Multi-objective Evolutionary Search of Variable-length Composite
Semantic Perturbations
- URL: http://arxiv.org/abs/2307.06548v2
- Date: Sun, 16 Jul 2023 05:39:14 GMT
- Authors: Jialiang Sun, Wen Yao, Tingsong Jiang, Xiaoqian Chen
- Abstract summary: We propose a novel method called multi-objective evolutionary search of variable-length composite semantic perturbations (MES-VCSP).
MES-VCSP can obtain adversarial examples with a higher attack success rate, more naturalness, and less time cost.
- Score: 1.9100854225243937
- License: http://creativecommons.org/publicdomain/zero/1.0/
- Abstract: Deep neural networks have proven to be vulnerable to adversarial attacks in
the form of adding specific perturbations on images to make wrong outputs.
Designing stronger adversarial attack methods can help more reliably evaluate
the robustness of DNN models. To release the harbor burden and improve the
attack performance, auto machine learning (AutoML) has recently emerged as one
successful technique to help automatically find the near-optimal adversarial
attack strategy. However, existing works about AutoML for adversarial attacks
only focus on $L_{\infty}$-norm-based perturbations. In fact, semantic
perturbations attract increasing attention due to their naturalness and
physical realizability. To bridge the gap between AutoML and semantic
adversarial attacks, we propose a novel method called multi-objective
evolutionary search of variable-length composite semantic perturbations
(MES-VCSP). Specifically, we construct the mathematical model of
variable-length composite semantic perturbations, which provides five
gradient-based semantic attack methods. The same type of perturbation in an
attack sequence is allowed to be performed multiple times. Besides, we
introduce the multi-objective evolutionary search consisting of NSGA-II and
neighborhood search to find near-optimal variable-length attack sequences.
Experimental results on CIFAR10 and ImageNet datasets show that compared with
existing methods, MES-VCSP can obtain adversarial examples with a higher attack
success rate, more naturalness, and less time cost.
Related papers
- MOREL: Enhancing Adversarial Robustness through Multi-Objective Representation Learning [1.534667887016089]
Deep neural networks (DNNs) are vulnerable to slight adversarial perturbations.
We show that strong feature representation learning during training can significantly enhance the original model's robustness.
We propose MOREL, a multi-objective feature representation learning approach, encouraging classification models to produce similar features for inputs within the same class, despite perturbations.
arXiv Detail & Related papers (2024-10-02T16:05:03Z)
- Meta Invariance Defense Towards Generalizable Robustness to Unknown Adversarial Attacks [62.036798488144306]
Current defense mainly focuses on the known attacks, but the adversarial robustness to the unknown attacks is seriously overlooked.
We propose an attack-agnostic defense method named Meta Invariance Defense (MID).
We show that MID simultaneously achieves robustness to the imperceptible adversarial perturbations in high-level image classification and attack-suppression in low-level robust image regeneration.
arXiv Detail & Related papers (2024-04-04T10:10:38Z)
- Multi-granular Adversarial Attacks against Black-box Neural Ranking Models [111.58315434849047]
We create high-quality adversarial examples by incorporating multi-granular perturbations.
We transform the multi-granular attack into a sequential decision-making process.
Our attack method surpasses prevailing baselines in both attack effectiveness and imperceptibility.
arXiv Detail & Related papers (2024-04-02T02:08:29Z)
- Boosting the Transferability of Adversarial Attacks with Reverse Adversarial Perturbation [32.81400759291457]
Adversarial examples can produce erroneous predictions by injecting imperceptible perturbations.
In this work, we study the transferability of adversarial examples, which is significant due to its threat to real-world applications.
We propose a novel attack method, dubbed reverse adversarial perturbation (RAP).
arXiv Detail & Related papers (2022-10-12T07:17:33Z)
- A Multi-objective Memetic Algorithm for Auto Adversarial Attack Optimization Design [1.9100854225243937]
Well-designed adversarial defense strategies can improve the robustness of deep learning models against adversarial examples.
Given the defensed model, the efficient adversarial attack with less computational burden and lower robust accuracy is needed to be further exploited.
We propose a multi-objective memetic algorithm for auto adversarial attack optimization design, which realizes the automatical search for the near-optimal adversarial attack towards defensed models.
arXiv Detail & Related papers (2022-08-15T03:03:05Z)
- Meta Adversarial Perturbations [66.43754467275967]
We show the existence of a meta adversarial perturbation (MAP).
MAP causes natural images to be misclassified with high probability after being updated through only a one-step gradient ascent update.
We show that these perturbations are not only image-agnostic, but also model-agnostic, as a single perturbation generalizes well across unseen data points and different neural network architectures.
arXiv Detail & Related papers (2021-11-19T16:01:45Z)
- Model-Agnostic Meta-Attack: Towards Reliable Evaluation of Adversarial Robustness [53.094682754683255]
We propose a Model-Agnostic Meta-Attack (MAMA) approach to discover stronger attack algorithms automatically.
Our method learns the in adversarial attacks parameterized by a recurrent neural network.
We develop a model-agnostic training algorithm to improve the ability of the learned when attacking unseen defenses.
arXiv Detail & Related papers (2021-10-13T13:54:24Z)
- Adaptive Feature Alignment for Adversarial Training [56.17654691470554]
CNNs are typically vulnerable to adversarial attacks, which pose a threat to security-sensitive applications.
We propose the adaptive feature alignment (AFA) to generate features of arbitrary attacking strengths.
Our method is trained to automatically align features of arbitrary attacking strength.
arXiv Detail & Related papers (2021-05-31T17:01:05Z)
- A Hamiltonian Monte Carlo Method for Probabilistic Adversarial Attack and Learning [122.49765136434353]
We present an effective method, called Hamiltonian Monte Carlo with Accumulated Momentum (HMCAM), aiming to generate a sequence of adversarial examples.
We also propose a new generative method called Contrastive Adversarial Training (CAT), which approaches equilibrium distribution of adversarial examples.
Both quantitative and qualitative analysis on several natural image datasets and practical systems have confirmed the superiority of the proposed algorithm.
arXiv Detail & Related papers (2020-10-15T16:07:26Z)
This list is automatically generated from the titles and abstracts of the papers in this site.