Superpixel Attack: Enhancing Black-box Adversarial Attack with Image-driven Division Areas
- URL: http://arxiv.org/abs/2512.02062v1
- Date: Sat, 29 Nov 2025 05:28:52 GMT
- Title: Superpixel Attack: Enhancing Black-box Adversarial Attack with Image-driven Division Areas
- Authors: Issa Oe, Keiichiro Yamamura, Hiroki Ishikura, Ryo Hamahira, Katsuki Fujisawa
- Abstract summary: Adversarial attacks are used to identify small perturbations that can lead to misclassifications. A promising approach to black-box adversarial attacks is to repeat the process of extracting a specific image area and changing the perturbations added to it. We propose applying superpixels instead, which achieve a good balance between color variance and compactness.
- Score: 1.1417805445492082
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Deep learning models are used in safety-critical tasks such as automated driving and face recognition. However, small perturbations in the model input can significantly change the predictions. Adversarial attacks are used to identify small perturbations that can lead to misclassifications. More powerful black-box adversarial attacks are required to develop more effective defenses. A promising approach to black-box adversarial attacks is to repeat the process of extracting a specific image area and changing the perturbations added to it. Existing attacks adopt simple rectangles as the areas where perturbations are changed in a single iteration. We propose applying superpixels instead, which achieve a good balance between color variance and compactness. We also propose a new search method, versatile search, and a novel attack method, Superpixel Attack, which applies superpixels and performs versatile search. Superpixel Attack improves attack success rates by an average of 2.10% compared with existing attacks. Most models used in this study are robust against adversarial attacks, and this improvement is significant for black-box adversarial attacks. The code is available at https://github.com/oe1307/SuperpixelAttack.git.
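The core idea described in the abstract — segmenting the image into superpixels that balance color similarity against spatial compactness, then updating the perturbation on one segment at a time — can be sketched with a minimal, NumPy-only clustering in joint (color, position) space. This is an illustrative simplification under stated assumptions, not the paper's actual algorithm: the function names, the compactness weighting, the k-means-style iteration, and the single-segment update rule are all assumptions made for the sketch; the authors' real implementation is at the repository linked above.

```python
import numpy as np

def superpixel_labels(image, n_segments=16, compactness=0.1, n_iter=5, seed=0):
    """Cluster pixels on joint (color, position) features, the core idea
    behind SLIC-style superpixels: `compactness` weights the spatial
    coordinates, trading color variance against spatial coherence."""
    h, w, c = image.shape
    ys, xs = np.mgrid[0:h, 0:w]
    # One feature row per pixel: color channels plus weighted coordinates.
    feats = np.concatenate(
        [image.reshape(-1, c),
         compactness * np.stack([ys, xs], axis=-1).reshape(-1, 2).astype(float)],
        axis=1,
    )
    rng = np.random.default_rng(seed)
    centers = feats[rng.choice(h * w, size=n_segments, replace=False)]
    for _ in range(n_iter):
        # Assign each pixel to its nearest center, then recompute centers.
        dists = ((feats[:, None, :] - centers[None, :, :]) ** 2).sum(axis=-1)
        labels = dists.argmin(axis=1)
        for k in range(n_segments):
            mask = labels == k
            if mask.any():
                centers[k] = feats[mask].mean(axis=0)
    return labels.reshape(h, w)

def perturb_superpixel(image, labels, segment_id, eps=8 / 255, sign=+1):
    """Shift every pixel of one superpixel by eps in one direction and clip
    to the valid [0, 1] range -- one candidate 'move' an iterative
    black-box attack would evaluate by querying the model."""
    out = image.copy()
    region = labels == segment_id
    out[region] = np.clip(out[region] + sign * eps, 0.0, 1.0)
    return out
```

In a full attack loop, each candidate image produced by `perturb_superpixel` would be scored with a model query (e.g. the margin loss), and the move kept only if it improves the objective, analogous to how rectangle-based attacks accept or reject square updates.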
Related papers
- Out-of-the-box: Black-box Causal Attacks on Object Detectors [4.3331379059769395]
This paper presents BlackCAtt, a black-box algorithm and tool for constructing explainable, imperceptible, reproducible, architecture-agnostic attacks on object detectors. BlackCAtt works across object detectors of different sizes and architectures, treating the detector as a black box. Our approach is 2.7 times better than the baseline at removing a detection, 3.86 times better at changing a detection, and 5.75 times better at triggering new, spurious detections.
arXiv Detail & Related papers (2025-12-03T12:17:35Z) - Parallel Rectangle Flip Attack: A Query-based Black-box Attack against Object Detection [89.08832589750003]
We propose a Parallel Rectangle Flip Attack (PRFA) via random search to avoid sub-optimal detection near the attacked region.
Our method can effectively and efficiently attack various popular object detectors, including anchor-based and anchor-free, and generate transferable adversarial examples.
arXiv Detail & Related papers (2022-01-22T06:00:17Z) - Delving into the pixels of adversarial samples [0.10152838128195464]
Knowing how image pixels are affected by adversarial attacks has the potential to lead us to better adversarial defenses.
We consider several ImageNet architectures, InceptionV3, VGG19 and ResNet50, as well as several strong attacks.
In particular, input pre-processing plays a previously overlooked role in the effect that attacks have on pixels.
arXiv Detail & Related papers (2021-06-21T11:28:06Z) - Black-box adversarial attacks using Evolution Strategies [3.093890460224435]
We study the generation of black-box adversarial attacks for image classification tasks.
Our results show that the attacked neural networks can be, in most cases, easily fooled by all the algorithms under comparison.
Some black-box optimization algorithms may be better in "harder" setups, both in terms of attack success rate and efficiency.
arXiv Detail & Related papers (2021-04-30T15:33:07Z) - Local Black-box Adversarial Attacks: A Query Efficient Approach [64.98246858117476]
Adversarial attacks have threatened the application of deep neural networks in security-sensitive scenarios.
We propose a novel framework to perturb the discriminative areas of clean examples only within limited queries in black-box attacks.
We conduct extensive experiments to show that our framework can significantly improve the query efficiency during black-box perturbing with a high attack success rate.
arXiv Detail & Related papers (2021-01-04T15:32:16Z) - Learning to Attack with Fewer Pixels: A Probabilistic Post-hoc Framework for Refining Arbitrary Dense Adversarial Attacks [21.349059923635515]
Deep neural network image classifiers are reported to be susceptible to adversarial evasion attacks.
We propose a probabilistic post-hoc framework that refines given dense attacks by significantly reducing the number of perturbed pixels.
Our framework performs adversarial attacks much faster than existing sparse attacks.
arXiv Detail & Related papers (2020-10-13T02:51:10Z) - Online Alternate Generator against Adversarial Attacks [144.45529828523408]
Deep learning models are notoriously sensitive to adversarial examples which are synthesized by adding quasi-perceptible noises on real images.
We propose a portable defense method, online alternate generator, which does not need to access or modify the parameters of the target networks.
The proposed method works by online synthesizing another image from scratch for an input image, instead of removing or destroying adversarial noises.
arXiv Detail & Related papers (2020-09-17T07:11:16Z) - Patch-wise Attack for Fooling Deep Neural Network [153.59832333877543]
We propose a patch-wise iterative algorithm -- a black-box attack towards mainstream normally trained and defense models.
We significantly improve the success rate by 9.2% for defense models and 3.7% for normally trained models on average.
arXiv Detail & Related papers (2020-07-14T01:50:22Z) - RayS: A Ray Searching Method for Hard-label Adversarial Attack [99.72117609513589]
We present the Ray Searching attack (RayS), which greatly improves the hard-label attack effectiveness as well as efficiency.
RayS attack can also be used as a sanity check for possible "falsely robust" models.
arXiv Detail & Related papers (2020-06-23T07:01:50Z) - Spanning Attack: Reinforce Black-box Attacks with Unlabeled Data [96.92837098305898]
Black-box attacks aim to craft adversarial perturbations by querying input-output pairs of machine learning models.
Black-box attacks often suffer from the issue of query inefficiency due to the high dimensionality of the input space.
We propose a novel technique called the spanning attack, which constrains adversarial perturbations in a low-dimensional subspace via spanning an auxiliary unlabeled dataset.
arXiv Detail & Related papers (2020-05-11T05:57:15Z) - Using an ensemble color space model to tackle adversarial examples [22.732023268348787]
We propose a three-step method for defending against such attacks.
First, we denoise the image using statistical methods.
Second, we show that adopting multiple color spaces in the same model can help us to fight these adversarial attacks further.
arXiv Detail & Related papers (2020-03-10T21:20:53Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of the listed information and is not responsible for any consequences of its use.