
$\sigma$-zero: Gradient-based Optimization of $\ell_0$-norm Adversarial Examples (2402.01879v3)

Published 2 Feb 2024 in cs.LG, cs.CV, and cs.CR

Abstract: Evaluating the adversarial robustness of deep networks to gradient-based attacks is challenging. While most attacks consider $\ell_2$- and $\ell_\infty$-norm constraints to craft input perturbations, only a few investigate sparse $\ell_1$- and $\ell_0$-norm attacks. In particular, $\ell_0$-norm attacks remain the least studied due to the inherent complexity of optimizing over a non-convex and non-differentiable constraint. However, evaluating adversarial robustness under these attacks could reveal weaknesses otherwise left untested with more conventional $\ell_2$- and $\ell_\infty$-norm attacks. In this work, we propose a novel $\ell_0$-norm attack, called $\sigma$-zero, which leverages a differentiable approximation of the $\ell_0$ norm to facilitate gradient-based optimization, and an adaptive projection operator to dynamically adjust the trade-off between loss minimization and perturbation sparsity. Extensive evaluations using MNIST, CIFAR10, and ImageNet datasets, involving robust and non-robust models, show that $\sigma$-zero finds minimum $\ell_0$-norm adversarial examples without requiring any time-consuming hyperparameter tuning, and that it outperforms all competing sparse attacks in terms of success rate, perturbation size, and efficiency.
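The abstract names two ingredients, a differentiable surrogate for the $\ell_0$ norm and a projection whose threshold adapts to whether the current point is already adversarial. The following toy attack on a linear classifier is an added illustration of those two ideas and is not the paper's code: the surrogate $\sum_i \delta_i^2/(\delta_i^2+\sigma)$, the hinge loss, the threshold update rule, the constructed weights `W`, `B`, input `X`, and all constants are this example's own assumptions, and the paper's exact formulation is not reproduced on this page. On this toy model the sparsest successful attack changes a single feature (raising $x_0$ by 0.6 flips the sign of $f$), whereas the same loop with the sparsity term and the threshold switched off perturbs all ten features.

```python
"""Toy sigma-zero-style sparse (l0) attack on a linear classifier.

Added illustration, not the paper's code. The smooth l0 surrogate
sum_i d_i^2 / (d_i^2 + sigma), the hinge loss and the threshold rule are
this example's own choices (assumption), picked to show the two ideas the
abstract names: a differentiable l0 approximation driving gradient descent,
and a projection whose threshold adapts to trade loss against sparsity.
"""
from typing import List, Optional, Tuple

# Constructed toy model and input (assumption): f(x) = W.x + B, predicted class
# is sign(f). X has true label Y = -1 and f(X) = -1.775, so the model is right;
# an attack must push f(X + delta) above 0 while keeping X + delta in [0, 1]^d.
W = [3.0, -2.0, 0.5, 0.1, -0.3, 1.5, -0.2, 0.4, 0.05, -1.0]
B = -0.5
X = [0.2, 0.9, 0.5, 0.5, 0.5, 0.3, 0.5, 0.5, 0.5, 0.8]
Y = -1


def margin(delta: List[float]) -> float:
    """Y * f(X + delta); the point is adversarial when this is negative."""
    return Y * (sum(w * (x + d) for w, x, d in zip(W, X, delta)) + B)


def l0(delta: List[float]) -> int:
    """Number of perturbed features."""
    return sum(1 for d in delta if d != 0.0)


def smooth_l0_grad(delta: List[float], sigma: float) -> List[float]:
    """Gradient of sum_i d_i^2 / (d_i^2 + sigma). It pulls small entries hard
    toward 0 but barely touches large ones, which is what yields sparsity."""
    return [2.0 * sigma * d / (d * d + sigma) ** 2 for d in delta]


def project(delta: List[float], tau: float) -> List[float]:
    """Box constraint X + delta in [0, 1], then zero every entry below tau."""
    out = []
    for x, d in zip(X, delta):
        d = min(max(d, -x), 1.0 - x)
        out.append(d if abs(d) >= tau else 0.0)
    return out


def sigma_zero_attack(lam: float = 0.1, sigma: float = 1e-2, eta: float = 0.05,
                      tau0: float = 0.02, tau_step: float = 0.01,
                      steps: int = 100) -> Tuple[Optional[List[float]], int]:
    """Gradient descent on hinge(margin) + lam * smooth_l0, followed by the
    box/threshold projection. tau grows while the point is adversarial (demand
    more sparsity) and shrinks when it is not (give the loss term room again).
    Returns the sparsest adversarial delta seen and its l0 (None, d+1 if none)."""
    d = len(W)
    delta = [0.0] * d
    tau = tau0
    best, best_l0 = None, d + 1
    for _ in range(steps):
        m = margin(delta)
        # hinge loss max(m, 0): its gradient Y*W is active only while still correct
        loss_grad = [Y * w if m > 0 else 0.0 for w in W]
        pen_grad = smooth_l0_grad(delta, sigma)
        delta = [dd - eta * (g + lam * p) for dd, g, p in zip(delta, loss_grad, pen_grad)]
        delta = project(delta, tau)
        if margin(delta) < 0:
            if l0(delta) < best_l0:
                best, best_l0 = list(delta), l0(delta)
            tau += tau_step
        else:
            tau = max(tau - tau_step, 0.0)
    return best, best_l0


def dense_baseline(eta: float = 0.05, steps: int = 100) -> int:
    """Same loop with no sparsity term and no threshold: a plain gradient attack."""
    _, k = sigma_zero_attack(lam=0.0, tau0=0.0, tau_step=0.0, eta=eta, steps=steps)
    return k


if __name__ == "__main__":
    delta, k = sigma_zero_attack()
    print("sigma-zero style attack: l0 =", k, "margin =", round(margin(delta), 3))
    print("dense baseline: l0 =", dense_baseline())
```

The oscillation the adaptive threshold produces is the point to watch when running it: once the point is adversarial the hinge gradient vanishes, the surrogate shrinks the small entries and the rising threshold removes them; when sparsification overshoots and the point stops being adversarial, the loss gradient re-grows the most useful coordinate while the still-high threshold discards the rest, which is how the loop ends up on the one-feature solution.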
