Table of Contents
Fetching ...

Adaptive Perturbation for Adversarial Attack

Zheng Yuan, Jie Zhang, Zhaoyan Jiang, Liangliang Li, Shiguang Shan

TL;DR

This work identifies a fundamental limitation of sign-based gradient normalization in gradient-based adversarial attacks under the $L_\infty$ budget. It introduces Adaptive Perturbation for Adversarial Attack (APAA), which multiplies the exact loss gradient by a scaling factor $\gamma$ instead of normalizing with the sign function, enabling more accurate update directions and more aggressive early steps. APAA has two variants: a fixed-scaling version and an adaptive-scaling version that uses a per-step scaling-factor generator to tailor $\gamma_t$ to each image, with theoretical analysis (via Shapley interaction) arguing improved black-box transferability. Empirical results on CIFAR-10 and ImageNet show that APAA significantly improves transferability and attack success rates with fewer update steps and smaller perturbations across white-box and black-box settings, outperforming state-of-the-art gradient-based attacks and compatible with multiple baselines.

Abstract

In recent years, the security of deep learning models achieves more and more attentions with the rapid development of neural networks, which are vulnerable to adversarial examples. Almost all existing gradient-based attack methods use the sign function in the generation to meet the requirement of perturbation budget on $L_\infty$ norm. However, we find that the sign function may be improper for generating adversarial examples since it modifies the exact gradient direction. Instead of using the sign function, we propose to directly utilize the exact gradient direction with a scaling factor for generating adversarial perturbations, which improves the attack success rates of adversarial examples even with fewer perturbations. At the same time, we also theoretically prove that this method can achieve better black-box transferability. Moreover, considering that the best scaling factor varies across different images, we propose an adaptive scaling factor generator to seek an appropriate scaling factor for each image, which avoids the computational cost for manually searching the scaling factor. Our method can be integrated with almost all existing gradient-based attack methods to further improve their attack success rates. Extensive experiments on the CIFAR10 and ImageNet datasets show that our method exhibits higher transferability and outperforms the state-of-the-art methods.

Adaptive Perturbation for Adversarial Attack

TL;DR

This work identifies a fundamental limitation of sign-based gradient normalization in gradient-based adversarial attacks under the budget. It introduces Adaptive Perturbation for Adversarial Attack (APAA), which multiplies the exact loss gradient by a scaling factor instead of normalizing with the sign function, enabling more accurate update directions and more aggressive early steps. APAA has two variants: a fixed-scaling version and an adaptive-scaling version that uses a per-step scaling-factor generator to tailor to each image, with theoretical analysis (via Shapley interaction) arguing improved black-box transferability. Empirical results on CIFAR-10 and ImageNet show that APAA significantly improves transferability and attack success rates with fewer update steps and smaller perturbations across white-box and black-box settings, outperforming state-of-the-art gradient-based attacks and compatible with multiple baselines.

Abstract

In recent years, the security of deep learning models achieves more and more attentions with the rapid development of neural networks, which are vulnerable to adversarial examples. Almost all existing gradient-based attack methods use the sign function in the generation to meet the requirement of perturbation budget on norm. However, we find that the sign function may be improper for generating adversarial examples since it modifies the exact gradient direction. Instead of using the sign function, we propose to directly utilize the exact gradient direction with a scaling factor for generating adversarial perturbations, which improves the attack success rates of adversarial examples even with fewer perturbations. At the same time, we also theoretically prove that this method can achieve better black-box transferability. Moreover, considering that the best scaling factor varies across different images, we propose an adaptive scaling factor generator to seek an appropriate scaling factor for each image, which avoids the computational cost for manually searching the scaling factor. Our method can be integrated with almost all existing gradient-based attack methods to further improve their attack success rates. Extensive experiments on the CIFAR10 and ImageNet datasets show that our method exhibits higher transferability and outperforms the state-of-the-art methods.
Paper Structure (22 sections, 2 theorems, 25 equations, 7 figures, 14 tables, 2 algorithms)

This paper contains 22 sections, 2 theorems, 25 equations, 7 figures, 14 tables, 2 algorithms.

Key Result

Proposition 1

The adversarial perturbation generated by MIFGSM with APAA at $m$-th step is given as: where $\bm{g}$ and $\bm{H}$ are the first and second order gradients of $L(\bm{x})$ with respect to $\bm{x}$, respectively,

Figures (7)

  • Figure 1: A two-dimensional toy example to illustrate the difference between our proposed APAA and existing sign-based methods, e.g., BIM kurakin2017adversarial. The loss function is composed of a mixture of Gaussian distributions, as described in \ref{['eqn:example']}. The orange path and blue path represent the update process of BIM and our APAA when generating adversarial examples, respectively. The background color represents the contour of the loss function. During the adversarial attack, we aim to achieve an adversarial example with a larger loss value. Due to the limitation of the sign function, there are only eight possible update directions in the case of a two-dimensional space ((0, 1), (0, -1), (1, 1), (1, -1), (1, 0), (-1, -1), (-1, 0), (-1, 1)). The update direction of BIM is limited and not accurate enough, resulting in only reaching the sub-optimal end-point. Our method can not only obtain a more accurate update direction, but also adjust the step size adaptively. As a result, our APAA may reach the global optimum with a larger probability in fewer steps.
  • Figure 2: The overview of the scaling factor generator. In each step $t$, the gradient of one randomly selected model $C_x$ is first calculated. Simultaneously, the adversarial example from the previous step together with the gradient information are fed into the generator $G_t$ to generate the scaling factor $\gamma_t$. Then the scaling factor and the gradient information are used to generate the adversarial perturbation. The adversarial examples generated in all steps are all fed into another classifier $C_y$ to optimize the parameters of generator $G_t$ through maximizing the cross-entropy loss between the output classification probability and the ground truth label.
  • Figure 3: The comparison of histograms of the interaction inside perturbations generated by our APAA and that of MIFGSM dong2018boosting. Smaller interaction values correspond to better black-box transferability. The experiment is conducted on 1000 images of CIFAR10 testset.
  • Figure 4: The attack success rates vs. perturbation budget curve on CIFAR10. The curves with dotted lines are the results of baseline methods, and those with solid lines are the results of our method. Three subfigures are the average attack success rates of different methods on the white-box model, the black-box normally trained models and the defense models, respectively. The experiment chooses RegNet as the white-box model.
  • Figure 5: Visualization of adversarial examples crafted on IncRes-v2 by MIFGSM dong2018boosting with our proposed APAA$_f$.
  • ...and 2 more figures

Theorems & Definitions (4)

  • Proposition 1: The perturbations generated by MIFGSM with APAA
  • Proposition 2: The interaction inside perturbations generated by MIFGSM with APAA
  • proof
  • proof