Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

PGD-Imp: Rethinking and Unleashing Potential of Classic PGD with Dual Strategies for Imperceptible Adversarial Attacks

Jin Li, Zitong Yu, Ziqiang He, Z. Jane Wang, Xiangui Kang

TL;DR

This work reframes imperceptible adversarial attacks as an optimization problem focused on crossing the model's decision boundary with minimal perturbation. It introduces PGD-Imp, two simple strategies—Dynamic Step Size and Adaptive Early Stop—that enhance the classical PGD framework without external perceptual modules. Empirically, PGD-Imp achieves state-of-the-art imperceptible performance in both untargeted and targeted settings, including 100% ASR on ResNet-50 with strong image quality metrics and reduced runtime. The approach highlights that efficient, cost-minimized boundary crossing can yield highly imperceptible attacks and offers a basis for further exploration of decision-boundary interpretations and defenses.

Abstract

Imperceptible adversarial attacks have recently attracted increasing research interests. Existing methods typically incorporate external modules or loss terms other than a simple $l_p$-norm into the attack process to achieve imperceptibility, while we argue that such additional designs may not be necessary. In this paper, we rethink the essence of imperceptible attacks and propose two simple yet effective strategies to unleash the potential of PGD, the common and classical attack, for imperceptibility from an optimization perspective. Specifically, the Dynamic Step Size is introduced to find the optimal solution with minimal attack cost towards the decision boundary of the attacked model, and the Adaptive Early Stop strategy is adopted to reduce the redundant strength of adversarial perturbations to the minimum level. The proposed PGD-Imperceptible (PGD-Imp) attack achieves state-of-the-art results in imperceptible adversarial attacks for both untargeted and targeted scenarios. When performing untargeted attacks against ResNet-50, PGD-Imp attains 100$\%$ (+0.3$\%$) ASR, 0.89 (-1.76) $l_2$ distance, and 52.93 (+9.2) PSNR with 57s (-371s) running time, significantly outperforming existing methods.

PGD-Imp: Rethinking and Unleashing Potential of Classic PGD with Dual Strategies for Imperceptible Adversarial Attacks

TL;DR

This work reframes imperceptible adversarial attacks as an optimization problem focused on crossing the model's decision boundary with minimal perturbation. It introduces PGD-Imp, two simple strategies—Dynamic Step Size and Adaptive Early Stop—that enhance the classical PGD framework without external perceptual modules. Empirically, PGD-Imp achieves state-of-the-art imperceptible performance in both untargeted and targeted settings, including 100% ASR on ResNet-50 with strong image quality metrics and reduced runtime. The approach highlights that efficient, cost-minimized boundary crossing can yield highly imperceptible attacks and offers a basis for further exploration of decision-boundary interpretations and defenses.

Abstract

Imperceptible adversarial attacks have recently attracted increasing research interests. Existing methods typically incorporate external modules or loss terms other than a simple -norm into the attack process to achieve imperceptibility, while we argue that such additional designs may not be necessary. In this paper, we rethink the essence of imperceptible attacks and propose two simple yet effective strategies to unleash the potential of PGD, the common and classical attack, for imperceptibility from an optimization perspective. Specifically, the Dynamic Step Size is introduced to find the optimal solution with minimal attack cost towards the decision boundary of the attacked model, and the Adaptive Early Stop strategy is adopted to reduce the redundant strength of adversarial perturbations to the minimum level. The proposed PGD-Imperceptible (PGD-Imp) attack achieves state-of-the-art results in imperceptible adversarial attacks for both untargeted and targeted scenarios. When performing untargeted attacks against ResNet-50, PGD-Imp attains 100 (+0.3) ASR, 0.89 (-1.76) distance, and 52.93 (+9.2) PSNR with 57s (-371s) running time, significantly outperforming existing methods.

Paper Structure

This paper contains 11 sections, 5 equations, 3 figures, 4 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Methodology
  3. Preliminary
  4. Proposed PGD-Imp: Dynamic Step Size
  5. Proposed PGD-Imp: Adaptive Early Stop
  6. Experiments
  7. Experimental Setup
  8. Comparison with State-of-the-arts
  9. Ablation Study
  10. Discussion
  11. Conclusion

Figures (3)

  • Figure 1: Illustration of our key idea and the proposed method. The essence of imperceptible adversarial attacks lies in pushing the image across the decision boundary of the attacked model with minimal cost. To fulfill this, we propose two simple yet ingenious strategies, Dynamic Step Size and Adaptive Early Stop, to unleash the potential of classic PGD for imperceptibility.
  • Figure 2: Visualization of four imperceptible attacks for untargeted scenario. Perturbations within the images are amplified as marked for better observation.
  • Figure 3: Experimental results on the effect of Step $T$ and $\epsilon$ on the proposed PGD-Imp. The attacked model is ResNet-50.