Enhancing the Self-Universality for Transferable Targeted Attacks
- URL: http://arxiv.org/abs/2209.03716v3
- Date: Wed, 12 Apr 2023 02:51:03 GMT
- Title: Enhancing the Self-Universality for Transferable Targeted Attacks
- Authors: Zhipeng Wei, Jingjing Chen, Zuxuan Wu, Yu-Gang Jiang
- Abstract summary: Our new attack method is proposed based on the observation that highly universal adversarial perturbations tend to be more transferable for targeted attacks.
Instead of optimizing the perturbations on different images, optimizing on different regions to achieve self-universality eliminates the need for extra data.
With the feature similarity loss, our method makes the features from adversarial perturbations more dominant than those of benign images.
- Score: 88.6081640779354
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: In this paper, we propose a novel transfer-based targeted attack method that
optimizes the adversarial perturbations without any extra training efforts for
auxiliary networks on training data. Our new attack method is proposed based on
the observation that highly universal adversarial perturbations tend to be more
transferable for targeted attacks. Therefore, we propose to make the
perturbation agnostic to different local regions within one image, which
we call self-universality. Instead of optimizing the perturbations on
different images, optimizing on different regions to achieve self-universality
eliminates the need for extra data. Specifically, we introduce a feature
similarity loss that encourages the learned perturbations to be universal by
maximizing the feature similarity between adversarially perturbed global images
and randomly cropped local regions. With the feature similarity loss, our
method makes the features from adversarial perturbations more dominant
than those of benign images, hence improving targeted transferability. We name
the proposed attack method as Self-Universality (SU) attack. Extensive
experiments demonstrate that SU can achieve high success rates for
transfer-based targeted attacks. On the ImageNet-compatible dataset, SU yields an
improvement of 12% compared with existing state-of-the-art methods. Code is
available at https://github.com/zhipeng-wei/Self-Universality.
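The core of the SU attack's feature-similarity term can be sketched as follows. This is a minimal illustration, not the authors' implementation: the stand-in `features` function (spatial average pooling) replaces the mid-layer features of a real surrogate network, and the names `random_crop_resize`, `su_feature_loss`, and the weight `lam` are hypothetical. The idea shown is the one in the abstract: maximize the cosine similarity between features of the globally perturbed image and a randomly cropped local region of it.

```python
import numpy as np

rng = np.random.default_rng(0)

def features(x):
    # Stand-in feature extractor: global average over spatial dims.
    # The paper uses intermediate features of the surrogate classifier.
    return x.mean(axis=(1, 2))

def random_crop_resize(x, crop=16):
    # Randomly crop a local region and resize it back to the input size
    # (nearest-neighbor), mimicking the local-region inputs of the attack.
    c, h, w = x.shape
    top = int(rng.integers(0, h - crop + 1))
    left = int(rng.integers(0, w - crop + 1))
    patch = x[:, top:top + crop, left:left + crop]
    rows = np.arange(h) * crop // h
    cols = np.arange(w) * crop // w
    return patch[:, rows][:, :, cols]

def cosine(u, v):
    return float(u @ v / (np.linalg.norm(u) * np.linalg.norm(v) + 1e-12))

def su_feature_loss(x_adv, lam=1.0):
    # Feature-similarity term only; in the full attack this is added to
    # the targeted classification loss and minimized over the perturbation.
    f_global = features(x_adv)
    f_local = features(random_crop_resize(x_adv))
    return -lam * cosine(f_global, f_local)

x_adv = rng.random((3, 32, 32)).astype(np.float32)
loss = su_feature_loss(x_adv)
print(round(loss, 4))
```

Minimizing this term drives the perturbation to produce similar features whether the network sees the whole image or only a local crop, which is the "self-universality" property the paper argues improves targeted transferability.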
Related papers
- Enhancing Transferability of Targeted Adversarial Examples: A Self-Universal Perspective [13.557972227440832]
Transfer-based targeted adversarial attacks against black-box deep neural networks (DNNs) have been proven to be significantly more challenging than untargeted ones.
The impressive transferability of current SOTA, the generative methods, comes at the cost of requiring massive amounts of additional data and time-consuming training for each targeted label.
We offer a self-universal perspective that unveils the great yet underexplored potential of input transformations in pursuing this goal.
arXiv Detail & Related papers (2024-07-22T14:51:28Z) - Enhancing Adversarial Attacks: The Similar Target Method [6.293148047652131]
Deep neural networks are vulnerable to adversarial examples, posing a threat to the models' applications and raising security concerns.
We propose a similar targeted attack method named Similar Target (ST).
arXiv Detail & Related papers (2023-08-21T14:16:36Z) - A Novel Cross-Perturbation for Single Domain Generalization [54.612933105967606]
Single domain generalization aims to enhance the ability of the model to generalize to unknown domains when trained on a single source domain.
The limited diversity in the training data hampers the learning of domain-invariant features, resulting in compromised generalization performance.
We propose CPerb, a simple yet effective cross-perturbation method to enhance the diversity of the training data.
arXiv Detail & Related papers (2023-08-02T03:16:12Z) - Latent-Optimized Adversarial Neural Transfer for Sarcasm Detection [50.29565896287595]
We apply transfer learning to exploit common datasets for sarcasm detection.
We propose a generalized latent optimization strategy that allows different losses to accommodate each other.
In particular, we achieve 10.02% absolute performance gain over the previous state of the art on the iSarcasm dataset.
arXiv Detail & Related papers (2021-04-19T13:07:52Z) - On Generating Transferable Targeted Perturbations [102.3506210331038]
We propose a new generative approach for highly transferable targeted perturbations.
Our approach matches the perturbed image distribution with that of the target class, leading to high targeted transferability rates.
arXiv Detail & Related papers (2021-03-26T17:55:28Z) - Contextual Fusion For Adversarial Robustness [0.0]
Deep neural networks are usually designed to process one particular information stream and are susceptible to various types of adversarial perturbations.
We developed a fusion model using a combination of background and foreground features extracted in parallel from Places-CNN and Imagenet-CNN.
For gradient based attacks, our results show that fusion allows for significant improvements in classification without decreasing performance on unperturbed data.
arXiv Detail & Related papers (2020-11-18T20:13:23Z) - Double Targeted Universal Adversarial Perturbations [83.60161052867534]
We introduce double targeted universal adversarial perturbations (DT-UAPs) to bridge the gap between instance-discriminative image-dependent perturbations and generic universal perturbations.
We show the effectiveness of the proposed DTA algorithm on a wide range of datasets and also demonstrate its potential as a physical attack.
arXiv Detail & Related papers (2020-10-07T09:08:51Z) - Frequency-Tuned Universal Adversarial Attacks [19.79803434998116]
We propose a frequency-tuned universal attack method to compute universal perturbations.
We show that our method can realize a good balance between perceivability and effectiveness in terms of fooling rate.
arXiv Detail & Related papers (2020-03-11T22:52:19Z) - Image Fine-grained Inpainting [89.17316318927621]
We present a one-stage model that utilizes dense combinations of dilated convolutions to obtain larger and more effective receptive fields.
To better train this efficient generator, in addition to the frequently-used VGG feature matching loss, we design a novel self-guided regression loss.
We also employ a discriminator with local and global branches to ensure local-global contents consistency.
arXiv Detail & Related papers (2020-02-07T03:45:25Z)
This list is automatically generated from the titles and abstracts of the papers in this site.