Feature Space Targeted Attacks by Statistic Alignment
- URL: http://arxiv.org/abs/2105.11645v1
- Date: Tue, 25 May 2021 03:46:39 GMT
- Title: Feature Space Targeted Attacks by Statistic Alignment
- Authors: Lianli Gao, Yaya Cheng, Qilong Zhang, Xing Xu and Jingkuan Song
- Abstract summary: Feature space targeted attacks perturb images by modulating their intermediate feature maps.
The current choice of pixel-wise Euclidean Distance to measure the discrepancy is questionable because it unreasonably imposes a spatial-consistency constraint on the source and target features.
We propose two novel approaches called Pair-wise Alignment Attack and Global-wise Alignment Attack, which attempt to measure similarities between feature maps by high-order statistics.
- Score: 74.40447383387574
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: DNNs can be easily fooled by adding human-imperceptible perturbations
to images. As one of the mainstream approaches, feature space targeted attacks
perturb images by modulating their intermediate feature maps so that the
discrepancy between the intermediate source and target features is minimized.
However, the current choice of pixel-wise Euclidean Distance to measure the
discrepancy is questionable because it unreasonably imposes a
spatial-consistency constraint on the source and target features. Intuitively,
an image can be categorized as "cat" no matter whether the cat is on the left
or the right of the image. To address this issue, we propose to measure this discrepancy
using statistic alignment. Specifically, we design two novel approaches called
Pair-wise Alignment Attack and Global-wise Alignment Attack, which attempt to
measure similarities between feature maps by high-order statistics with
translation invariance. Furthermore, we systematically analyze the layer-wise
transferability with varied difficulties to obtain highly reliable attacks.
Extensive experiments verify the effectiveness of our proposed method, and it
outperforms the state-of-the-art algorithms by a large margin. Our code is
publicly available at https://github.com/yaya-cheng/PAA-GAA.
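To make the contrast with pixel-wise Euclidean distance concrete, below is a minimal PyTorch sketch (our own illustration, not the authors' released code) of two translation-invariant, statistics-based alignment losses between an intermediate source feature map and a target feature map: a pair-wise loss built from channel Gram matrices and a global loss built from per-channel means and standard deviations. The exact statistics used by PAA and GAA are defined in the paper and the linked repository.

```python
# Minimal sketch (not the authors' code). fs, ft: intermediate feature maps
# of shape (C, H, W) extracted from the source and target images.
import torch

def euclidean_loss(fs, ft):
    # Baseline pixel-wise Euclidean distance: implicitly forces the source and
    # target features to agree at every spatial location.
    return (fs - ft).pow(2).mean()

def pairwise_alignment_loss(fs, ft):
    # Pair-wise statistics: channel Gram matrices, which discard spatial
    # layout and are therefore invariant to translations of the content.
    c = fs.size(0)
    fs_flat, ft_flat = fs.reshape(c, -1), ft.reshape(c, -1)   # (C, H*W)
    gram_s = fs_flat @ fs_flat.t() / fs_flat.size(1)
    gram_t = ft_flat @ ft_flat.t() / ft_flat.size(1)
    return (gram_s - gram_t).pow(2).mean()

def globalwise_alignment_loss(fs, ft):
    # Global statistics: per-channel mean and standard deviation, an even
    # coarser translation-invariant summary of the feature map.
    mu_s, mu_t = fs.mean(dim=(1, 2)), ft.mean(dim=(1, 2))
    sd_s, sd_t = fs.std(dim=(1, 2)), ft.std(dim=(1, 2))
    return (mu_s - mu_t).pow(2).mean() + (sd_s - sd_t).pow(2).mean()
```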
Related papers
- To Make Yourself Invisible with Adversarial Semantic Contours [47.755808439588094]
Adversarial Semantic Contour (ASC) is an estimate of a Bayesian formulation of sparse attack with a deceived prior on the object contour.
We show that ASC can corrupt the prediction of 9 modern detectors with different architectures.
We conclude with cautions that the contour is a common weakness of object detectors across architectures.
arXiv Detail & Related papers (2023-03-01T07:22:39Z)
- Adversarial examples by perturbing high-level features in intermediate decoder layers [0.0]
Instead of perturbing pixels, we use an encoder-decoder representation of the input image and perturb intermediate layers in the decoder.
Our perturbation possesses semantic meaning, such as a longer beak or green tints.
We show that our method modifies key features such as edges and that defence techniques based on adversarial training are vulnerable to our attacks.
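As a rough illustration of this mechanism (our own sketch, not the paper's code), the snippet below assumes a pretrained autoencoder split into an encoder and two decoder stages, and perturbs the intermediate decoder activation rather than the input pixels; all names are hypothetical.

```python
import torch

def perturb_decoder_features(encoder, decoder_head, decoder_tail, x, delta):
    # encoder / decoder_head / decoder_tail are assumed submodules of a
    # pretrained autoencoder; delta is a perturbation with the same shape as
    # decoder_head's output.  Names and the split point are our assumptions.
    z = encoder(x)                      # latent code of the clean image
    h = decoder_head(z)                 # intermediate decoder activation
    x_adv = decoder_tail(h + delta)     # decode the perturbed features
    return x_adv.clamp(0.0, 1.0)        # keep a valid image range
```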
arXiv Detail & Related papers (2021-10-14T07:08:15Z)
- Sparse and Imperceptible Adversarial Attack via a Homotopy Algorithm [93.80082636284922]
Sparse adversarial attacks can fool deep neural networks (DNNs) by perturbing only a few pixels.
Recent efforts combine the sparsity constraint with an additional $\ell_\infty$ bound on the perturbation magnitudes.
We propose a homotopy algorithm to jointly tackle the sparsity constraint and the perturbation bound in one unified framework.
arXiv Detail & Related papers (2021-06-10T20:11:36Z)
- Transferable Sparse Adversarial Attack [62.134905824604104]
We introduce a generator architecture to alleviate the overfitting issue and thus efficiently craft transferable sparse adversarial examples.
Our method achieves superior inference speed, $700\times$ faster than other optimization-based methods.
arXiv Detail & Related papers (2021-05-31T06:44:58Z)
- Patch-wise++ Perturbation for Adversarial Targeted Attacks [132.58673733817838]
We propose a patch-wise iterative method (PIM) aimed at crafting adversarial examples with high transferability.
Specifically, we introduce an amplification factor to the step size in each iteration, and the portion of one pixel's overall gradient that overflows the $\epsilon$-constraint is properly assigned to its surrounding regions.
Compared with the current state-of-the-art attack methods, we significantly improve the success rate by 35.9% for defense models and 32.7% for normally trained models.
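A hedged sketch of what one such patch-wise update step could look like (our own reconstruction, not the authors' implementation): the step size is amplified by a factor, and the part of the accumulated perturbation that overflows the $\epsilon$-ball is spread to neighbouring pixels with a uniform kernel. All names, shapes, and the kernel choice are assumptions.

```python
import torch
import torch.nn.functional as F

def patchwise_step(delta, grad, eps, alpha, beta, kernel_size=3):
    # delta: current perturbation (N, C, H, W); grad: gradient of the attack
    # loss w.r.t. the adversarial image.  alpha is the base step size and
    # beta the amplification factor; both names are our assumptions.
    delta = delta + beta * alpha * grad.sign()        # amplified gradient step
    clipped = delta.clamp(-eps, eps)                  # project onto the eps-ball
    overflow = delta - clipped                        # part that overflows it
    # Reassign the overflow to surrounding pixels with a uniform kernel.
    c = delta.size(1)
    kernel = torch.full((c, 1, kernel_size, kernel_size),
                        1.0 / kernel_size ** 2).to(delta)
    spread = F.conv2d(overflow, kernel, padding=kernel_size // 2, groups=c)
    return (clipped + spread).clamp(-eps, eps)
```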
arXiv Detail & Related papers (2020-12-31T08:40:42Z)
- GreedyFool: Distortion-Aware Sparse Adversarial Attack [138.55076781355206]
Modern deep neural networks (DNNs) are vulnerable to adversarial samples.
Sparse adversarial samples can fool the target model by only perturbing a few pixels.
We propose a novel two-stage distortion-aware greedy method dubbed "GreedyFool".
arXiv Detail & Related papers (2020-10-26T17:59:07Z)
- Keep it Simple: Image Statistics Matching for Domain Adaptation [0.0]
Domain Adaptation (DA) is a technique to maintain detection accuracy when only unlabeled images of the target domain are available.
Recent state-of-the-art methods try to reduce the domain gap using an adversarial training strategy.
We propose to align either color histograms or mean and covariance of the source images towards the target domain.
In comparison to recent methods, we achieve state-of-the-art performance using a much simpler training procedure.
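For intuition, here is a minimal sketch (our own illustration, not the paper's code) of this kind of image-statistics matching: the per-channel mean and covariance of a source image are aligned to target-domain statistics with a whitening-colouring transform; shapes and names are assumptions.

```python
import numpy as np

def match_mean_cov(src, tgt_mean, tgt_cov):
    # src: (H, W, 3) float image; tgt_mean: (3,) and tgt_cov: (3, 3) are
    # statistics estimated from target-domain images (hypothetical inputs).
    pixels = src.reshape(-1, 3)
    src_mean = pixels.mean(axis=0)
    src_cov = np.cov(pixels, rowvar=False)
    # Whiten with the source covariance, then re-colour with the target one.
    whiten = np.linalg.inv(np.linalg.cholesky(src_cov + 1e-6 * np.eye(3)))
    colour = np.linalg.cholesky(tgt_cov + 1e-6 * np.eye(3))
    matched = (pixels - src_mean) @ whiten.T @ colour.T + tgt_mean
    return matched.reshape(src.shape)
```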
arXiv Detail & Related papers (2020-05-26T07:32:09Z)
- RANSAC-Flow: generic two-stage image alignment [53.11926395028508]
We show that a simple unsupervised approach performs surprisingly well across a range of tasks.
Despite its simplicity, our method shows competitive results on a range of tasks and datasets.
arXiv Detail & Related papers (2020-04-03T12:37:58Z)