Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Sparse patches adversarial attacks via extrapolating point-wise information

Yaniv Nemcovsky, Avi Mendelson, Chaim Baskin

TL;DR

This work suggests a novel approach for sparse patches adversarial attacks via point-wise trimming dense adversarial perturbations that enables simultaneous optimization of multiple sparse patches' locations and perturbations for any given number and shape.

Abstract

Sparse and patch adversarial attacks were previously shown to be applicable in realistic settings and are considered a security risk to autonomous systems. Sparse adversarial perturbations constitute a setting in which the adversarial perturbations are limited to affecting a relatively small number of points in the input. Patch adversarial attacks denote the setting where the sparse attacks are limited to a given structure, i.e., sparse patches with a given shape and number. However, previous patch adversarial attacks do not simultaneously optimize multiple patches' locations and perturbations. This work suggests a novel approach for sparse patches adversarial attacks via point-wise trimming dense adversarial perturbations. Our approach enables simultaneous optimization of multiple sparse patches' locations and perturbations for any given number and shape. Moreover, our approach is also applicable for standard sparse adversarial attacks, where we show that it significantly improves the state-of-the-art over multiple extensive settings. A reference implementation of the proposed method and the reported experiments is provided at \url{https://github.com/yanemcovsky/SparsePatches.git}

Sparse patches adversarial attacks via extrapolating point-wise information

TL;DR

This work suggests a novel approach for sparse patches adversarial attacks via point-wise trimming dense adversarial perturbations that enables simultaneous optimization of multiple sparse patches' locations and perturbations for any given number and shape.

Abstract

Sparse and patch adversarial attacks were previously shown to be applicable in realistic settings and are considered a security risk to autonomous systems. Sparse adversarial perturbations constitute a setting in which the adversarial perturbations are limited to affecting a relatively small number of points in the input. Patch adversarial attacks denote the setting where the sparse attacks are limited to a given structure, i.e., sparse patches with a given shape and number. However, previous patch adversarial attacks do not simultaneously optimize multiple patches' locations and perturbations. This work suggests a novel approach for sparse patches adversarial attacks via point-wise trimming dense adversarial perturbations. Our approach enables simultaneous optimization of multiple sparse patches' locations and perturbations for any given number and shape. Moreover, our approach is also applicable for standard sparse adversarial attacks, where we show that it significantly improves the state-of-the-art over multiple extensive settings. A reference implementation of the proposed method and the reported experiments is provided at \url{https://github.com/yanemcovsky/SparsePatches.git}

Paper Structure

This paper contains 12 sections, 6 equations, 5 figures, 3 algorithms.

Table of Contents

  1. Introduction
  2. Background
  3. Method
  4. TrimStep
  5. PGDTrim and PGDTrimKernel
  6. Experiments
  7. Experimental settings.
  8. Experimental results
  9. Discussion
  10. Adversarial attacks
  11. Optimization scheme
  12. Attacks Algorithms

Figures (5)

  • Figure 1: Flowchart of our sparse (top) and $2\times2$ patch (bottom) adversarial attacks trim process on Imagenet standard $Resnet50$ model, for attacks bounded to $\epsilon_0=224$. We present the adversarial inputs produced for distinct $\epsilon_0$ bounds during the process and the predicted label for each, compared to the true label.
  • Figure 2: We compare our method to previous sparse attack works(left) and with various patch sizes (right) on the Imagenet dataset $InceptionV3$ model. We report the ASR as a function of $l_0$ for all attacks.
  • Figure 3: We compare our method to previous sparse attack works(left) and with various patch sizes (right) on the Imagenet dataset Resnet50 standard model. We report the ASR as a function of $l_0$ for all attacks.
  • Figure 4: We compare our method to previous sparse attack works(left) and with various patch sizes (right) on the Imagenet dataset Resnet50 robust model. We report the ASR as a function of $l_0$ for all attacks.
  • Figure 5: We compare our method to previous works on the Imagenet dataset, visual transformer-based SwinB model (left), and ConvNextB model (right). We report the ASR as a function of $l_0$ over sparse adversarial attacks.