_{sub} $ (e.g., removing/adding the edge or flipping the feature which can cause largest increase in (9)). The experimental results demonstrate the adversarial operations are also effective on the later trained classifier$ Z^* $ .During the attacking process, the authors also impose two key constraints to ensure the similarity of the perturbed graph to the original one: 1) the degree distribution should be maintained, and 2) two positive features which never happen together in
$ G $ should also not happen together in$ G' $ . Later, some other graph attacking works (e.g., [98]) suggest the eigenvalues/eigenvectors of the graph Laplacian matrix should also be maintained during attacking, otherwise the attacks are easily detected. However, there is still no firm consensus on how to formally define the similarity between graphs and generate unnoticeable perturbation. 
Different from Zugner′s greedy method, the work of Dai et al.^{[97]}, introduced a reinforcement learning method to attack the graph neural networks. This work only considers adding or removing edges to modify the graph structure.
In the work′s setting of [97], a node classifier
$ F $ trained on the clean graph$ G^{(0)} = G $ is given, node classifier$ F $ is unknown to the attacker, and the attacker is allowed to modify$ m $ edges in total to alter$ F $ ′s prediction on the victim node$ v_0 $ . The authors formulate this attacking mission as a QLearning game^{[99]}, with the defined Markov decision process as below:1) State. The state
$ s_t $ is represented by the tuple$ (G^{(t)},v_0) $ , where$ G^{(t)} $ is the modified graph with t iterative steps.2) Action. To represent the action to add/remove edges, a single action at time step
$ t $ is$ a_t\in \mathcal{V}\times\mathcal{V} $ , which means the edge to be added or removed.3) Reward. In order to encourage actions to fool the classifier, we should give positive reward if
$ v_0 $ ′s label is altered. Thus, the authors define the reward function as:$ r(s_t,a_t) = 0, \forall t = 1,2, \cdots ,m1 $ , and for the last step:$ r({s_m},{a_m}) = \left\{ {\begin{array}{*{20}{l}} 1,&{{\rm{if}}\;\;C({v_0},{G^{(m)}}) \ne y}\\ {  1},&{{\rm{if}}\;\;C({v_0},{G^{(m)}}) = y.} \end{array}} \right. $ 4) Termination. The process stops once the agent finishes modifying
$ m $ edges.The Qlearning algorithm helps the adversary have knowledge about which actions to take (add/remove which edge) on the given state (current graph structure), in order to get largest reward (change
$ F $ ′s output). 
Previous graph attack works only focus on attacking one single victim node. Meta learning attack^{[100]} attempt to poison the graph so that the global node classification performance of GCN can be undermined and made almost useless. Their approach is based on meta learning^{[101]}, which is traditionally used for hyperparameter optimization, fewshot image recognition, and fast reinforcement learning. In the work [100], they use meta learning technique which takes the graph structure as the hyperparameter of the GCN model to optimize. Using their algorithm to perturb
$ 5\% $ edges of a CITESEER graph dataset, they can increase the misclassification rate to over$ 30\% $ . 
Node embedding attack^{[102]} studies how to perturb the graph structure in order to corrupt the quality of node embedding, and consequently hinder subsequent learning tasks such as node classification or link prediction. Specifically, they study DeepWalk^{[103]} as a randomwalk based node embedding learning approach and approximately find the graph which has the largest loss of the learned node embedding.

The ReWatt method^{[98]} attempts to attack the graph classification models, where each input of the model is a whole graph. The proposed algorithm can mislead the model by making unnoticeable perturbations on graph.
In their attacking scheme, they utilize reinforcement learning to find a rewiring operation
$ a = (v_1,v_2,v_3) $ at each step, which is a set of 3 nodes. The first two nodes were connected in the original graph and the edge between them is removed in the first step of the rewiring process. The second step of the rewiring process adds an edge between the nodes$ v_1 $ and$ v_3 $ , where$ v_3 $ is constrained to be within$ 2 $ hops away from$ v_1 $ . Some analysis^{[98]} show that the rewiring operation tends to keep the eigenvalues of the graph′s Laplacian matrix, which makes it difficult to detect the attacker. 
Many works have shown that graph neural networks are vulnerable to adversarial examples, even though there is still no consensus on how to define the unnoticeable perturbation. Some defending works have already appeared. Many of them are inspired by the popular defense methodology in image classification, using adversarial training to protect GNN models^{[104, 105]}, which provides moderate robustness.
Adversarial Attacks and Defenses in Images, Graphs and Text: A Review
 Received: 20191013
 Accepted: 20191111
 Published Online: 20200327

Key words:
 Adversarial example /
 model safety /
 robustness /
 defenses /
 deep learning
Abstract: Deep neural networks (DNN) have achieved unprecedented success in numerous machine learning tasks in various domains. However, the existence of adversarial examples raises our concerns in adopting deep learning to safetycritical applications. As a result, we have witnessed increasing interests in studying attack and defense mechanisms for DNN models on different data types, such as images, graphs and text. Thus, it is necessary to provide a systematic and comprehensive overview of the main threats of attacks and the success of corresponding countermeasures. In this survey, we review the state of the art algorithms for generating adversarial examples and the countermeasures against adversarial examples, for three most popular data types, including images, graphs and text.
^{1}Note that the softmax function at a temperatureCitation:  Han Xu, Yao Ma, HaoChen Liu, Debayan Deb, Hui Liu, JiLiang Tang and Anil K. Jain. Adversarial Attacks and Defenses in Images, Graphs and Text: A Review. International Journal of Automation and Computing, vol. 17, no. 2, pp. 151178, 2020. doi: 10.1007/s116330191211x 