Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Superpixel Attack: Enhancing Black-box Adversarial Attack with Image-driven Division Areas

Issa Oe, Keiichiro Yamamura, Hiroki Ishikura, Ryo Hamahira, Katsuki Fujisawa

TL;DR

The paper tackles the efficiency of black-box adversarial attacks by optimizing how perturbations are applied to image regions. It introduces Superpixel Attack, which uses SLIC-based superpixels as Update Areas and a versatile search strategy to focus perturbations on image segments, evaluated with CW loss. Across 5,000 ImageNet samples on 19 RobustBench models, the method yields an average 2.10% improvement in attack success rate at 1,000 iterations, indicating practical gains even on robust models. The work also analyzes the relationship between color variance, area compactness, and attack effectiveness, offering a principled design guideline for area selection and providing code for replication.

Abstract

Deep learning models are used in safety-critical tasks such as automated driving and face recognition. However, small perturbations in the model input can significantly change the predictions. Adversarial attacks are used to identify small perturbations that can lead to misclassifications. More powerful black-box adversarial attacks are required to develop more effective defenses. A promising approach to black-box adversarial attacks is to repeat the process of extracting a specific image area and changing the perturbations added to it. Existing attacks adopt simple rectangles as the areas where perturbations are changed in a single iteration. We propose applying superpixels instead, which achieve a good balance between color variance and compactness. We also propose a new search method, versatile search, and a novel attack method, Superpixel Attack, which applies superpixels and performs versatile search. Superpixel Attack improves attack success rates by an average of 2.10% compared with existing attacks. Most models used in this study are robust against adversarial attacks, and this improvement is significant for black-box adversarial attacks. The code is avilable at https://github.com/oe1307/SuperpixelAttack.git.

Superpixel Attack: Enhancing Black-box Adversarial Attack with Image-driven Division Areas

TL;DR

The paper tackles the efficiency of black-box adversarial attacks by optimizing how perturbations are applied to image regions. It introduces Superpixel Attack, which uses SLIC-based superpixels as Update Areas and a versatile search strategy to focus perturbations on image segments, evaluated with CW loss. Across 5,000 ImageNet samples on 19 RobustBench models, the method yields an average 2.10% improvement in attack success rate at 1,000 iterations, indicating practical gains even on robust models. The work also analyzes the relationship between color variance, area compactness, and attack effectiveness, offering a principled design guideline for area selection and providing code for replication.

Abstract

Deep learning models are used in safety-critical tasks such as automated driving and face recognition. However, small perturbations in the model input can significantly change the predictions. Adversarial attacks are used to identify small perturbations that can lead to misclassifications. More powerful black-box adversarial attacks are required to develop more effective defenses. A promising approach to black-box adversarial attacks is to repeat the process of extracting a specific image area and changing the perturbations added to it. Existing attacks adopt simple rectangles as the areas where perturbations are changed in a single iteration. We propose applying superpixels instead, which achieve a good balance between color variance and compactness. We also propose a new search method, versatile search, and a novel attack method, Superpixel Attack, which applies superpixels and performs versatile search. Superpixel Attack improves attack success rates by an average of 2.10% compared with existing attacks. Most models used in this study are robust against adversarial attacks, and this improvement is significant for black-box adversarial attacks. The code is avilable at https://github.com/oe1307/SuperpixelAttack.git.

Paper Structure

This paper contains 15 sections, 5 equations, 4 figures, 1 table, 1 algorithm.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Problem definition
  4. Related work
  5. Research on Update Areas
  6. Update Areas of existing methods
  7. Color variance of Update Areas
  8. Compactness of Update Areas
  9. Superpixel calculated by SLIC
  10. Analysis of color variance and compactness
  11. Superpixel Attack
  12. Update Areas using superpixels
  13. Procedure of versatile search
  14. Experiments
  15. Conclusion

Figures (4)

  • Figure 1: Relationship between ICV, CO and attack success rates
  • Figure 2: Flow of proposed method: Superpixel Attack
  • Figure 3: Transition of attack success rates of each attack method
  • Figure 4: Computational time of superpixels and forward propagation