CS2125 Paper Review Form - Winter 2019

Reviewer: Ali Harakeh

Paper Title: Deep Neural Networks are Easily Fooled:
High Confidence Predictions for Unrecognizable Images

Author(s): Nguyen, Yosinski, and Clune

1) Is the paper technically correct?
 [X] Yes
 [ ] Mostly (minor flaws, but mostly solid)
 [ ] No

2) Originality
 [X] Very good (very novel, trailblazing work)
 [ ] Good 
 [ ] Marginal (very incremental)
 [ ] Poor (little or nothing that is new)

3) Technical Depth
 [ ] Very good (comparable to best conference papers)
 [X] Good (comparable to typical conference papers)
 [ ] Marginal depth
 [ ] Little or no depth

4) Impact/Significance
 [X] Very significant
 [ ] Significant
 [ ] Marginal significance.
 [ ] Little or no significance.

5) Presentation
 [X] Very well written
 [ ] Generally well written
 [ ] Readable
 [ ] Needs considerable work
 [ ] Unacceptably bad

6) Overall Rating
 [X] Strong accept (award quality)
 [ ] Accept (high quality - would argue for acceptance)
 [ ] Weak Accept (borderline, but lean towards acceptance)
 [ ] Weak Reject (not sure why this paper was published)


7) Summary of the paper's main contribution and rationale
   for your recommendation. (1-2 paragraphs)

This paper is one of the first to discuss the ease of generation of examples that can fool deep neural networks with high confidence. 
Specifically, the paper shows that it is easy to produce images that are
completely unrecognizable to humans, but that state-of-the art
DNNs believe to be recognizable objects with 99.99%
Confidence. The results provided in this paper are very important as random unmeaningful images pose a very successful adversarial attack especially if it is unrecognizable by human experts.
8) List 1-3 strengths of the paper.  (1-2 sentences each,
identified as S1, S2, S3.)

S1: The paper provides an evolutionary paradigm to generate unmeaningful but high confidence examples for both ImageNet and MNIST datasets. 

S2: The paper shows that examples that fool one DNN are capable of fooling others.

S3: The paper shows that it is prohibitive to merely train the deep network to recognize adversarial images as negatives, due to the large dimension of the set generated by the proposed evolutionary algorithm.


9) List 1-3 weaknesses of the paper (1-2 sentences each,
identified as W1, W2, W3.)

W1: All the conclusions made are based on the classification task. DNNs tailored for classification should not be used as a generalization for every DNN in existence. This is the major weakness of the paper, overgeneralization. However, even for on only the classification task, the results are still quite powerful and shed light on a very important safety issue when using DNNs.