Papers
Topics
Authors
Recent
Search
2000 character limit reached

Mind the box: $l_1$-APGD for sparse adversarial attacks on image classifiers

Published 1 Mar 2021 in cs.LG and cs.CV | (2103.01208v3)

Abstract: We show that when taking into account also the image domain $[0,1]d$, established $l_1$-projected gradient descent (PGD) attacks are suboptimal as they do not consider that the effective threat model is the intersection of the $l_1$-ball and $[0,1]d$. We study the expected sparsity of the steepest descent step for this effective threat model and show that the exact projection onto this set is computationally feasible and yields better performance. Moreover, we propose an adaptive form of PGD which is highly effective even with a small budget of iterations. Our resulting $l_1$-APGD is a strong white-box attack showing that prior works overestimated their $l_1$-robustness. Using $l_1$-APGD for adversarial training we get a robust classifier with SOTA $l_1$-robustness. Finally, we combine $l_1$-APGD and an adaptation of the Square Attack to $l_1$ into $l_1$-AutoAttack, an ensemble of attacks which reliably assesses adversarial robustness for the threat model of $l_1$-ball intersected with $[0,1]d$.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (40)
  1. Square attack: a query-efficient black-box adversarial attack via random search. In ECCV, 2020.
  2. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In ICML, 2018.
  3. Adversarial robustness on in- and out-distribution improves explainability. In ECCV, 2020.
  4. Convex Optimization. Cambridge University Press, 2004.
  5. Accurate, reliable and fast robustness evaluation. In NeurIPS, 2019.
  6. Towards evaluating the robustness of neural networks. In IEEE Symposium on Security and Privacy, 2017.
  7. Unlabeled data improves adversarial robustness. In NeurIPS, pp.  11190–11201. 2019.
  8. Ead: Elastic-net attacks to deep neural networks via adversarial examples. In AAAI, 2018.
  9. Condat, L. Fast projection onto the simplex and the l1subscript𝑙1l_{1}italic_l start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT ball. Mathematical Programming, 158:575–585, 2016.
  10. Minimally distorted adversarial examples with a fast adaptive boundary attack. In ICML, 2020a.
  11. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In ICML, 2020b.
  12. Robustbench: a standardized adversarial robustness benchmark. arXiv preprint arXiv:2010.09670, 2020.
  13. Efficient projections onto the l1-ball for learning in high dimensions. In ICML, 2008.
  14. Robustness (python library), 2019. URL https://github.com/MadryLab/robustness.
  15. Generative adversarial nets. In NeurIPS, 2014.
  16. Uncovering the limits of adversarial training against norm-bounded adversarial examples. arXiv preprint arXiv:2010.03593v2, 2020.
  17. Hall, P. The distribution of means for samples of size n drawn from a population in which the variate takes values between 00 and 1111, all such values being equally probable. Biometrika, 19:240––245, 1927.
  18. Identity mappings in deep residual networks. In ECCV, 2016.
  19. Irwin, O. On the frequency distribution of the means of samples from a population having any law of frequency with finite moments. Biometrika, 19:225––239, 1927.
  20. Adversarial self-supervised contrastive learning. In NeurIPS, 2020.
  21. Cifar-10 (canadian institute for advanced research). URL http://www.cs.toronto.edu/~kriz/cifar.html.
  22. Adversarial examples in the physical world. In ICLR Workshop, 2017.
  23. Towards defending multiple adversarial perturbations via gated batch normalization. arXiv preprint arXiv:2012.01654v1, 2020.
  24. Learning to generate noise for multi-attack robustness, 2021. URL https://openreview.net/forum?id=tv8n52XbO4p.
  25. Towards deep learning models resistant to adversarial attacks. In ICLR, 2018.
  26. Adversarial robustness against the union of multiple perturbation models. In ICML, 2020.
  27. Sparsefool: a few pixels make a big difference. In CVPR, 2019.
  28. Foolbox: A python toolbox to benchmark the robustness of machine learning models. In ICML Reliable Machine Learning in the Wild Workshop, 2017.
  29. Overfitting in adversarially robust deep learning. In ICML, 2020.
  30. Adversarial library, 2020. URL https://github.com/jeromerony/adversarial-library.
  31. Augmented Lagrangian adversarial attacks. arXiv preprint arXiv:2011.11857, 2020.
  32. Towards the first adversarially robust neural network model on MNIST. In ICLR, 2019.
  33. Intriguing properties of neural networks. In ICLR, pp.  2503–2511, 2014.
  34. Adversarial training and robustness for multiple perturbations. In NeurIPS, 2019.
  35. Towards a unified min-max framework for adversarial exploration and robustness. arXiv preprint arXiv:1906.03563, 2019.
  36. Fast is better than free: Revisiting adversarial training. In ICLR, 2020.
  37. Do wider neural networks really help adversarial robustness? arXiv preprint arXiv:2010.01279v2, 2021.
  38. Enhancing adversarial defense by k-winners-take-all. In ICLR, 2020.
  39. Adversarial momentum-contrastive pre-training. arXiv preprint, arXiv:2012.13154v2, 2020.
  40. On the design of black-box adversarial examples by leveraging gradient-free optimization and operator splitting method. In ICCV, pp.  121–130, 2019.
Citations (49)
View on Semantic Scholar

Summary

No one has generated a summary of this paper yet.

Sign Up to Summarize

Paper to Video (Beta)

No one has generated a video about this paper yet.

Sign Up to Generate All Videos Subscribe on YouTube

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Sign Up to Generate

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Generate Now

Continue Learning

We haven't generated follow-up questions for this paper yet.

Generate Now

Authors (2)

  1. Francesco Croce 
  2. Matthias Hein 

Collections

Sign up for free to add this paper to one or more collections.

Sign Up