Reply to post: The difference between science and technology

Can you get from 'dog' to 'car' with one pixel? Japanese AI boffins can

Anonymous Coward

The difference between science and technology

So they created a badly-trained machine learning algorithm, limited it to 32x32, and then created an easy attack against it? This is the kind of spam publishing that floods the lower-tier journals.

You are confusing science (exploring and establishing the principles) and technology (making things). This manuscript is about the science of recognition - while you are asking for a sellable product, which may or may not exist in the end.

At least to me, this appears to be an original and thought-provoking work. You are correct that the attack as it stands would not work against a modern commercial system (however, see below). That is not the point. The main message is that image recognition is basically lossy compression or hashing: you are required to convert a large dataset (an image) to its hash (the category name). If your set of training inputs does not cover the entire Hilbert space of the dataset (i.e. you do not include all possible nonsensical images in your training regimen - which is obviously impossible), your hash is guaranteed to mis-classify some of the perturbed images.

What this paper shows is that the changes needed to a sensible image (which you classify/hash correctly) to modify its classification are surprisingly small (0.1% of the pixels), and shows how to find these changes. If the fraction of the pixels needed to take the image outside of the volume covered by the training set remains the same for large images (which obviously needs to be examined - something the paper does not hide or downplay in any way), then for a respectable 5-megapixel image you might need to modify about 5 thousand pixels - something the human eye might still ignore as noise or an inconsequential blemish.

Furthermore, the attack as it stands is already useful against modern networks trying to classify parts of a larger picture - which may not be much larger than 1000 pixels in size.
