Part III. Understanding the Real-World Threat

Part II explored the mathematical and algorithmic methods that can be used to develop input capable of fooling DNNs. Part III uses these methods to consider the threat posed in real-world scenarios where the targeted DNN forms part of a broader computer system. This broader system might be, for example, a voice-controlled device, web filtering software, or an autonomous vehicle.

Chapter 7 explores the methods that an adversary might use to launch an adversarial attack when they have restricted access to the target. In this chapter, we’ll consider what might make it more challenging (or easier) for an adversary to launch an attack and look at a variety of possible attack patterns: direct, replica, and transfer. We’ll also explore whether it’s possible for an attack developed against one target to work on another.

In Chapter 8, we’ll consider the additional complexities posed to the adversary in generating physical-world attacks. In these scenarios the attack moves away from the purely digital realm to adversarial objects or adversarial sounds that are created and exist in the physical world. This chapter will explore how these physical-world examples might be created in such a way that they are adversarial regardless of changes in the environment or the positioning of the camera or microphone capturing the data.

Understanding the threat is a fundamental part of securing any system. This part lays the foundations for examining defenses in Part IV.
