In this work, we explore adversarial attacks on the Variational Autoencoders (VAE). We show how to modify data point to obtain a prescribed latent code (supervised attack) or just get a drastically different code (unsupervised attack). We examine the influence of model modifications (-VAE, NVAE) on the robustness of VAEs and suggest metrics to quantify it.
View on arXiv