DMS: Addressing Information Loss with More Steps for Pragmatic Adversarial Attacks
Zhiyu Zhu, Jiayu Zhang, Xinyi Wang, Zhibo Jin, Huaming Chen
TL;DR
This work addresses the practical challenge that information loss during image storage can substantially reduce adversarial attack effectiveness, especially for transferable attacks. It introduces Do More Steps (DMS), a two-part framework consisting of DMS-AI (gradient-guided adversarial integerization) and DMS-AS (integrated-gradients-based attribution selection), to preserve attack potency after non-integer pixel values are stored as integers. The paper formalizes the problem, details the algorithms, and demonstrates through extensive experiments on CIFAR-100 and ImageNet across ten models and fourteen attack methods that DMS consistently outperforms traditional integerization approaches (e.g., truncating, rounding, upper) and yields minimal precision loss. The results establish the method’s effectiveness for pragmatic adversarial attacks in real-world storage-constrained environments and offer open-source replication, highlighting a meaningful advance in the robustness and transferability of adversarial examples in practical settings.
Abstract
Despite the exceptional performance of deep neural networks (DNNs) across different domains, they are vulnerable to adversarial samples, in particular for tasks related to computer vision. This vulnerability is further influenced by the digital container formats used in computers, where discrete numerical values are commonly used for storing pixel values. This paper examines how information loss in file formats impacts the effectiveness of adversarial attacks. Notably, we observe a pronounced hindrance to adversarial attack performance due to the information loss of the non-integer pixel values. To address this issue, we explore leveraging the gradient information of the attack samples within the model to mitigate the information loss. We introduce the Do More Steps (DMS) algorithm, which hinges on two core techniques: gradient ascent-based adversarial integerization (DMS-AI) and integrated gradients-based attribution selection (DMS-AS). Our goal is to alleviate this lossy process and retain the attack performance when these adversarial samples are stored digitally. In particular, DMS-AI integerizes the non-integer pixel values according to the gradient direction, and DMS-AS selects the non-integer pixels by comparing attribution results. We conduct thorough experiments to assess the effectiveness of our approach, including implementations of DMS-AI and DMS-AS on two large-scale datasets with a variety of recent gradient-based attack methods. Our empirical findings conclusively demonstrate the superiority of our proposed DMS-AI and DMS-AS pixel integerization methods over the standardised methods, such as the rounding, truncating and upper approaches, in maintaining attack integrity.
