$\sigma$-zero: Gradient-based Optimization of $\ell_0$-norm Adversarial
Examples
- URL: http://arxiv.org/abs/2402.01879v1
- Date: Fri, 2 Feb 2024 20:08:11 GMT
- Title: $\sigma$-zero: Gradient-based Optimization of $\ell_0$-norm Adversarial
Examples
- Authors: Antonio Emanuele Cinà, Francesco Villani, Maura Pintor, Lea
Schönherr, Battista Biggio, and Marcello Pelillo
- Abstract summary: We show that $\sigma$-zero finds minimum $\ell_\infty$-norm examples without requiring any time-consuming hyperparameter tuning, and that it outperforms all competing attacks in terms of success, size, and robustness.
- Score: 12.154652744262476
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Evaluating the adversarial robustness of deep networks to gradient-based
attacks is challenging. While most attacks consider $\ell_2$- and
$\ell_\infty$-norm constraints to craft input perturbations, only a few
investigate sparse $\ell_1$- and $\ell_0$-norm attacks. In particular,
$\ell_0$-norm attacks remain the least studied due to the inherent complexity
of optimizing over a non-convex and non-differentiable constraint. However,
evaluating adversarial robustness under these attacks could reveal weaknesses
otherwise left untested with more conventional $\ell_2$- and $\ell_\infty$-norm
attacks. In this work, we propose a novel $\ell_0$-norm attack, called
$\sigma$-zero, which leverages an ad hoc differentiable approximation of the
$\ell_0$ norm to facilitate gradient-based optimization, and an adaptive
projection operator to dynamically adjust the trade-off between loss
minimization and perturbation sparsity. Extensive evaluations using MNIST,
CIFAR10, and ImageNet datasets, involving robust and non-robust models, show
that $\sigma$-zero finds minimum $\ell_0$-norm adversarial examples without
requiring any time-consuming hyperparameter tuning, and that it outperforms all
competing sparse attacks in terms of success rate, perturbation size, and
scalability.
Related papers
- $L_p$-norm Distortion-Efficient Adversarial Attack [13.03797700146213]
Current adversarial attack methods only consider one of the distortions among $L$-norm, $L$-norm, and $L_\infty$-norm.
We propose a novel $L_p$-norm distortion-efficient adversarial attack, which not only owns the least $L$-norm but also significantly reduces the $L_\infty$-norm distortion.
arXiv Detail & Related papers (2024-07-03T14:00:33Z)
- Group-wise Sparse and Explainable Adversarial Attacks [22.554728415868574]
Sparse adversarial attacks fool deep neural networks (DNNs) through minimal pixel perturbations.
Recent efforts have replaced this norm with a sparsity regularizer as the nuclear adversarial norm.
We present an algorithm that simultaneously generates group-wise attacks within sparseally meaningful areas of an image.
arXiv Detail & Related papers (2023-11-29T08:26:18Z)
- Towards Compositional Adversarial Robustness: Generalizing Adversarial Training to Composite Semantic Perturbations [70.05004034081377]
We first propose a novel method for generating composite adversarial examples.
Our method can find the optimal attack composition by utilizing component-wise projected gradient descent.
We then propose generalized adversarial training (GAT) to extend model robustness from $\ell_p$-ball to composite semantic perturbations.
arXiv Detail & Related papers (2022-02-09T02:41:56Z)
- Sparse and Imperceptible Adversarial Attack via a Homotopy Algorithm [93.80082636284922]
Sparse adversarial attacks can fool deep networks (DNNs) by only perturbing a few pixels.
Recent efforts combine it with another $\ell_\infty$ perturbation on magnitudes.
We propose a homotopy algorithm to tackle the sparsity and neural perturbation framework.
arXiv Detail & Related papers (2021-06-10T20:11:36Z)
- PDPGD: Primal-Dual Proximal Gradient Descent Adversarial Attack [92.94132883915876]
State-of-the-art deep neural networks are sensitive to small input perturbations.
Many defence methods have been proposed that attempt to improve robustness to adversarial noise.
Evaluating adversarial robustness has proven to be extremely challenging.
arXiv Detail & Related papers (2021-06-03T01:45:48Z)
- Fast Minimum-norm Adversarial Attacks through Adaptive Norm Constraints [29.227720674726413]
We propose a fast minimum-norm (FMN) attack that works with different $\ell_p$-norm perturbation models.
Experiments show that FMN significantly outperforms existing attacks in terms of convergence speed and time.
arXiv Detail & Related papers (2021-02-25T12:56:26Z)
- Understanding Frank-Wolfe Adversarial Training [1.2183405753834557]
Adversarial Training (AT) is a technique that approximately solves a robust optimization problem to minimize the worst-case loss.
A Frank-Wolfe adversarial training approach is presented and is shown to provide a competitive level of robustness as PGD-AT.
arXiv Detail & Related papers (2020-12-22T21:36:52Z)
- Towards Defending Multiple $\ell_p$-norm Bounded Adversarial Perturbations via Gated Batch Normalization [120.99395850108422]
Existing adversarial defenses typically improve model robustness against individual specific perturbations.
Some recent methods improve model robustness against adversarial attacks in multiple $\ell_p$ balls, but their performance against each perturbation type is still far from satisfactory.
We propose Gated Batch Normalization (GBN) to adversarially train a perturbation-invariant predictor for defending multiple $\ell_p$ bounded adversarial perturbations.
arXiv Detail & Related papers (2020-12-03T02:26:01Z)
- Sparse-RS: a versatile framework for query-efficient sparse black-box adversarial attacks [64.03012884804458]
We propose a versatile framework based on random search, Sparse-RS, for sparse targeted and untargeted attacks in the black-box setting.
Sparse-RS does not rely on substitute models and achieves state-of-the-art success rate and query efficiency for multiple sparse attack models.
arXiv Detail & Related papers (2020-06-23T08:50:37Z)
- Toward Adversarial Robustness via Semi-supervised Robust Training [93.36310070269643]
Adversarial examples have been shown to be a severe threat to deep neural networks (DNNs).
We propose a novel defense method, the robust training (RT), by jointly minimizing two separated risks ($R_{stand}$ and $R_{rob}$).
arXiv Detail & Related papers (2020-03-16T02:14:08Z)