Adversarial Attacks on Variational Autoencoders
Abstract
Adversarial attacks are malicious inputs that derail machinelearning models. We propose a scheme to attack autoencoders, as well as a quantitative evaluation framework that correlates well with the qualitative assessment of the attacks. We assess — with statistically validated experiments — the resistance to attacks of three variational autoencoders (simple, convolutional, and DRAW) in three datasets (MNIST, SVHN, CelebA), showing that both DRAW’s recurrence and attention mechanism lead to better resistance. As autoencoders are proposed for compressing data — a scenario in which their safety is paramount — we expect more attention will be given to adversarial attacks on them.
1 Introduction
Adversarial attacks derail models by crafting malicious inputs. Image classifiers mislabel those inputs — visually indistinguishable from ordinary ones — with high confidence.
In comparison to the extensive literature on adversarial attacks for classifiers, attacks for autoencoders are mostly unexplored, possibly because those attacks are hard both to perform and to assess. Still, as autoencoders are advanced as powerful schemes for compressing information gregor2016towards (), attacks on them are potentially at least as dangerous as attacks on classifiers. In a hypothetical example, an attacker may present someone a document (e.g., a contract, or agreement), which upon transmission turns into a different one (Figure 1).
Evaluating generative models is hard theis2015note (), there are no clearcut success criteria for autoencoder reconstruction, and therefore, neither for the attack. We bypass that difficulty by analyzing how inputs and outputs differ across varying compromises between distorting the input and approaching the target.
In this paper, we propose a scheme to attack autoencoders, as well as a quantitative evaluation framework for the attacks that bypass the need for a success criterion. We compare three kinds of autoencoders: simple variational autoencoders (with fullyconnected layers), convolutional variational autoencoders, and DRAW — a recently proposed recurrent variational autoencoder with an attention mechanism gregor2015draw (). We show that the latter is more resistant to the attacks, and that its recurrent and attention mechanism both contribute to the resistance. We run all — statistically validated — experiments in three datasets (MNIST, SVHN, and CelebA) and show that our quantitative assessment correlates well with a qualitative perception of the attacks.
2 Autoencoders, Generative Models, and Variational Autoencoders
Autoencoders are neural networks that compress their input into a smaller latent representation (encoder), and then reconstruct the input from that representation (decoder). Autoencoders are trained endtoend by backpropagation, with a loss that reflects the difference between input and output, e.g., . (Figure 2)
Autoencoders admit many variations: sparse ng2011sparse (), denoising vincent2010stacked (), variational kingma2013auto (); rezende2014stochastic (), Wasserstein tolstikhin2017wasserstein (), symmetric pu2017advsymmetric (), etc. They differ on the encoding/decoding architectures, on the computation of the loss, or on the noise inserted into the network.
Variational autoencoders (VAEs) are particularly interesting since they behave as both autoencoders and as generative models. VAEs have stochastic latent representations, which, once trained, can be decoded to generate samples similar (but not identical) to those in the original dataset. Together with Generative Adversarial Networks (GANs) goodfellow2014generative (), VAEs are the most studied deep generative models. There are attempts to unify VAEs and GANs into a single framework pu2017advsymmetric (); larsen2015vaegan (); makhzani2016advvae (); mescheder2017advvaebayes (); makhazani2017pixel (). Although that generative aspect of VAEs is one of their main appeals, in this paper we will approach them only as autoencoders.
In VAEs, the latent representation is a parametric distribution. The encoder outputs the parameters of that distribution from the observed input. The decoder samples the latent distribution and tries to reconstruct something similar to the input. VAEs learn the encoder and decoder parameters endtoend by backpropagation, maximizing the probability that sampling from the latent distribution leads to a good reconstruction of the input, in a maximum marginal likelihood framework.
The encoder and decoder can be implemented with different neural architectures: multilayer perceptron kingma2013auto (), convolutional radford2015unsupervised (), or even recurrent hochreiter1997long (). We are particularly interested in the recently proposed DRAW gregor2015draw (), which uses LSTMs with an attention mechanism, using a metaphor of “painting” the image in a canvas, step by step.
Formally, VAEs are probabilistic models that aim at maximizing , where is our training set, and are the network parameters. We introduce a stochastic latent representation and maximize the marginal probability distribution (Equation 1) over it:
(1) 
In theory, the prior is arbitrary, but in practice a standard multivariate Gaussian is most often employed kingma2013auto (). Since the integration in Equation 1 is intractable, we opt to maximize its variational lower bound (Equation 2), where are the encoder parameters and is the KL divergence.
(2) 
In variational approaches, an approximate posterior is used in place of the true posterior . In VAEs, this approximate posterior is , where are the parameters of the decoder and usually is an uncorrelated multivariate Gaussian as shown in Equation 3.
(3) 
VAEs exploit the universal approximator property of neural networks hornik1991approximation () to use a Gaussian distribution in Equation 2, and transform the posterior by learning the decoder parameters. That approach makes the problem tractable, since the KL divergence now has analytic form kingma2013auto (). Finally, the “reparameterization trick” allows the model to be differentiated endtoend kingma2015variational (). The trick consists on parameterizing the random variables as a differentiable transformation of a noise variable such as .
3 Adversarial Attacks on Variational Autoencoders
Following the seminal paper of Szegedy et al. szegedy2013intriguing (), adversarial attacks on neural networks classifiers attracted much attention goodfellow2014explaining (); tabacof2015exploring (); kurakin2016adversarial (). Those attacks aim at creating small distortions on the input (most often images) that lead to misclassification. Attacks can aim at a target wrong class szegedy2013intriguing (); tabacof2015exploring (); dezfooli2016deepfool (); carlini2016towards () (targeted), or they can aim at any class other than the right one (untargeted) goodfellow2014explaining (); kurakin2016advexamples (). Stateoftheart attacks produce essentially imperceptible distortions that make the classifier predict the wrong class with high confidence.
Attacking autoencoders follows a parallel course: the aim is to induce minimal distortions on the input that disrupt the reconstructed output (Figure 3). The attack can aim at reconstructing a particular wrong input (targeted), or just at thwarting the reconstruction (untargeted). In this paper we focus on targeted attacks.
Compared to attacks on classifiers, attacks on autoencoders are much less explored. Sabour et al. sabour2015adversarial (), while still working on classifiers, introduced the notion of attacking internal layers of deep neural networks. Tabacof et al. tabacof2016advvae () introduced attacks on autoencoders and variational autoencoders, showing that they are possible, although much harder than attacks on classifiers. They attacked the latent representation with a KLdivergence objective in both MNIST and SVHN. They proposed the graphs we call Distortion–Distortion plots here and evaluated attack success by visual inspection of those graphs. They also showed that there is a linear compromise between the intensity of the input distortion and the degree of success in the attack for both autoencoders and classifiers. Kos et al. kos2017advexam () followed up with a work that attacked both the latent representation and the output of VAE–GAN autoencoders. They proposed three modes of attack: attacking an extraneous classifier after the latent representation, attacking the latent representation directly with an objective, and attacking the output of the decoder using the VAE loss function. They introduced a quantitative, although indirect, evaluation of attack inferred from success in fooling the extraneous classifier.
Attacking autoencoders is a more involved procedure than attacking classifiers. In the latter we target a small output vector, often focusing at just one or two values on that vector. In the former we need to address a very highdimensional output. Targeted attacks to autoencoders consist in adding (as small as possible) adversarial distortion to the original input in order make the reconstructed output as close as possible to the target (Figure 3).
Attacks are performed on trained models, whose weights are kept constant, while minimizing the change to the input. The most “obvious” attack also minimizes the difference between the output and the target, as explained in Equation 4.
(4)  
s.t. 
where is the adversarial distortion, is the adversarial input, and its output reconstruction is reconstructed from a sample of (the latent representation, which in variational autoencoders is a distribution). and are the bounds of the input space, i.e., that is valid as input to the . is the regularization constant that balances approaching the target and limiting the input distortion. is the target, and is the distance used to compare it to the output, in our case, .
A less obvious attack minimizes the difference between latent representations, which attacks the network at its smallest layer. That attack implies solving the optimization in Equation 5.
(5)  
s.t. 
where is the latent representation of the target, and the other symbols are the same as in Equation 4. Here, use the KLdivergence as . Although it is not a true metric, it intuitively measures the (asymmetric) difference between two distributions, so it is a proxy for the distance between the latent representations.
4 Measuring the Success of Attacks on Autoencoders
When attacking classifiers, there is a clearcut criterion for success: the target class has higher probability than all others (on targeted attacks), or the right class has lower probability than some other (on untargeted attacks). That criterion is used, in one way or another, to perform the attack: one can optimize the input distortion until that criterion is satisfied szegedy2013intriguing (); tabacof2015exploring (), establish a maximum input distortion and observe if the criterion is satisfied goodfellow2014explaining (); sabour2015adversarial (), etc.
When attacking autoencoders, we want to maximize the disruption on the output (untargeted attacks) or its similarity to a target image (targeted attacks), while minimizing the input distortion, but there is no sharp criterion for success.
For targeted attacks, Tabacof et al. tabacof2016advvae () proposed graphs that examine the entire spectrum of compromises between approaching the target and distorting the original (Figure 4). They do not name such graphs, which we choose to call Distortion–Distortion plots. Using a set of boundaries (explained below), they normalize those graphs, and use visual inspection on stacked normalized plots of various cases to compare attacks.
Kos et al. kos2017advexam () provide a quantitative metric based on an ancillary classifier network. The classifier uses the latent representation as input, and is trained on labels that may be arbitrary, but must have a relationship to the input (they cannot be random labels). They compute two metrics: success rate ignoring the target (how often the reconstruction of the attack input mislead the classifier), and success considering the target (how often the reconstruction of the attack input matched with the class of the target).
Those propositions have complementary drawbacks. Tabacof et al.’s allows only qualitative analysis. Kos et al.’s evaluate a different criterion than we evaluate here: not whether the target is reconstructed (in semantics and appearance), but whether it reproduces the semantics of the class. It works only for labeled data.
We address those shortcomings with the AUDDC (Area under Distortion–Distortion Curve). For a given original and target pair, we compute different results, with different approximation compromises. All attacks can vary, in one way or another, this compromise: in our case, we vary the values of in Equations 4 and 5). The Distortion–Distortion plots show, for each attempt, how much we distorted the original and how much we approached the target (both measured by ). We add limiting lines to the plot: no distortion added (and original reconstruction) at the leftmost/gray and topmost/orange lines; the distance between the target and the reconstruction of the target by the model at the bottommost/red line; the distance between the original and target image. Those limits represent, respectively, the starting point, the intrinsic limitation of the model, and the maximum “sensible” distortion (which allows going from the original to the target directly). We normalize the graph so that the distance between those lines is 1. The AUDDC is the area under the curve given by the linear interpolation of the points. The closer this area is to 1, the more resistant the model was to the attack (the less successful the attack was).
5 Data and Methods
Datasets: We employed three datasets — MNIST lecun1998mnist (), SVHN netzer2011reading (), and CelebA liu2015faceattributes () — with the respective training and test splits. We expected those datasets to present increasing levels of challenge for the autoencoders: MNIST has handwritten decimal single digits, without color, SVHN has multidigit street numbers in several styles and colors, and CelebA has human faces in color.
Models: We evaluated four models — variational autoencoder with fullyconnected layers as encoder/decoder (VAE); variational autoencoder with convolutional layers as encoder and deconvolutional layers as decoder (CVAE); the recurrent autoencoder DRAW gregor2015draw () without and with its attention mechanism. Following literature kingma2013auto (), we modeled pixel likelihoods as independent Bernoullis in MNIST, and as independent Gaussians in SVHN and CelebA. In all models, the latent representations ( and in Equations 4 and 5) are uncorrelated multivariate normal distributions with parameters given by the encoder.
Extended hyperparameter exploration was not the scope of this study. Still, adversarial attacks are not interesting if the attacked model is bad in itself. To obtain good reconstructions, we started with hyperparameters given by deep learning “guild knowledge” on each dataset, and made minimal finetuning until the reconstruction quality (without attack) was good. For DRAW, we start with the models suggested in the original paper gregor2015draw (). The quality of each model can be appreciated in Figure 5. We give details about the models below:
VAE (all datasets) — Encoder and Decoder: fully(512) fully(512).
CVAE–MNIST — Encoder: conv(32,4) conv(64,4) conv(128,4) fully(512); Decoder: fully(512) dconv(128,3) dconv(64,3) dconv(32,2) dconv(16,2).
CVAE–SVHN — Encoder: same as MNIST; Decoder: fully(512) dconv(128,5) dconv(64,5) dconv(32,5).
CVAE–CelebA — Encoder: conv(32,4) conv(64,4) conv(128,4) conv(256,4) fully(512); Decoder: fully(512) dconv(256,5) dconv(128,5) dconv(64,5) dconv(32,5).
DRAW–MNIST — Encoder and Decoder: LSTM = 256 units, attention window = 88 pixels.
DRAW–SVHN — Encoder and Decoder: LSTM = 256 units, attention window = 1616 pixels.
DRAW–CelebA — Encoder and Decoder: LSTM = 2500 units (1 timestep) / 400 units (16 timesteps), attention window = 2424 pixels.
In the notation above, fully() is a fullyconnected layer with units, and (d)conv(,) is a (de)convolutional layer with filters of size . All (de)convolutional layers had stride = 2.
Training: Each model was trained for 500 epochs. At every 10 epochs, we evaluated the loss on the validation set – 20% of random samples removed from the training set – keeping the weights that offered minimal loss. The training/validation loss was the ELBO (Equation 2). We approximated the expectation by sampling the posterior once. We extracted the gradients with automatic differentiation and maximized the ELBO with Adam kingma2014adam (), with a learning rate of and batch size of .
Evaluating: For each dataset, we picked at random an evaluation set with 20 original–target image pairs from the test set. The evaluation set is the same across all models evaluated, to reduce spurious variability. We show an example of a pair of input and reconstructed image in Figure 2.
To evaluate a given imagepair, we perform the attack as explained below, for 51 values of the regularization constant (, with 50 values of equally spaced between and , inclusive. After all 51 attacks are completed, we compute the metric (explained in Section 4) for that imagepair.
Attacking: To compute a single point on the Distortion–Distortion plot we pick a value for the regularization constant and solve the optimization problem described in Equation 5 (if attacking the latent representation) or in Equation 4 (if attacking the output). The model itself does not change during the attack: its weights remain constant.
We use LBFGSB zhu1997lbfgsb () as optimizer, with initial disturbance sampled from a uniform distribution , 25 corrections on the memory matrix, and termination test tolerance of 10. All other parameters are SciPy scipy () defaults. LBFGSB ensures the constraints on pixel limits, and is often employed for adversarial attacks szegedy2013intriguing ().
Since VAEs are inherently stochastic, we performed 128 attacks to compute a single point — we implemented this as working on a batch of images, where all inputs are the original image, and all outputs are the target image. The measured distortions for the point (Section 4) are the average distortion for the 128 attempts.
Experimental Design: we considered five factors (with respective levels) in our design: (1) Dataset: MNIST, SVHN, CelebA; (2) Model: VAE, CVAE, DRAW, DRAWAttention; (3) Size of latent representation: Small, Large (32 vs. 128 for MNIST and SVHN; 256 vs. 2048 for CelebA); (4) Timesteps: 1, 16 (only for DRAW and DRAWAttention); (5) Layer attacked: Latent, Output.
That design resulted in 72 treatments. Each treatment is evaluated across the 20 imagepairs in the evaluation set of its dataset, and assigned the average of the evaluation metric over those pairs.
We did both a quantitative and a qualitative analysis. For the quantitative analysis, we averaged the AUDDC for the chosen factors. To check which factors lead to significant influence, we used a multiway ANOVA, with secondorder interactions, and posthoc Tukey honest significant differences.
For the qualitative analysis, we visually analyzed the results of five randomly selected imagepairs from each dataset.
Hardware/Software: We coded
6 Results and Analysis
VAE  CVAE  DRAW*  DRAW  DRAW*  DRAW  

Steps  —  —  1  1  16  16  
Attacks on latent representation  
MNIST  27 2  35 3  27 1  35 3  71 5  91 3  47 3 
SVHN  19 1  18 1  09 1  27 2  74 6  96 2  41 4 
CelebA  31 1  28 1  21 2  36 1  81 4  97 1  49 4 
25 1  27 2  19 2  33 1  75 3  95 1  46 2  
Attacks on output  
MNIST  35 2  56 3  38 2  48 4  29 3  69 4  46 2 
SVHN  19 1  19 2  13 1  27 2  21 2  34 2  22 1 
CelebA  27 1  24 1  31 3  35 1  29 2  40 1  31 1 
27 1  33 3  27 2  37 2  26 1  47 3  33 1  
All attacks  
MNIST  31 2  45 3  32 2  42 3  50 5  80 3  47 2 
SVHN  19 1  19 1  11 1  27 1  47 7  65 7  31 2 
CelebA  29 1  26 1  26 2  36 1  55 6  68 7  40 2 
26 1  30 2  23 1  35 1  51 4  71 3  39 1 

* Attention mechanism disabled.
Table 1 summarizes the main quantitative results. We show the averages and 95%confidence intervals of the AUDDC for every combination of model, dataset, number of timesteps (for DRAW), and layer attacked, as well as the marginal statistics. We averaged over the size of latent representation and the imagepairs. The values appear 100 to reduce visual clutter. The ANOVA + posthoc Tukey found significant differences (all pvalues<0.015) for all pairs of levels of all factors shown on the table.
Attacking autoencoders is relatively difficult if compared to attacking classifiers, where the distortions can be invisible to the human eye. Different models pose different challenges for the attack. DRAW, in particular, was much more resistant to our attacks — and both its recurrent mechanism and its attention mechanism were important in conferring that resistance. The choice of datasets also influenced the challenges, with SVHN being the easiest to attack, and CelebA being the hardest.
The qualitative results appear in Figure 5. Although some features are immediately visible, to better appreciate the details, we suggest zooming in the digital version of the article. We contrast VAE, CVAE, DRAW without attention, and DRAW (both with 16 timesteps). We picked the most successful attack for each model (latent layer for VAE and CVAE, output layer for DRAW), the opposite case is available as supplemental material. For each dataset, we sampled at random five image pairs from the twenty used in the evaluation. For each experiment, a single imagepair consists of 51 attacks (different values of the regularization constant). In each case, we chose a midway attack, the closest to the average in the horizontal axis of the Distortion–Distortion plot (as shown in the red dot in Figure 4)
Attacking autoencoders is clearly difficult: no attack succeed in reconstructing the target image well without incurring in immediately visible distortions to the input. Again, the superior resistance of DRAW with attention appears: the attacks fail to reach the target, incur in large distortions to the input, or both. Although we only attempted targeted attacks, untargeted resistance can be appreciated to some extent, by comparing in each group (b) to (e) the 1st and the 3rd columns: if the model resisted the attack, those columns should be nearly identical.
7 Discussion
Attacking autoencoders remains a hard task. No attack can both convincingly reconstruct the target while keeping the distortions on the input imperceptible. Still, not all attempts are equal: some models are significantly more resistant than others. The AUDDC metric allows quantifying that resistance, bypassing the need to establish a clearcut criterion of success for the attacks. We attempted other metrics (e.g., the slope of a regression on the Distortion–Distortion plots) but found that the AUDDC is better correlated with our subjective perception of resistance to attacks.
We expected attacks on SVHN to be more challenging than on MNIST, but neither the quantitative or the qualitative analyses confirmed this: the easiest dataset was SVHN, and the harder (as expected) was CelebA. Maybe the smaller surface of attack of MNIST (2828 input values) compensates for its simplicity, while the huge complexity of CelebA compensates for its larger surface of attack. Our results suggest a correlation between the autoencoders intrinsic quality and its resistance to attack. Such correlation does not exist for classifiers, where the best models are not necessarily less susceptible tabacof2015exploring (). Precisely what makes a dataset or model harder to attack is still an exciting open question for future works.
The literature on adversarial attacks on autoencoders is extremely scarce. We expect this to change as autoencoders are advanced as compression schemes for data transmission and storage — scenarios in which their safety will become paramount.
Acknowledgments
We thank Guilherme de Lázari for initial ideas and code, and Julia Tavares for images and ideas. We thank Brazilian agencies CAPES, CNPq and FAPESP for financial support. We gratefully acknowledge NVIDIA Corporation for donating a Tesla K40 and a Titan X. George GondimRibeiro is funded by FAPESP grant (2017/037062) and Eduardo Valle is partially supported by Google Awards LatAm 2017 grant, and by CNPq PQ2 grant (311905/20170).
Footnotes
 The code can be found at https://github.com/gondimribeiro/advattacksvae/.
References
 Karol Gregor, Frederic Besse, Danilo Jimenez Rezende, Ivo Danihelka, and Daan Wierstra. Towards conceptual compression. In Advances in Neural Information Processing Systems 29: Annual Conference on Neural Information Processing Systems 2016, December 510, 2016, Barcelona, Spain, pages 3549–3557, 2016.
 Jernej Kos, Ian Fischer, and Dawn Song. Adversarial examples for generative models. CoRR, abs/1702.06832, 2017.
 Lucas Theis, Aäron van den Oord, and Matthias Bethge. A note on the evaluation of generative models. In Proceedings of the International Conference on Learning Representations (ICLR), 2016. arXiv:1511.01844.
 Karol Gregor, Ivo Danihelka, Alex Graves, Danilo Jimenez Rezende, and Daan Wierstra. DRAW: A recurrent neural network for image generation. In Proceedings of the 32nd International Conference on Machine Learning, ICML 2015, Lille, France, 611 July 2015, pages 1462–1471, 2015.
 Andrew Ng. Sparse autoencoder. CS294A Lecture notes, 72:1–19, 2011.
 Pascal Vincent, Hugo Larochelle, Isabelle Lajoie, Yoshua Bengio, and PierreAntoine Manzagol. Stacked denoising autoencoders: Learning useful representations in a deep network with a local denoising criterion. The Journal of Machine Learning Research, 11:3371–3408, 2010.
 Diederik P Kingma and Max Welling. Autoencoding variational Bayes. In Proceedings of the International Conference on Learning Representations (ICLR), 2014. arXiv:1312.6114.
 Danilo Jimenez Rezende, Shakir Mohamed, and Daan Wierstra. Stochastic backpropagation and approximate inference in deep generative models. In Proceedings of the 31th International Conference on Machine Learning, ICML 2014, Beijing, China, 2126 June 2014, pages 1278–1286, 2014.
 Ilya Tolstikhin, Olivier Bousquet, Sylvain Gelly, and Bernhard Schoelkopf. Wasserstein autoencoders. In International Conference on Learning Representations, 2018.
 Yuchen Pu, Weiyao Wang, Ricardo Henao, Liqun Chen, Zhe Gan, Chunyuan Li, and Lawrence Carin. Adversarial symmetric variational autoencoder. In I. Guyon, U. V. Luxburg, S. Bengio, H. Wallach, R. Fergus, S. Vishwanathan, and R. Garnett, editors, Advances in Neural Information Processing Systems 30, pages 4330–4339. Curran Associates, Inc., 2017.
 Ian Goodfellow, Jean PougetAbadie, Mehdi Mirza, Bing Xu, David WardeFarley, Sherjil Ozair, Aaron Courville, and Yoshua Bengio. Generative adversarial nets. In Advances in Neural Information Processing Systems, pages 2672–2680, 2014.
 Anders Boesen Lindbo Larsen, Søren Kaae Sønderby, Hugo Larochelle, and Ole Winther. Autoencoding beyond pixels using a learned similarity metric. In Proceedings of the 33rd International Conference on International Conference on Machine Learning  Volume 48, ICML’16, pages 1558–1566. JMLR.org, 2016.
 Alireza Makhzani, Jonathon Shlens, Navdeep Jaitly, and Ian J. Goodfellow. Adversarial autoencoders. CoRR, abs/1511.05644, 2015.
 Lars Mescheder, Sebastian Nowozin, and Andreas Geiger. Adversarial variational bayes: Unifying variational autoencoders and generative adversarial networks. In International Conference on Machine Learning (ICML), 2017.
 Alireza Makhzani and Brendan J Frey. Pixelgan autoencoders. In I. Guyon, U. V. Luxburg, S. Bengio, H. Wallach, R. Fergus, S. Vishwanathan, and R. Garnett, editors, Advances in Neural Information Processing Systems 30, pages 1975–1985. Curran Associates, Inc., 2017.
 Alec Radford, Luke Metz, and Soumith Chintala. Unsupervised representation learning with deep convolutional generative adversarial networks. In Proceedings of the International Conference on Learning Representations (ICLR), 2016. arXiv:1511.06434.
 Sepp Hochreiter and Jürgen Schmidhuber. Long shortterm memory. Neural Comput., 9(8):1735–1780, November 1997.
 Kurt Hornik. Approximation capabilities of multilayer feedforward networks. Neural networks, 4(2):251–257, 1991.
 Avrim Blum, Nika Haghtalab, and Ariel D. Procaccia. Variational dropout and the local reparameterization trick. In Advances in Neural Information Processing Systems 28: Annual Conference on Neural Information Processing Systems 2015, December 712, 2015, Montreal, Quebec, Canada, pages 2575–2583, 2015.
 Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. Intriguing properties of neural networks. In Proceedings of the International Conference on Learning Representations (ICLR), 2014. arXiv:1312.6199.
 Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. In Proceedings of the International Conference on Learning Representations (ICLR), 2015. arXiv:1412.6572.
 Pedro Tabacof and Eduardo Valle. Exploring the space of adversarial images. In 2016 International Joint Conference on Neural Networks, IJCNN 2016, Vancouver, BC, Canada, July 2429, 2016, pages 426–433, 2016.
 Alexey Kurakin, Ian Goodfellow, and Samy Bengio. Adversarial examples in the physical world. In International Conference on Learning Representations (ICLR) Workshop, 2017. arXiv:1607.02533.
 SeyedMohsen MoosaviDezfooli, Alhussein Fawzi, and Pascal Frossard. Deepfool: A simple and accurate method to fool deep neural networks. 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 2574–2582, 2016.
 Nicholas Carlini and David A. Wagner. Towards evaluating the robustness of neural networks. In 2017 IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, May 2226, 2017, pages 39–57, 2017.
 Alexey Kurakin, Ian J. Goodfellow, and Samy Bengio. Adversarial examples in the physical world. CoRR, abs/1607.02533, 2016.
 Sara Sabour, Yanshuai Cao, Fartash Faghri, and David J Fleet. Adversarial manipulation of deep representations. In Proceedings of the International Conference on Learning Representations (ICLR), 2016. arXiv:1511.05122.
 Pedro Tabacof, Julia Tavares, and Eduardo Valle. Adversarial images for variational autoencoders. CoRR, abs/1612.00155, 2016.
 Yann LeCun, Corinna Cortes, and Christopher JC Burges. The MNIST database of handwritten digits, 1998.
 Yuval Netzer, Tao Wang, Adam Coates, Alessandro Bissacco, Bo Wu, and Andrew Y Ng. Reading digits in natural images with unsupervised feature learning. In NIPS 2011 Workshop on Deep Learning and Unsupervised Feature Learning, 2011.
 Ziwei Liu, Ping Luo, Xiaogang Wang, and Xiaoou Tang. Deep learning face attributes in the wild. In Proceedings of the 2015 IEEE International Conference on Computer Vision (ICCV), ICCV ’15, pages 3730–3738, Washington, DC, USA, 2015. IEEE Computer Society.
 Diederik Kingma and Jimmy Ba. Adam: A method for stochastic optimization. In Proceedings of the International Conference on Learning Representations (ICLR), 2015. arXiv:1412.6980.
 Ciyou Zhu, Richard H. Byrd, Peihuang Lu, and Jorge Nocedal. Algorithm 778: LBFGSB: Fortran subroutines for largescale boundconstrained optimization. ACM Trans. Math. Softw., 23(4):550–560, December 1997.
 Eric Jones, Travis Oliphant, Pearu Peterson, et al. SciPy: Open source scientific tools for Python, 2001–. [Online; accessed 18 May 2018].
 Martín Abadi, Ashish Agarwal, Paul Barham, Eugene Brevdo, Zhifeng Chen, Craig Citro, Greg S. Corrado, Andy Davis, Jeffrey Dean, Matthieu Devin, Sanjay Ghemawat, Ian Goodfellow, Andrew Harp, Geoffrey Irving, Michael Isard, Yangqing Jia, Rafal Jozefowicz, Lukasz Kaiser, Manjunath Kudlur, Josh Levenberg, Dandelion Mané, Rajat Monga, Sherry Moore, Derek Murray, Chris Olah, Mike Schuster, Jonathon Shlens, Benoit Steiner, Ilya Sutskever, Kunal Talwar, Paul Tucker, Vincent Vanhoucke, Vijay Vasudevan, Fernanda Viégas, Oriol Vinyals, Pete Warden, Martin Wattenberg, Martin Wicke, Yuan Yu, and Xiaoqiang Zheng. TensorFlow: Largescale machine learning on heterogeneous systems, 2015. Software available from tensorflow.org.