Decision-based Universal Adversarial Attack
- URL: http://arxiv.org/abs/2009.07024v4
- Date: Tue, 5 Jan 2021 11:01:01 GMT
- Title: Decision-based Universal Adversarial Attack
- Authors: Jing Wu, Mingyi Zhou, Shuaicheng Liu, Yipeng Liu, Ce Zhu
- Abstract summary: In the black-box setting, current universal adversarial attack methods utilize substitute models to generate the perturbation.
We propose an efficient Decision-based Universal Attack (DUAttack).
The effectiveness of DUAttack is validated through comparisons with other state-of-the-art attacks.
- Score: 55.76371274622313
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: A single perturbation can cause most natural images to be misclassified by
classifiers. In the black-box setting, current universal adversarial attack methods
utilize substitute models to generate the perturbation, then apply the
perturbation to the attacked model. However, this transfer often produces
inferior results. In this study, we directly work in the black-box setting to
generate the universal adversarial perturbation. Besides, we aim to design an
adversary generating a single perturbation having texture like stripes based on
orthogonal matrix, as the top convolutional layers are sensitive to stripes. To
this end, we propose an efficient Decision-based Universal Attack (DUAttack).
With few data, the proposed adversary computes the perturbation based solely on
the final inferred labels, but good transferability has been realized not only
across models but also across different vision tasks. The effectiveness of
DUAttack is validated through comparisons with other state-of-the-art attacks.
The efficiency of DUAttack is also demonstrated in real-world settings
including Microsoft Azure. In addition, several representative defense
methods are struggling with DUAttack, indicating the practicability of the
proposed method.
Related papers
- DifAttack: Query-Efficient Black-Box Attack via Disentangled Feature Space [6.238161846680642]
This work investigates efficient score-based black-box adversarial attacks with a high Attack Success Rate (ASR) and good generalizability.
We design a novel attack method based on a Disentangled Feature space, called DifAttack, which differs significantly from the existing ones operating over the entire feature space.
arXiv Detail & Related papers (2023-09-26T00:15:13Z)
- Adversarial Pixel Restoration as a Pretext Task for Transferable Perturbations [54.1807206010136]
Transferable adversarial attacks optimize adversaries from a pretrained surrogate model and known label space to fool the unknown black-box models.
We propose Adversarial Pixel Restoration as a self-supervised alternative to train an effective surrogate model from scratch.
Our training approach is based on a min-max objective which reduces overfitting via an adversarial objective.
arXiv Detail & Related papers (2022-07-18T17:59:58Z)
- Unreasonable Effectiveness of Last Hidden Layer Activations [0.5156484100374058]
We show that using some widely known activation functions in the output layer of the model with high temperature values has the effect of zeroing out the gradients for both targeted and untargeted attack cases.
We've experimentally verified the efficacy of our approach on the MNIST (Digit) and CIFAR10 datasets.
arXiv Detail & Related papers (2022-02-15T12:02:59Z)
- Stochastic Variance Reduced Ensemble Adversarial Attack for Boosting the Adversarial Transferability [20.255708227671573]
Black-box adversarial attacks can be transferred from one model to another.
In this work, we propose a novel ensemble attack method called the variance reduced ensemble attack.
Empirical results on the standard ImageNet demonstrate that the proposed method could boost the adversarial transferability and outperforms existing ensemble attacks significantly.
arXiv Detail & Related papers (2021-11-21T06:33:27Z)
- Discriminator-Free Generative Adversarial Attack [87.71852388383242]
Generative-based adversarial attacks can get rid of this limitation.
A Symmetric Saliency-based Auto-Encoder (SSAE) generates the perturbations.
The adversarial examples generated by SSAE not only make the widely-used models collapse, but also achieve good visual quality.
arXiv Detail & Related papers (2021-07-20T01:55:21Z)
- Gradient-based Adversarial Attacks against Text Transformers [96.73493433809419]
We propose the first general-purpose gradient-based attack against transformer models.
We empirically demonstrate that our white-box attack attains state-of-the-art attack performance on a variety of natural language tasks.
arXiv Detail & Related papers (2021-04-15T17:43:43Z)
- Patch-wise Attack for Fooling Deep Neural Network [153.59832333877543]
We propose a patch-wise iterative algorithm -- a black-box attack towards mainstream normally trained and defense models.
We significantly improve the success rate by 9.2% for defense models and 3.7% for normally trained models on average.
arXiv Detail & Related papers (2020-07-14T01:50:22Z)
- Bias-based Universal Adversarial Patch Attack for Automatic Check-out [59.355948824578434]
Adversarial examples are inputs with imperceptible perturbations that easily mislead deep neural networks (DNNs).
Existing strategies failed to generate adversarial patches with strong generalization ability.
This paper proposes a bias-based framework to generate class-agnostic universal adversarial patches with strong generalization ability.
arXiv Detail & Related papers (2020-05-19T07:38:54Z)
This list is automatically generated from the titles and abstracts of the papers in this site.