Improving Generalization of Universal Adversarial Perturbation via Dynamic Maximin Optimization

Yechao Zhang, Yingzhe Xu, Junyu Shi, Leo Yu Zhang, Shengshan Hu, Minghui Li, Yanjun Zhang

TL;DR

The paper addresses the challenge that universal adversarial perturbations often fail to generalize across models due to optimization against static parameter states. It introduces DM-UAP, a dynamic maximin framework that jointly optimizes over evolving model and data neighborhoods through an iterative max-min-min scheme and curriculum learning, updating the perturbation with Adam while constraining it to $\|\delta\|_\infty \le \epsilon$. Across ImageNet experiments, DM-UAP achieves superior cross-sample universality and cross-model transferability compared with state-of-the-art baselines, notably showing a $12.108\%$ average fooling-ratio improvement with as few as $500$ training samples. The work demonstrates that exposing UAP generation to dynamic model landscapes substantially strengthens perturbations, with practical implications for robustness research and defense development, albeit with higher computational costs.
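As an added illustration (not the paper's code), the max-min-min flow described above on a two-feature logistic model with constructed data: the inner loop descends the loss over inputs and then parameters inside L∞ neighborhoods whose radii grow over iterations (the curriculum), and the outer loop takes an Adam ascent step on the shared perturbation and projects it back to $\|\delta\|_\infty \le \epsilon$. The model, data, step sizes, radii and the data-then-model order are assumptions; setting both radii to zero recovers the static single-model flow for comparison.

```python
import numpy as np  # added toy re-implementation of the max-min-min flow, not the paper's code

EPS = 0.5                                            # L_inf budget for the UAP
rng = np.random.default_rng(0)
X = rng.normal(size=(200, 2))                        # constructed inputs
THETA = np.array([1.5, -1.0, 0.2])                   # constructed logistic model: w1, w2, b
Y = (X @ THETA[:2] + THETA[2] > 0).astype(float)     # labels the model predicts correctly

def grads(theta, x, y):
    """Cross-entropy gradients: per-sample w.r.t. inputs, mean-loss w.r.t. parameters."""
    p = 1.0 / (1.0 + np.exp(-(x @ theta[:2] + theta[2])))
    dz = p - y                                       # dL_i/dz_i for logistic loss
    g_x = np.outer(dz, theta[:2])                    # dL_i/dx_i = dz_i * w
    g_theta = np.append(x.T @ dz, dz.sum()) / len(y)
    return g_x, g_theta

def inner_min(theta, x, y, delta, r_model, r_data, steps=3, lr=0.5):
    """Min-min: descend the loss over inputs, then parameters, projecting each back
    into an L_inf neighborhood of the originals (the 'optimal' model-data pair)."""
    x_opt, th_opt = x.copy(), theta.copy()
    for _ in range(steps):
        g_x, _ = grads(th_opt, x_opt + delta, y)
        x_opt = x + np.clip(x_opt - lr * g_x - x, -r_data, r_data)
        _, g_theta = grads(th_opt, x_opt + delta, y)
        th_opt = theta + np.clip(th_opt - lr * g_theta - theta, -r_model, r_model)
    return th_opt, x_opt

def fooling_ratio(theta, x, delta):
    """Share of inputs whose predicted label changes once delta is added."""
    clean = x @ theta[:2] + theta[2] > 0
    perturbed = (x + delta) @ theta[:2] + theta[2] > 0
    return float(np.mean(clean != perturbed))

def dm_uap(theta, x, y, eps=EPS, iters=60, lr=0.05, r_model=0.3, r_data=0.2):
    """Outer max over delta with Adam against the inner-min model-data pair; the
    neighborhood radii grow linearly from ~0 to their final size (curriculum).
    r_model = r_data = 0 recovers the static flow of Fig. 1(a)."""
    delta, m, v = np.zeros(x.shape[1]), np.zeros(x.shape[1]), np.zeros(x.shape[1])
    b1, b2 = 0.9, 0.999
    for t in range(1, iters + 1):
        frac = t / iters
        th_opt, x_opt = inner_min(theta, x, y, delta, r_model * frac, r_data * frac)
        g_x, _ = grads(th_opt, x_opt + delta, y)
        g = g_x.mean(axis=0)                         # ascent direction for the shared delta
        m, v = b1 * m + (1 - b1) * g, b2 * v + (1 - b2) * g * g
        step = lr * (m / (1 - b1 ** t)) / (np.sqrt(v / (1 - b2 ** t)) + 1e-8)
        delta = np.clip(delta + step, -eps, eps)     # project onto ||delta||_inf <= eps
    return delta
```

Comparing `fooling_ratio(THETA, X, dm_uap(THETA, X, Y))` with the `r_model=r_data=0` run shows, on this toy model, how much of the measured fooling ratio depends on the parameter snapshot the perturbation was fitted to.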

Abstract

Deep neural networks (DNNs) are susceptible to universal adversarial perturbations (UAPs). These perturbations are meticulously designed to fool the target model universally across all sample classes. Unlike instance-specific adversarial examples (AEs), generating UAPs is more complex because they must be generalized across a wide range of data samples and models. Our research reveals that existing universal attack methods, which optimize UAPs using DNNs with static model parameter snapshots, do not fully leverage the potential of DNNs to generate more effective UAPs. Rather than optimizing UAPs against static DNN models with a fixed training set, we suggest using dynamic model-data pairs to generate UAPs. In particular, we introduce a dynamic maximin optimization strategy, aiming to optimize the UAP across a variety of optimal model-data pairs. We term this approach DM-UAP. DM-UAP utilizes an iterative max-min-min optimization framework that refines the model-data pairs, coupled with a curriculum UAP learning algorithm to examine the combined space of model parameters and data thoroughly. Comprehensive experiments on the ImageNet dataset demonstrate that the proposed DM-UAP markedly enhances both cross-sample universality and cross-model transferability of UAPs. Using only 500 samples for UAP generation, DM-UAP outperforms the state-of-the-art approach with an average increase in fooling ratio of 12.108%.

Paper Structure

This paper contains 14 sections, 8 equations, 3 figures, 6 tables, 1 algorithm.

Figures (3)

  • Figure 1: The illustration of different optimization flows: a) the averaged-maximizing formulation uses the original data and model for UAP generation; b) the adversarial-input-maximizing formulation uses the model and original inputs to obtain optimized inputs, then uses the model and optimized inputs for UAP generation; c) the dual-maximizing formulation uses the original model and original inputs to obtain optimized models and inputs, then uses them for UAP generation.
  • Figure 2: Average fooling ratio (%) on five models in the diverse-sample training scenarios. The UAPs are crafted by UAP, GAP, SPGD, SGA, and our DM-UAP on VGG19.
  • Figure 3: Ablation study on model and data optimization. (a) Fooling ratios of DM-UAP with/without curriculum learning, i.e., increasing neighborhood sizes. (b) Fooling ratio by different optimization orders in the white-box setting for five models. (c) Fooling ratios of DM-UAP with/without data optimization for different model neighborhood sizes. (d) Fooling ratios of DM-UAP with/without model optimization for different data neighborhood sizes.