Sparse and Transferable Universal Singular Vectors Attack

Kseniia Kuvshinova, Olga Tsymboi, Ivan Oseledets

TL;DR

This work tackles the vulnerability of deep networks to universal adversarial perturbations under sparsity constraints. It introduces a sparse universal white-box attack based on truncated power iteration to estimate sparse directions from hidden-layer Jacobians, solved via alternating maximization. On ImageNet, the method achieves a fooling rate exceeding 50% while altering only about 5% of pixels, using as few as 256 training samples, and demonstrates strong transferability across diverse architectures including transformers and CNNs. The findings reveal that even highly sparse perturbations can reliably degrade state-of-the-art models, motivating the development of robust defenses and transferability-aware evaluation strategies.

Abstract

Research on adversarial attacks and model vulnerability is one of the fundamental directions in modern machine learning. Recent studies reveal the vulnerability phenomenon, and understanding the mechanisms behind it is essential for improving neural network characteristics and interpretability. In this paper, we propose a novel sparse universal white-box adversarial attack. Our approach is based on truncated power iteration, which provides sparsity to the $(p,q)$-singular vectors of the Jacobian matrices of the hidden layers. Using the ImageNet benchmark validation subset, we analyze the proposed method in various settings, achieving results comparable to dense baselines with more than a 50% fooling rate while damaging only 5% of pixels and utilizing 256 samples for perturbation fitting. We also show that our algorithm admits a higher attack magnitude without affecting the human ability to solve the task. Furthermore, we show that the constructed perturbations are highly transferable among different models without significantly decreasing the fooling rate. Our findings demonstrate the vulnerability of state-of-the-art models to sparse attacks and highlight the importance of developing robust machine learning systems.

Paper Structure

This paper contains 10 sections, 15 equations, 9 figures, 9 tables, 1 algorithm.

Figures (9)

  • Figure 1: Sparse UAPs obtained using the TPower algorithm and corresponding examples of attacked images. Perturbations were computed using the best-performing layers found by grid search.
  • Figure 2: Dependence of Fooling Rate (FR) on $q$ for TPower Attack. For sparse attacks, optimal parameters from grid search were frozen except for $q$ (see Table 1) and reused for the dense one.
  • Figure 3: Universal adversarial perturbations constructed for the VGG19 model.
  • Figure 4: Layer panels: Fooling Rate (FR) dependence on layer ratio for examined models. Training-size panel: an example of fooling rate saturation depending on training set size for optimal hyperparameters; here, one can observe that 256 is the worst-case amount among the most vulnerable models.
  • Figure 5: UAPs and corresponding attacked images obtained using our TPower approach. The $k$ parameter was manually selected such that sparse UAPs reach approximately the same validation Fooling Rate (FR) as SV attacks.
  • ...and 4 more figures