FG-UAP: Feature-Gathering Universal Adversarial Perturbation
- URL: http://arxiv.org/abs/2209.13113v1
- Date: Tue, 27 Sep 2022 02:03:42 GMT
- Title: FG-UAP: Feature-Gathering Universal Adversarial Perturbation
- Authors: Zhixing Ye, Xinwen Cheng, Xiaolin Huang
- Abstract summary: We propose to generate a Universal Adversarial Perturbation (UAP) by attacking the layer where Neural Collapse (NC) happens.
Because of NC, the proposed attack can gather all the natural images' features around itself, and is hence called Feature-Gathering UAP (FG-UAP).
We evaluate the effectiveness of our proposed algorithm through extensive experiments, including untargeted and targeted universal attacks, attacks with a limited dataset, and transfer-based black-box attacks.
- Score: 15.99512720802142
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Deep Neural Networks (DNNs) are susceptible to elaborately designed
perturbations, whether such perturbations are dependent or independent of
images. The latter one, called Universal Adversarial Perturbation (UAP), is
very attractive for model robustness analysis, since its independence of input
reveals the intrinsic characteristics of the model. Relatedly, another
interesting observation is Neural Collapse (NC), which means that feature
variability may collapse during the terminal phase of training. Motivated by
this, we propose to generate the UAP by attacking the layer where the NC
phenomenon occurs. Because of NC, the proposed attack can gather all the
natural images' features around itself, and is hence called Feature-Gathering
UAP (FG-UAP).
We evaluate the effectiveness of our proposed algorithm through extensive
experiments, including untargeted and targeted universal attacks, attacks with
a limited dataset, and transfer-based black-box attacks among different architectures
including Vision Transformers, which are believed to be more robust.
Furthermore, we investigate FG-UAP from the perspective of NC by analyzing the
labels and extracted features of adversarial examples, finding that the
collapse phenomenon becomes stronger after the model is corrupted. The code will be
released when the paper is accepted.
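To make the feature-gathering idea concrete, the sketch below shows one way such an attack could be set up in PyTorch: a single perturbation v is optimized so that the penultimate-layer (NC-layer) features of perturbed natural images are pulled toward the feature of v itself. This is a minimal illustration under assumed choices (a cosine-similarity gathering loss, an L-infinity budget, and the hypothetical names fg_uap_sketch and feature_extractor); it is not the authors' released implementation.

```python
import torch
import torch.nn.functional as F

def fg_uap_sketch(feature_extractor, loader, epsilon=10/255, steps=2000, lr=0.01, device="cuda"):
    """Illustrative sketch of a feature-gathering UAP objective (assumptions noted above).

    `feature_extractor` maps images to penultimate-layer features, e.g. a
    classifier with its final linear layer removed, which is where Neural
    Collapse is typically reported to occur.
    """
    v = torch.zeros(1, 3, 224, 224, device=device, requires_grad=True)
    opt = torch.optim.Adam([v], lr=lr)
    data_iter = iter(loader)
    for _ in range(steps):
        try:
            x, _ = next(data_iter)
        except StopIteration:
            data_iter = iter(loader)
            x, _ = next(data_iter)
        x = x.to(device)
        f_adv = feature_extractor(torch.clamp(x + v, 0, 1))  # features of perturbed images
        f_v = feature_extractor(torch.clamp(v, 0, 1))        # feature of the perturbation alone
        # Gathering objective (assumed form): maximize the similarity between the
        # perturbed images' features and the perturbation's own feature.
        loss = -F.cosine_similarity(f_adv, f_v.expand_as(f_adv), dim=1).mean()
        opt.zero_grad()
        loss.backward()
        opt.step()
        with torch.no_grad():
            v.clamp_(-epsilon, epsilon)  # keep the UAP within an L-infinity budget
    return v.detach()
```

In such a setup, feature_extractor would typically be run in eval mode with its parameters frozen, so that only the perturbation is updated.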
Related papers
- SAM Meets UAP: Attacking Segment Anything Model With Universal Adversarial Perturbation [61.732503554088524]
We investigate whether it is possible to attack the Segment Anything Model (SAM) with an image-agnostic Universal Adversarial Perturbation (UAP).
We propose a novel perturbation-centric framework that results in a UAP generation method based on self-supervised contrastive learning (CL).
The effectiveness of our proposed CL-based UAP generation method is validated by both quantitative and qualitative results.
arXiv Detail & Related papers (2023-10-19T02:49:24Z) - CARLA-GeAR: a Dataset Generator for a Systematic Evaluation of
Adversarial Robustness of Vision Models [61.68061613161187]
This paper presents CARLA-GeAR, a tool for the automatic generation of synthetic datasets for evaluating the robustness of neural models against physical adversarial patches.
The tool is built on the CARLA simulator, using its Python API, and allows the generation of datasets for several vision tasks in the context of autonomous driving.
The paper presents an experimental study to evaluate the performance of some defense methods against such attacks, showing how the datasets generated with CARLA-GeAR might be used in future work as a benchmark for adversarial defense in the real world.
arXiv Detail & Related papers (2022-06-09T09:17:38Z) - Discriminator-Free Generative Adversarial Attack [87.71852388383242]
Generative-based adversarial attacks can get rid of this limitation.
A Symmetric Saliency-based Auto-Encoder (SSAE) generates the perturbations.
The adversarial examples generated by SSAE not only make the widely-used models collapse, but also achieve good visual quality.
arXiv Detail & Related papers (2021-07-20T01:55:21Z) - Salient Feature Extractor for Adversarial Defense on Deep Neural
Networks [2.993911699314388]
Motivated by the observation that adversarial examples arise from the non-robust features that models learn from the original dataset, we propose the concepts of salient feature (SF) and trivial feature (TF).
We put forward a novel detection and defense method named salient feature extractor (SFE) to defend against adversarial attacks.
arXiv Detail & Related papers (2021-05-14T12:56:06Z) - Selective and Features based Adversarial Example Detection [12.443388374869745]
Security-sensitive applications that rely on Deep Neural Networks (DNNs) are vulnerable to small perturbations crafted to generate Adversarial Examples (AEs).
We propose a novel unsupervised detection mechanism that uses the selective prediction, processing model layers outputs, and knowledge transfer concepts in a multi-task learning setting.
Experimental results show that the proposed approach achieves results comparable to state-of-the-art methods against the tested attacks in the white-box scenario and better results in the black-box and gray-box scenarios.
arXiv Detail & Related papers (2021-03-09T11:06:15Z) - Universal Adversarial Perturbations Through the Lens of Deep
Steganography: Towards A Fourier Perspective [78.05383266222285]
A human imperceptible perturbation can be generated to fool a deep neural network (DNN) for most images.
A similar phenomenon has been observed in the deep steganography task, where a decoder network can retrieve a secret image back from a slightly perturbed cover image.
We propose two new variants of universal perturbations: (1) Universal Secret Adversarial Perturbation (USAP) that simultaneously achieves attack and hiding; (2) high-pass UAP (HP-UAP) that is less visible to the human eye.
arXiv Detail & Related papers (2021-02-12T12:26:39Z) - Robustness and Transferability of Universal Attacks on Compressed Models [3.187381965457262]
Neural network compression methods such as pruning and quantization are very effective for efficiently deploying Deep Neural Networks (DNNs) on edge devices.
In particular, Universal Adversarial Perturbations (UAPs), are a powerful class of adversarial attacks.
We show that, in some scenarios, quantization can produce gradient-masking, giving a false sense of security.
arXiv Detail & Related papers (2020-12-10T23:40:23Z) - Double Targeted Universal Adversarial Perturbations [83.60161052867534]
We introduce double targeted universal adversarial perturbations (DT-UAPs) to bridge the gap between instance-discriminative image-dependent perturbations and generic universal perturbations.
We show the effectiveness of the proposed DTA algorithm on a wide range of datasets and also demonstrate its potential as a physical attack.
arXiv Detail & Related papers (2020-10-07T09:08:51Z) - Neural Networks with Recurrent Generative Feedback [61.90658210112138]
We instantiate this design on convolutional neural networks (CNNs).
In the experiments, CNN-F shows considerably improved adversarial robustness over conventional feedforward CNNs on standard benchmarks.
arXiv Detail & Related papers (2020-07-17T19:32:48Z)