JMA: a General Algorithm to Craft Nearly Optimal Targeted Adversarial Example
- URL: http://arxiv.org/abs/2401.01199v1
- Date: Tue, 2 Jan 2024 13:03:29 GMT
- Title: JMA: a General Algorithm to Craft Nearly Optimal Targeted Adversarial Example
- Authors: Benedetta Tondi, Wei Guo, Mauro Barni
- Abstract summary: We propose a more general, theoretically sound, targeted attack that resorts to the minimization of a Jacobian-induced MAhalanobis distance term.
The proposed algorithm provides an optimal solution to a linearized version of the adversarial example problem originally introduced by Szegedy et al.
- Score: 24.953032059932525
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Most of the approaches proposed so far to craft targeted adversarial examples
against Deep Learning classifiers are highly suboptimal and typically rely on
increasing the likelihood of the target class, thus implicitly focusing on
one-hot encoding settings. In this paper, we propose a more general,
theoretically sound, targeted attack that resorts to the minimization of a
Jacobian-induced MAhalanobis distance (JMA) term, taking into account the
effort (in the input space) required to move the latent space representation of
the input sample in a given direction. The minimization is solved by exploiting
the Wolfe duality theorem, reducing the problem to the solution of a
Non-Negative Least Square (NNLS) problem. The proposed algorithm provides an
optimal solution to a linearized version of the adversarial example problem
originally introduced by Szegedy et al. The
experiments we carried out confirm the generality of the proposed attack which
is proven to be effective under a wide variety of output encoding schemes.
Noticeably, the JMA attack is also effective in a multi-label classification
scenario, being capable of inducing a targeted modification of up to half the
labels in a complex multilabel classification scenario with 20 labels, a
capability that is out of reach of all the attacks proposed so far. As a
further advantage, the JMA attack usually requires very few iterations, thus
being more efficient than existing methods.
Related papers
- Jacobian Descent for Multi-Objective Optimization [0.6138671548064355]
Gradient descent is limited to single-objective optimization.
Jacobian descent (JD) iteratively updates parameters using the Jacobian matrix of a vector-valued objective function.
arXiv Detail & Related papers (2024-06-23T22:06:25Z)
- Advancing Generalized Transfer Attack with Initialization Derived Bilevel Optimization and Dynamic Sequence Truncation [49.480978190805125]
Transfer attacks generate significant interest for black-box applications.
Existing works essentially directly optimize the single-level objective w.r.t. surrogate model.
We propose a bilevel optimization paradigm, which explicitly reforms the nested relationship between the Upper-Level (UL) pseudo-victim attacker and the Lower-Level (LL) surrogate attacker.
arXiv Detail & Related papers (2024-06-04T07:45:27Z)
- Refine, Discriminate and Align: Stealing Encoders via Sample-Wise Prototypes and Multi-Relational Extraction [57.16121098944589]
RDA is a pioneering approach designed to address two primary deficiencies prevalent in previous endeavors aiming at stealing pre-trained encoders.
It is accomplished via a sample-wise prototype, which consolidates the target encoder's representations for a given sample's various perspectives.
For more potent efficacy, we develop a multi-relational extraction loss that trains the surrogate encoder to Discriminate mismatched embedding-prototype pairs.
arXiv Detail & Related papers (2023-12-01T15:03:29Z)
- Strong Transferable Adversarial Attacks via Ensembled Asymptotically Normal Distribution Learning [24.10329164911317]
We propose an approach named Multiple Asymptotically Normal Distribution Attacks (MultiANDA).
We approximate the posterior distribution over the perturbations by taking advantage of the normality property of stochastic gradient ascent (SGA).
Our proposed method outperforms ten state-of-the-art black-box attacks on deep learning models with or without defenses.
arXiv Detail & Related papers (2022-09-24T08:57:10Z)
- A Large-scale Multiple-objective Method for Black-box Attack against Object Detection [70.00150794625053]
We propose to minimize the true positive rate and maximize the false positive rate, which can encourage more false positive objects to block the generation of new true positive bounding boxes.
We extend the standard Genetic Algorithm with Random Subset selection and Divide-and-Conquer, called GARSDC, which significantly improves the efficiency.
Compared with the state-of-the-art attack methods, GARSDC decreases by an average 12.0 in the mAP and queries by about 1000 times in extensive experiments.
arXiv Detail & Related papers (2022-09-16T08:36:42Z)
- Versatile Weight Attack via Flipping Limited Bits [68.45224286690932]
We study a novel attack paradigm, which modifies model parameters in the deployment stage.
Considering the effectiveness and stealthiness goals, we provide a general formulation to perform the bit-flip based weight attack.
We present two cases of the general formulation with different malicious purposes, i.e., single sample attack (SSA) and triggered samples attack (TSA).
arXiv Detail & Related papers (2022-07-25T03:24:58Z)
- Proximal Splitting Adversarial Attacks for Semantic Segmentation [33.53113858999438]
We show that a whitebox attack can fool adversarial segmentation models based on proximal Lagrangian norms.
Our attack significantly outperforms previously proposed ones, as well as classification attacks that we adapted for segmentation.
arXiv Detail & Related papers (2022-06-14T21:23:02Z)
- Sparse and Imperceptible Adversarial Attack via a Homotopy Algorithm [93.80082636284922]
Sparse adversarial attacks can fool deep networks (DNNs) by only perturbing a few pixels.
Recent efforts combine it with another $\ell_\infty$ perturbation on magnitudes.
We propose a homotopy algorithm to tackle the sparsity and neural perturbation framework.
arXiv Detail & Related papers (2021-06-10T20:11:36Z)
- Targeted Attack for Deep Hashing based Retrieval [57.582221494035856]
We propose a novel method, dubbed deep hashing targeted attack (DHTA), to study the targeted attack on such retrieval.
We first formulate the targeted attack as a point-to-set optimization, which minimizes the average distance between the hash code of an adversarial example and those of a set of objects with the target label.
To balance the performance and perceptibility, we propose to minimize the Hamming distance between the hash code of the adversarial example and the anchor code under the $\ell_\infty$ restriction on the perturbation.
arXiv Detail & Related papers (2020-04-15T08:36:58Z)