One thing I do when a new attack is published is to see whether the 'JPEG' defense works. That is, will the JPEG-compressed version of the adversarial image retain its adversarial threat?
It turns out the attack from the OpenAI authors does not pass this JPEG defense test.

Please note:

1: There have been a couple of studies on the effect of JPEG compression on adversarial images. See:
https://arxiv.org/pdf/1705.02900.pdf
https://arxiv.org/pdf/1608.00853.pdf

2: This is NOT a 'voila, busted!' claim. The most straightforward counter-attack is to include JPEG compression in the transformation set (T) from the paper. That said, the defender only has to concoct a custom transformation that is not covered by T. For example, I also found that a scanned paper printout of the image did not retain its adversarial threat (posted on the original blog).

3: This is a work in progress. GitHub link: https://github.com/vinayprabhu/Jpeg_Defense
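For concreteness, here is a minimal sketch of the kind of round-trip check I mean. This is not the repo code; it assumes a stock torchvision ResNet-50 ImageNet classifier as a stand-in for whatever model the attack actually targeted, and "adversarial.png" is just a placeholder for the attack's output image.

    import io

    import torch
    from PIL import Image
    from torchvision import models, transforms

    # Stock ImageNet classifier as a stand-in for the attacked model.
    model = models.resnet50(weights=models.ResNet50_Weights.IMAGENET1K_V1).eval()
    preprocess = transforms.Compose([
        transforms.Resize(256),
        transforms.CenterCrop(224),
        transforms.ToTensor(),
        transforms.Normalize(mean=[0.485, 0.456, 0.406],
                             std=[0.229, 0.224, 0.225]),
    ])

    def predict(img):
        # Argmax class index for a PIL image.
        with torch.no_grad():
            return int(model(preprocess(img).unsqueeze(0)).argmax(dim=1))

    def jpeg_round_trip(img, quality=75):
        # Encode to JPEG in memory and decode back, no disk I/O.
        buf = io.BytesIO()
        img.convert("RGB").save(buf, format="JPEG", quality=quality)
        buf.seek(0)
        return Image.open(buf)

    adv = Image.open("adversarial.png")      # placeholder: the attack's output image
    before = predict(adv)                    # label on the raw adversarial image
    after = predict(jpeg_round_trip(adv))    # label after the JPEG round trip

    print("pre-JPEG prediction :", before)
    print("post-JPEG prediction:", after)
    # If the post-JPEG label flips back to the true class, the attack
    # did not retain its adversarial threat under this transformation.

The quality factor matters here: a near-lossless encode may preserve enough of the perturbation for the attack to survive, so it is worth sweeping a few quality values rather than testing a single one.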