Optimizing One-pixel Black-box Adversarial Attacks
- URL: http://arxiv.org/abs/2205.02116v1
- Date: Sat, 30 Apr 2022 12:42:14 GMT
- Title: Optimizing One-pixel Black-box Adversarial Attacks
- Authors: Tianxun Zhou and Shubhankar Agrawal and Prateek Manocha
- Abstract summary: The output of Deep Neural Networks (DNN) can be altered by a small perturbation of the input in a black box setting.
This work seeks to improve the One-pixel (few-pixel) black-box adversarial attacks to reduce the number of calls to the network under attack.
- Score: 0.0
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: The output of Deep Neural Networks (DNN) can be altered by a small
perturbation of the input in a black box setting by making multiple calls to
the DNN. However, the high computation and time required makes the existing
approaches unusable. This work seeks to improve the One-pixel (few-pixel)
black-box adversarial attacks to reduce the number of calls to the network
under attack. The One-pixel attack uses a non-gradient optimization algorithm
to find pixel-level perturbations under the constraint of a fixed number of
pixels, which causes the network to predict the wrong label for a given image.
We show through experimental results how the choice of the optimization
algorithm and initial positions to search can reduce function calls and
increase attack success significantly, making the attack more practical in
real-world settings.
Related papers
- SAIF: Sparse Adversarial and Imperceptible Attack Framework [7.025774823899217]
We propose a novel attack technique called Sparse Adversarial and Interpretable Attack Framework (SAIF)
Specifically, we design imperceptible attacks that contain low-magnitude perturbations at a small number of pixels and leverage these sparse attacks to reveal the vulnerability of classifiers.
SAIF computes highly imperceptible and interpretable adversarial examples, and outperforms state-of-the-art sparse attack methods on the ImageNet dataset.
arXiv Detail & Related papers (2022-12-14T20:28:50Z) - AutoAdversary: A Pixel Pruning Method for Sparse Adversarial Attack [8.926478245654703]
A special branch of adversarial examples, namely sparse adversarial examples, can fool the target DNNs by perturbing only a few pixels.
We propose a novel end-to-end sparse adversarial attack method, namely AutoAdversary, which can find the most important pixels automatically.
Experiments demonstrate the superiority of our proposed method over several state-of-the-art methods.
arXiv Detail & Related papers (2022-03-18T06:06:06Z) - Sparse and Imperceptible Adversarial Attack via a Homotopy Algorithm [93.80082636284922]
Sparse adversarial attacks can fool deep networks (DNNs) by only perturbing a few pixels.
Recent efforts combine it with another l_infty perturbation on magnitudes.
We propose a homotopy algorithm to tackle the sparsity and neural perturbation framework.
arXiv Detail & Related papers (2021-06-10T20:11:36Z) - Transferable Sparse Adversarial Attack [62.134905824604104]
We introduce a generator architecture to alleviate the overfitting issue and thus efficiently craft transferable sparse adversarial examples.
Our method achieves superior inference speed, 700$times$ faster than other optimization-based methods.
arXiv Detail & Related papers (2021-05-31T06:44:58Z) - PICA: A Pixel Correlation-based Attentional Black-box Adversarial Attack [37.15301296824337]
We propose a pixel correlation-based attentional black-box adversarial attack, termed as PICA.
PICA is more efficient to generate high-resolution adversarial examples compared with the existing black-box attacks.
arXiv Detail & Related papers (2021-01-19T09:53:52Z) - GreedyFool: Distortion-Aware Sparse Adversarial Attack [138.55076781355206]
Modern deep neural networks (DNNs) are vulnerable to adversarial samples.
Sparse adversarial samples can fool the target model by only perturbing a few pixels.
We propose a novel two-stage distortion-aware greedy-based method dubbed as "GreedyFool"
arXiv Detail & Related papers (2020-10-26T17:59:07Z) - Boosting Gradient for White-Box Adversarial Attacks [60.422511092730026]
We propose a universal adversarial example generation method, called ADV-ReLU, to enhance the performance of gradient based white-box attack algorithms.
Our approach calculates the gradient of the loss function versus network input, maps the values to scores, and selects a part of them to update the misleading gradients.
arXiv Detail & Related papers (2020-10-21T02:13:26Z) - Patch-wise Attack for Fooling Deep Neural Network [153.59832333877543]
We propose a patch-wise iterative algorithm -- a black-box attack towards mainstream normally trained and defense models.
We significantly improve the success rate by 9.2% for defense models and 3.7% for normally trained models on average.
arXiv Detail & Related papers (2020-07-14T01:50:22Z) - Projection & Probability-Driven Black-Box Attack [205.9923346080908]
Existing black-box attacks suffer from the need for excessive queries in the high-dimensional space.
We propose Projection & Probability-driven Black-box Attack (PPBA) to tackle this problem.
Our method requires at most 24% fewer queries with a higher attack success rate compared with state-of-the-art approaches.
arXiv Detail & Related papers (2020-05-08T03:37:50Z) - A Black-box Adversarial Attack Strategy with Adjustable Sparsity and
Generalizability for Deep Image Classifiers [16.951363298896638]
Black-box adversarial perturbations are more practical for real-world applications.
We propose the DEceit algorithm for constructing effective universal pixel-restricted perturbations.
We find that perturbing only about 10% of the pixels in an image using DEceit achieves a commendable and highly transferable Fooling Rate.
arXiv Detail & Related papers (2020-04-24T19:42:00Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.