
Sparse and Transferable Universal Singular Vectors Attack (2401.14031v1)

Published 25 Jan 2024 in cs.LG, cs.CR, and cs.CV

Abstract: The research in the field of adversarial attacks and models' vulnerability is one of the fundamental directions in modern machine learning. Recent studies reveal the vulnerability phenomenon, and understanding the mechanisms behind it is essential for improving neural network characteristics and interpretability. In this paper, we propose a novel sparse universal white-box adversarial attack. Our approach is based on truncated power iteration, which provides sparsity to the $(p,q)$-singular vectors of the Jacobian matrices of the hidden layers. Using the ImageNet benchmark validation subset, we analyze the proposed method in various settings, achieving results comparable to dense baselines with more than a 50% fooling rate while damaging only 5% of pixels and utilizing 256 samples for perturbation fitting. We also show that our algorithm admits a higher attack magnitude without affecting the human ability to solve the task. Furthermore, we show that the constructed perturbations are highly transferable among different models without significantly decreasing the fooling rate. Our findings demonstrate the vulnerability of state-of-the-art models to sparse attacks and highlight the importance of developing robust machine learning systems.
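The abstract describes the attack only at the level of its ingredients: stack the hidden-layer Jacobians of a batch of samples, run a generalized power iteration for the $(p,q)$-singular vector, and truncate so that the perturbation touches few pixels. The example below is an added illustration of that recipe and is not the authors' code or their exact algorithm. It assumes the standard $(p,q)$ power update $v \leftarrow \psi_{p'}(J^\top \psi_q(J v))$ with $\psi_r(z) = \mathrm{sign}(z)|z|^{r-1}$ and $p' = p/(p-1)$, applies hard thresholding to the gradient before the dual map (a choice made here; the paper may truncate differently), and uses a constructed two-layer ReLU network with fixed-seed weights and random inputs as a stand-in for an ImageNet classifier. The functions `make_toy_model`, `make_batch`, `truncated_pq_power_iteration`, `fooling_rate` and `run_demo` are names introduced for this example.

```python
"""Sparse universal perturbation via truncated (p,q)-power iteration on stacked
hidden-layer Jacobians. Added illustration of the idea in the abstract; not the
authors' code. The toy ReLU network, its weights and the input batch are
constructed here with fixed seeds and stand in for a real classifier."""
import numpy as np

N_PIX, N_HID, N_CLS, BATCH = 64, 32, 10, 32  # toy "image" with 64 pixels


def make_toy_model(seed=0):
    """Random two-layer ReLU classifier (constructed stand-in for a real model)."""
    rng = np.random.default_rng(seed)
    W1 = rng.standard_normal((N_HID, N_PIX)) / np.sqrt(N_PIX)
    b1 = 0.1 * rng.standard_normal(N_HID)
    W2 = rng.standard_normal((N_CLS, N_HID)) / np.sqrt(N_HID)
    return W1, b1, W2


def make_batch(seed=1):
    """Constructed batch of inputs in [0, 1]^N_PIX (plays the role of the 256 fit samples)."""
    return np.random.default_rng(seed).random((BATCH, N_PIX))


def hidden(W1, b1, x):
    return np.maximum(W1 @ x + b1, 0.0)


def predict(W1, b1, W2, x):
    return int(np.argmax(W2 @ hidden(W1, b1, x)))


def hidden_jacobian(W1, b1, x):
    """d relu(W1 x + b1) / dx = diag(1[pre-activation > 0]) W1."""
    mask = (W1 @ x + b1 > 0).astype(float)
    return mask[:, None] * W1


def stacked_jacobian(W1, b1, X):
    """One perturbation is fitted against the Jacobians of every sample at once;
    that shared fit is what makes it universal."""
    return np.vstack([hidden_jacobian(W1, b1, x) for x in X])


def psi(z, r):
    """psi_r(z) = sign(z)|z|^(r-1): gradient direction of ||z||_r^r / r."""
    return np.sign(z) * np.abs(z) ** (r - 1)


def truncate(v, k):
    """Hard-threshold: keep the k largest-magnitude coordinates, zero the rest."""
    out = np.zeros_like(v)
    keep = np.argpartition(np.abs(v), -k)[-k:]
    out[keep] = v[keep]
    return out


def gain(J, v, q):
    """Attack objective ||J v||_q, evaluated with v kept at ||v||_p = 1."""
    return float(np.linalg.norm(J @ v, ord=q))


def top_singular_value(J):
    return float(np.linalg.svd(J, compute_uv=False)[0])


def truncated_pq_power_iteration(J, p, q, k=None, iters=50, seed=0):
    """Maximise ||J v||_q over ||v||_p = 1 with at most k nonzeros in v.
    Update: v <- psi_{p'}(J^T psi_q(J v)), p' = p/(p-1); the gradient is
    truncated to its k largest entries before the dual map. Returns v and the
    objective after every iteration (index 0 is the random initial guess)."""
    rng = np.random.default_rng(seed)
    p_dual = 1.0 if np.isinf(p) else p / (p - 1.0)
    v = rng.standard_normal(J.shape[1])
    if k is not None:
        v = truncate(v, k)
    v /= np.linalg.norm(v, ord=p)
    history = [gain(J, v, q)]
    for _ in range(iters):
        g = J.T @ psi(J @ v, q)  # gradient of ||Jv||_q^q / q with respect to v
        if k is not None:
            g = truncate(g, k)   # sparsify first: for p = inf, psi_1 is sign() and
                                 # would erase the magnitudes the top-k choice needs
        v = psi(g, p_dual)
        v /= np.linalg.norm(v, ord=p)
        history.append(gain(J, v, q))
    return v, history


def fooling_rate(W1, b1, W2, X, v, eps):
    """Fraction of inputs whose predicted class changes under x + eps * v."""
    flipped = 0
    for x in X:
        x_adv = np.clip(x + eps * v, 0.0, 1.0)  # stay inside the valid pixel range
        flipped += predict(W1, b1, W2, x) != predict(W1, b1, W2, x_adv)
    return flipped / len(X)


def run_demo(k=6, q=10.0, eps=0.3, seed=0):
    """L_inf-bounded perturbation on at most k of N_PIX pixels, fitted on one batch."""
    W1, b1, W2 = make_toy_model(seed)
    X = make_batch(seed + 1)
    J = stacked_jacobian(W1, b1, X)
    v, hist = truncated_pq_power_iteration(J, np.inf, q, k=k, seed=seed)
    return {
        "nonzeros": int(np.count_nonzero(v)),
        "linf_norm": float(np.linalg.norm(v, ord=np.inf)),
        "gain_start": hist[0],
        "gain_end": hist[-1],
        "fooling_rate": fooling_rate(W1, b1, W2, X, v, eps),
    }


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val}")
```

Two properties worth checking when reusing this on a real model: with $p=\infty$ the objective $\|Jv\|_q^q$ is convex, and each truncated sign update maximizes its linearization over the sparse box, so the objective never decreases across iterations; with $p=q=2$ the sparse gain can never exceed the top singular value of $J$, which is the dense baseline the abstract compares against. The fooling rate of the toy network is reported for illustration only and says nothing about ImageNet models; the budget $k$ plays the role of the 5% pixel limit and `eps` the attack magnitude.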
