Towards Transferable Adversarial Attacks with Centralized Perturbation

Published 11 Dec 2023 in cs.CV, cs.CR, and cs.LG | (2312.06199v2)

Abstract: Adversarial transferability enables black-box attacks on unknown victim deep neural networks (DNNs), rendering attacks viable in real-world scenarios. Current transferable attacks create adversarial perturbation over the entire image, resulting in excessive noise that overfits the source model. Concentrating perturbation on dominant image regions that are model-agnostic is crucial to improving adversarial efficacy. However, limiting perturbation to local regions in the spatial domain proves inadequate for augmenting transferability. To this end, we propose a transferable adversarial attack with fine-grained perturbation optimization in the frequency domain, creating centralized perturbation. We devise a systematic pipeline to dynamically constrain perturbation optimization to dominant frequency coefficients. The constraint is optimized in parallel at each iteration, ensuring the directional alignment of perturbation optimization with model prediction. Our approach allows us to centralize perturbation towards sample-specific important frequency features, which are shared by DNNs, effectively mitigating source model overfitting. Experiments demonstrate that by dynamically centralizing perturbation on dominant frequency coefficients, crafted adversarial examples exhibit stronger transferability, allowing them to bypass various defenses.
