On Generating Transferable Targeted Perturbations
- URL: http://arxiv.org/abs/2103.14641v1
- Date: Fri, 26 Mar 2021 17:55:28 GMT
- Title: On Generating Transferable Targeted Perturbations
- Authors: Muzammal Naseer, Salman Khan, Munawar Hayat, Fahad Shahbaz Khan, and
Fatih Porikli
- Abstract summary: We propose a new generative approach for highly transferable targeted perturbations.
Our approach matches the perturbed image `distribution' with that of the target class, leading to high targeted transferability rates.
- Score: 102.3506210331038
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: While the untargeted black-box transferability of adversarial perturbations
has been extensively studied before, changing an unseen model's decisions to a
specific `targeted' class remains a challenging feat. In this paper, we propose
a new generative approach for highly transferable targeted perturbations
(TTP). We note that existing methods are less suitable for this task due
to their reliance on class-boundary information that changes from one model to
another, thus reducing transferability. In contrast, our approach matches the
perturbed image `distribution' with that of the target class, leading to high
targeted transferability rates. To this end, we propose a new objective
function that not only aligns the global distributions of source and target
images, but also matches the local neighbourhood structure between the two
domains. Based on the proposed objective, we train a generator function that
can adaptively synthesize perturbations specific to a given input. Our
generative approach is independent of the source or target domain labels, while
consistently performs well against state-of-the-art methods on a wide range of
attack settings. As an example, we achieve 32.63% target transferability
from (an adversarially weak) VGG19-BN to (a strong) WideResNet on the ImageNet
validation set, which is 4× higher than the previous best generative attack
and 16× better than instance-specific iterative attacks. Code is
available at: https://github.com/Muzammal-Naseer/TTP
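To make the distribution-matching idea concrete, here is a minimal sketch in PyTorch. The generator parameterization, the forward-KL form of the loss, and all names are illustrative assumptions, not the authors' exact objective; their actual loss additionally matches local neighbourhood structure, and the real training code lives in the linked repository.

```python
# A minimal sketch, assuming a simple bounded generator and a forward-KL
# objective; the authors' actual loss also matches local neighbourhood
# structure between the source and target domains.
import torch
import torch.nn.functional as F

def train_step(generator, classifier, src_batch, tgt_batch, optimizer, eps=16 / 255):
    """One step: push a frozen surrogate classifier's output distribution on
    perturbed source images toward its distribution on target-class images."""
    # Bounded perturbation (assumed parameterization via tanh scaling).
    adv = (src_batch + eps * torch.tanh(generator(src_batch))).clamp(0, 1)

    with torch.no_grad():
        p_tgt = F.softmax(classifier(tgt_batch), dim=1)   # distribution on real target-class images
    log_p_adv = F.log_softmax(classifier(adv), dim=1)     # distribution on perturbed source images

    # Forward KL as a stand-in for the paper's global distribution alignment.
    loss = F.kl_div(log_p_adv, p_tgt, reduction="batchmean")

    optimizer.zero_grad()  # the optimizer holds only the generator's parameters
    loss.backward()
    optimizer.step()
    return loss.item()
```

Because the loss compares output distributions rather than class-boundary gradients, the generator never needs source or target labels, which is consistent with the label-independence claim in the abstract.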
Related papers
- Any Target Can be Offense: Adversarial Example Generation via Generalized Latent Infection [83.72430401516674]
GAKer is able to construct adversarial examples for any target class.
Our method achieves an approximately 14.13% higher attack success rate for unknown classes.
arXiv Detail & Related papers (2024-07-17T03:24:09Z)
- CLIP-Guided Generative Networks for Transferable Targeted Adversarial Attacks
Transferable targeted adversarial attacks aim to mislead models into outputting adversary-specified predictions in black-box scenarios.
Single-target generative attacks train a generator for each target class to generate highly transferable perturbations.
The paper proposes a CLIP-Guided Generative Network with Cross-attention modules (CGNC) to enhance multi-target attacks.
arXiv Detail & Related papers (2024-07-14T12:30:32Z)
- Logit Margin Matters: Improving Transferable Targeted Adversarial Attack by Logit Calibration
The Cross-Entropy (CE) loss function is insufficient to learn transferable targeted adversarial examples.
We propose two simple and effective logit calibration methods: downscaling the logits with a temperature factor and applying an adaptive margin (a sketch of the temperature variant follows this entry).
Experiments conducted on the ImageNet dataset validate the effectiveness of the proposed methods.
arXiv Detail & Related papers (2023-03-07T06:42:52Z)
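A minimal sketch of the temperature-downscaling idea, assuming a standard targeted cross-entropy formulation; the temperature value is illustrative, and the paper's adaptive-margin variant is not reproduced here.

```python
# A minimal sketch, assuming a plain targeted cross-entropy; T and the loss
# form are illustrative assumptions, and the adaptive margin is omitted.
import torch
import torch.nn.functional as F

def calibrated_targeted_loss(logits: torch.Tensor, target: torch.Tensor, T: float = 5.0) -> torch.Tensor:
    """Targeted CE on downscaled logits: dividing by T > 1 flattens the
    softmax, so gradients keep enlarging the target-class logit margin
    instead of vanishing once the softmax saturates."""
    return F.cross_entropy(logits / T, target)
```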
- Towards Transferable Unrestricted Adversarial Examples with Minimum Changes [13.75751221823941]
Transfer-based adversarial examples are one of the most important classes of black-box attacks.
There is a trade-off between transferability and imperceptibility of the adversarial perturbation.
We propose a geometry-aware framework to generate transferable adversarial examples with minimum changes.
arXiv Detail & Related papers (2022-01-04T12:03:20Z)
- Transferable Sparse Adversarial Attack [62.134905824604104]
We introduce a generator architecture to alleviate the overfitting issue and thus efficiently craft transferable sparse adversarial examples.
Our method achieves superior inference speed, 700× faster than other optimization-based methods.
arXiv Detail & Related papers (2021-05-31T06:44:58Z)
- GAP++: Learning to generate target-conditioned adversarial examples [28.894143619182426]
Adversarial examples are perturbed inputs that pose a serious threat to machine learning models.
We propose a more general-purpose framework that infers target-conditioned perturbations dependent on both the input image and the target label.
Our method achieves superior performance over single-target attack models and obtains high fooling rates with small perturbation norms (a sketch of target conditioning follows this entry).
arXiv Detail & Related papers (2020-06-09T07:49:49Z)
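A hedged sketch of how a single generator can be conditioned on the target label, roughly in the spirit of GAP++; the embed-and-concatenate scheme and the toy convolutional stack are assumptions, not the paper's architecture.

```python
# A hedged sketch of target-label conditioning; the embedding-and-concatenate
# scheme and the toy conv stack are assumptions, not the paper's design.
import torch
import torch.nn as nn

class ConditionedGenerator(nn.Module):
    def __init__(self, num_classes=1000, embed_dim=8):
        super().__init__()
        self.embed = nn.Embedding(num_classes, embed_dim)  # learned target-label embedding
        self.net = nn.Sequential(  # stand-in for a real encoder-decoder generator
            nn.Conv2d(3 + embed_dim, 32, 3, padding=1), nn.ReLU(),
            nn.Conv2d(32, 3, 3, padding=1), nn.Tanh(),     # perturbation bounded to [-1, 1]
        )

    def forward(self, x, target):
        # Broadcast the label embedding over the spatial grid and concatenate
        # it with the image, so one generator serves every target class.
        b, _, h, w = x.shape
        cond = self.embed(target).view(b, -1, 1, 1).expand(b, -1, h, w)
        return self.net(torch.cat([x, cond], dim=1))
```

At attack time the same weights produce a perturbation for any (image, target) pair, which is what distinguishes target-conditioned generators from training one generator per class.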
- Perturbing Across the Feature Hierarchy to Improve Standard and Strict Blackbox Attack Transferability [100.91186458516941]
We consider the blackbox transfer-based targeted adversarial attack threat model in the realm of deep neural network (DNN) image classifiers.
We design a flexible attack framework that allows for multi-layer perturbations and demonstrates state-of-the-art targeted transfer performance.
We analyze why the proposed methods outperform existing attack strategies and show an extension of the method to the case where limited queries to the blackbox model are allowed (a sketch of the multi-layer idea follows this entry).
arXiv Detail & Related papers (2020-04-29T16:00:13Z)
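The multi-layer perturbation idea can be illustrated with a hedged sketch: drive the adversarial image's intermediate activations toward those of a target-class image at several depths of a surrogate network. The stage split, the weights, and the L2 distance below are illustrative assumptions, not the paper's exact framework.

```python
# A hedged sketch of a multi-layer feature-space targeted loss; the stage
# split, weights, and L2 distance are illustrative assumptions.
import torch
import torchvision.models as models

def feature_loss(stages, adv, target_img, weights=(1.0, 1.0, 1.0)):
    """Weighted sum of L2 gaps between adv and target activations at several depths."""
    loss = 0.0
    x_a, x_t = adv, target_img
    for w, stage in zip(weights, stages):
        x_a, x_t = stage(x_a), stage(x_t).detach()  # no gradient through the target branch
        loss = loss + w * (x_a - x_t).pow(2).mean()
    return loss

# Assumed split of a ResNet-50 surrogate into three feature stages.
resnet = models.resnet50(weights=None).eval()  # load pretrained weights in practice
stages = [
    torch.nn.Sequential(resnet.conv1, resnet.bn1, resnet.relu, resnet.maxpool, resnet.layer1),
    resnet.layer2,
    resnet.layer3,
]
```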