GreedyFool: Distortion-Aware Sparse Adversarial Attack
- URL: http://arxiv.org/abs/2010.13773v1
- Date: Mon, 26 Oct 2020 17:59:07 GMT
- Title: GreedyFool: Distortion-Aware Sparse Adversarial Attack
- Authors: Xiaoyi Dong and Dongdong Chen and Jianmin Bao and Chuan Qin and Lu
Yuan and Weiming Zhang and Nenghai Yu and Dong Chen
- Abstract summary: Modern deep neural networks (DNNs) are vulnerable to adversarial samples.
Sparse adversarial samples can fool the target model by only perturbing a few pixels.
We propose a novel two-stage distortion-aware greedy-based method dubbed as "GreedyFool".
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Modern deep neural networks (DNNs) are vulnerable to adversarial samples.
Sparse adversarial samples are a special branch of adversarial samples that can
fool the target model by only perturbing a few pixels. The existence of the
sparse adversarial attack points out that DNNs are much more vulnerable than
people believed, which is also a new aspect for analyzing DNNs. However,
current sparse adversarial attack methods still have some shortcomings on both
sparsity and invisibility. In this paper, we propose a novel two-stage
distortion-aware greedy-based method dubbed as "GreedyFool". Specifically, it
first selects the most effective candidate positions to modify by considering
both the gradient (for adversary) and the distortion map (for invisibility), then
drops some less important points in the reduce stage. Experiments demonstrate
that compared with the state-of-the-art method, we only need to modify
$3\times$ fewer pixels under the same sparse perturbation setting. For target
attack, the success rate of our method is 9.96% higher than the
state-of-the-art method under the same pixel budget. Code can be found at
https://github.com/LightDXY/GreedyFool.
Related papers
- Any Target Can be Offense: Adversarial Example Generation via Generalized Latent Infection [83.72430401516674]
  GAKer is able to construct adversarial examples to any target class.
  Our method achieves an approximately 14.13% higher attack success rate for unknown classes.
  (2024-07-17T03:24:09Z)
- A New Kind of Adversarial Example [47.64219291655723]
  A large enough perturbation is added to an image such that a model maintains its original decision, whereas a human will most likely make a mistake if forced to decide.
  Our proposed attack, dubbed NKE, is similar in essence to the fooling images, but is more efficient since it uses gradient descent instead of evolutionary algorithms.
  (2022-08-04T03:45:44Z)
- AutoAdversary: A Pixel Pruning Method for Sparse Adversarial Attack [8.926478245654703]
  A special branch of adversarial examples, namely sparse adversarial examples, can fool the target DNNs by perturbing only a few pixels.
  We propose a novel end-to-end sparse adversarial attack method, namely AutoAdversary, which can find the most important pixels automatically.
  Experiments demonstrate the superiority of our proposed method over several state-of-the-art methods.
  (2022-03-18T06:06:06Z)
- Sparse and Imperceptible Adversarial Attack via a Homotopy Algorithm [93.80082636284922]
  Sparse adversarial attacks can fool deep networks (DNNs) by only perturbing a few pixels.
  Recent efforts combine it with another $\ell_\infty$ perturbation on magnitudes.
  We propose a homotopy algorithm to tackle the sparsity and neural perturbation framework.
  (2021-06-10T20:11:36Z)
- Transferable Sparse Adversarial Attack [62.134905824604104]
  We introduce a generator architecture to alleviate the overfitting issue and thus efficiently craft transferable sparse adversarial examples.
  Our method achieves superior inference speed, 700$\times$ faster than other optimization-based methods.
  (2021-05-31T06:44:58Z)
- Patch-wise++ Perturbation for Adversarial Targeted Attacks [132.58673733817838]
  We propose a patch-wise iterative method (PIM) aimed at crafting adversarial examples with high transferability.
  Specifically, we introduce an amplification factor to the step size in each iteration, and one pixel's overall gradient overflowing the $\epsilon$-constraint is properly assigned to its surrounding regions.
  Compared with the current state-of-the-art attack methods, we significantly improve the success rate by 35.9% for defense models and 32.7% for normally trained models.
  (2020-12-31T08:40:42Z)
- TEAM: We Need More Powerful Adversarial Examples for DNNs [6.7943676146532885]
  Adversarial examples can lead to misclassification of deep neural networks (DNNs).
  We propose a novel method to generate more powerful adversarial examples than previous methods.
  Our method can reliably produce adversarial examples with 100% attack success rate (ASR) while only by smaller perturbations.
  (2020-07-31T04:11:02Z)
- Patch-wise Attack for Fooling Deep Neural Network [153.59832333877543]
  We propose a patch-wise iterative algorithm -- a black-box attack towards mainstream normally trained and defense models.
  We significantly improve the success rate by 9.2% for defense models and 3.7% for normally trained models on average.
  (2020-07-14T01:50:22Z)