Generating Black-Box Adversarial Examples in Sparse Domain
- URL: http://arxiv.org/abs/2101.09324v1
- Date: Fri, 22 Jan 2021 20:45:33 GMT
- Title: Generating Black-Box Adversarial Examples in Sparse Domain
- Authors: Hadi Zanddizari and J. Morris Chang
- Abstract summary: The black-box adversarial attack is a type of attack in which the attacker has no knowledge of the model or the training dataset.
We propose a novel approach to generate a black-box attack in the sparse domain, where the most important information of an image can be observed.
- Score: 2.879036956042183
- License: http://creativecommons.org/licenses/by-nc-sa/4.0/
- Abstract: Applications of machine learning (ML) models and convolutional neural networks (CNNs) have increased rapidly. Although ML models provide high accuracy in many applications, recent investigations show that such networks are highly vulnerable to adversarial attacks. The black-box adversarial attack is a type of attack in which the attacker has no knowledge of the model or the training dataset. In this paper, we propose a novel approach to generate a black-box attack in the sparse domain, where the most important information of an image can be observed. Our investigation shows that large sparse components play a critical role in the performance of image classifiers. Under this presumption, to generate an adversarial example, we transform an image into a sparse domain and apply a threshold to select only the k largest components. In contrast to very recent works that randomly perturb k low-frequency (LoF) components, we perturb the k largest sparse (LaS) components either randomly (query-based) or in the direction of the most correlated sparse signal from a different class. We show that LaS components contain some middle- or higher-frequency information, which helps us fool the classifiers with fewer queries. We also demonstrate the effectiveness of this approach by fooling the TensorFlow Lite (TFLite) model of the Google Cloud Vision platform. Mean squared error (MSE) and peak signal-to-noise ratio (PSNR) are used as quality metrics, and we present a theoretical proof connecting these metrics to the level of perturbation in the sparse domain. We tested our adversarial examples against state-of-the-art CNN and support vector machine (SVM) classifiers on color and grayscale image datasets. The results show that the proposed method significantly increases the misclassification rate of the classifiers.
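The sketch below (not the authors' released code) illustrates the core idea described in the abstract, under two assumptions: a 2-D DCT is used as the sparsifying transform, and the query-based variant perturbs the selected coefficients with uniform random noise. The function names `las_perturb` and `psnr`, and the knobs `k` and `epsilon`, are illustrative only.

```python
import numpy as np
from scipy.fft import dctn, idctn

def las_perturb(image, k=100, epsilon=5.0, rng=None):
    """Randomly perturb the k largest sparse (LaS) DCT coefficients of a
    grayscale image (query-based variant); k and epsilon are assumed knobs."""
    rng = rng if rng is not None else np.random.default_rng()
    coeffs = dctn(image.astype(float), norm="ortho")         # orthonormal 2-D DCT
    idx = np.argpartition(np.abs(coeffs).ravel(), -k)[-k:]   # k largest-magnitude components
    perturbed = coeffs.copy()
    perturbed.ravel()[idx] += rng.uniform(-epsilon, epsilon, size=k)
    adv = idctn(perturbed, norm="ortho")                     # back to the pixel domain
    return np.clip(adv, 0.0, 255.0)

def psnr(clean, adv, peak=255.0):
    """PSNR = 10 * log10(peak^2 / MSE), computed in the pixel domain."""
    mse = np.mean((np.asarray(clean, float) - np.asarray(adv, float)) ** 2)
    return 10.0 * np.log10(peak ** 2 / mse)

# Usage sketch: adv = las_perturb(img); re-query the target classifier until its
# label flips, then report psnr(img, adv) as the distortion of the attack.
```

Because an orthonormal transform such as the DCT with norm="ortho" preserves energy (Parseval's theorem), the squared perturbation added to the coefficients equals the pixel-domain squared error; this is the kind of relation that lets the paper tie MSE and PSNR to the level of perturbation in the sparse domain.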
Related papers
- MOREL: Enhancing Adversarial Robustness through Multi-Objective Representation Learning [1.534667887016089]
Deep neural networks (DNNs) are vulnerable to slight adversarial perturbations.
We show that strong feature representation learning during training can significantly enhance the original model's robustness.
We propose MOREL, a multi-objective feature representation learning approach, encouraging classification models to produce similar features for inputs within the same class, despite perturbations.
arXiv Detail & Related papers (2024-10-02T16:05:03Z)
- SIRST-5K: Exploring Massive Negatives Synthesis with Self-supervised Learning for Robust Infrared Small Target Detection [53.19618419772467]
Single-frame infrared small target (SIRST) detection aims to recognize small targets against cluttered backgrounds.
With the development of Transformers, the scale of SIRST models is constantly increasing.
With a rich diversity of infrared small target data, our algorithm significantly improves model performance and convergence speed.
arXiv Detail & Related papers (2024-03-08T16:14:54Z)
- A Geometrical Approach to Evaluate the Adversarial Robustness of Deep Neural Networks [52.09243852066406]
Adversarial Converging Time Score (ACTS) measures the converging time as an adversarial robustness metric.
We validate the effectiveness and generalization of the proposed ACTS metric against different adversarial attacks on the large-scale ImageNet dataset.
arXiv Detail & Related papers (2023-10-10T09:39:38Z)
- Microbial Genetic Algorithm-based Black-box Attack against Interpretable Deep Learning Systems [16.13790238416691]
In white-box environments, interpretable deep learning systems (IDLSes) have been shown to be vulnerable to malicious manipulations.
We propose a Query-efficient Score-based black-box attack against IDLSes, QuScore, which requires no knowledge of the target model or its coupled interpretation model.
arXiv Detail & Related papers (2023-07-13T00:08:52Z)
- Large-Margin Representation Learning for Texture Classification [67.94823375350433]
This paper presents a novel approach combining convolutional layers (CLs) and large-margin metric learning for training supervised models on small datasets for texture classification.
The experimental results on texture and histopathologic image datasets have shown that the proposed approach achieves competitive accuracy with lower computational cost and faster convergence when compared to equivalent CNNs.
arXiv Detail & Related papers (2022-06-17T04:07:45Z)
- FrequencyLowCut Pooling -- Plug & Play against Catastrophic Overfitting [12.062691258844628]
This paper introduces an aliasing free down-sampling operation which can easily be plugged into any CNN architecture.
Our experiments show that, in combination with simple and fast FGSM adversarial training, our hyper-parameter-free operator significantly improves model robustness.
arXiv Detail & Related papers (2022-04-01T14:51:28Z)
- Efficient and Robust Classification for Sparse Attacks [34.48667992227529]
We consider perturbations bounded by the $\ell_0$-norm, which have been shown to be effective attacks in the domains of image recognition, natural language processing, and malware detection.
We propose a novel defense method that consists of "truncation" and "adversarial training".
Motivated by the insights we obtain, we extend these components to neural network classifiers.
arXiv Detail & Related papers (2022-01-23T21:18:17Z)
- Discriminator-Free Generative Adversarial Attack [87.71852388383242]
Generative-based adversarial attacks can get rid of this limitation.
A Symmetric Saliency-based Auto-Encoder (SSAE) generates the perturbations.
The adversarial examples generated by SSAE not only make the widely-used models collapse, but also achieve good visual quality.
arXiv Detail & Related papers (2021-07-20T01:55:21Z)
- Improving Query Efficiency of Black-box Adversarial Attack [75.71530208862319]
We propose a Neural Process based black-box adversarial attack (NP-Attack).
NP-Attack could greatly decrease the query counts under the black-box setting.
arXiv Detail & Related papers (2020-09-24T06:22:56Z)
- Training Interpretable Convolutional Neural Networks by Differentiating Class-specific Filters [64.46270549587004]
Convolutional neural networks (CNNs) have been successfully used in a range of tasks.
However, CNNs are often viewed as "black boxes" and lack interpretability.
We propose a novel strategy to train interpretable CNNs by encouraging class-specific filters.
arXiv Detail & Related papers (2020-07-16T09:12:26Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of the information presented and is not responsible for any consequences of its use.