Generating Out of Distribution Adversarial Attack Using Latent Space Poisoning

Traditional adversarial attacks rely upon the perturbations generated by gradients from network which are generally safeguarded gradient guided search to provide an counterpart network. In this letter, we propose a novel framework generate examples where actual image is not corrupted rather its latent space representation utilized tamper inherent structure of while maintaining perceptual quality intact and act as legitimate data samples. As opposed gradient-based attacks, poisoning exploits inclination classifiers model independent identical distribution training dataset tricks it producing out We train disentangled variational autoencoder (β-VAE) in then add noise using class-conditioned function under constraint that misclassified target label. Our empirical results on MNIST, SVHN, CelebA validate can easily fool robust l 0 , xmlns:xlink="http://www.w3.org/1999/xlink">2 xmlns:xlink="http://www.w3.org/1999/xlink">∞ norm designed provably defense mechanisms. The source code made publicly available at https://github.com/Ujjwal-9/latent-space-poisoning.