Boosting Adversarial Attacks with Momentum

Dong, Yinpeng; Liao, Fei-Yu; Pang, Tianyu; Su, Hang; Zhu, Jun; Hu, Xiaolin; Li, Jianguo

doi:10.1109/cvpr.2018.00957

Cited by 2,230 publications

(1,960 citation statements)

References 12 publications

Supporting

Mentioning

1,946

Contrasting

Unclassified

Order By: Relevance

“…The development of AEVis was in collaboration with the machine learning team that won first place in the NIPS 2017 non-targeted adversarial attack and targeted adversarial attack competitions, which aimed at attacking CNNs [40], [41]. Despite the promising results they achieved, the experts found the research process inefficient and inconvenient, especially in terms of the explanation of the model outputs.…”

Section: The Design Of Aevismentioning

confidence: 99%

See 1 more Smart Citation

Analyzing the Noise Robustness of Deep Neural Networks

Cao

Liu

et al. 2021

IEEE Trans. Visual. Comput. Graphics

Self Cite

View full text Add to dashboard Cite

A B C D E (a) Input images (b) Datapath visualization at the network-and layer-levels (c) Neuron visualization Figure 1: Explanation why an adversarial panda image is not classified as a panda. The root cause is identified as the neurons in the feature map F A failing to detect the outline of the panda's ear (E) in the adversarial example, which further leads to the failure of detecting the panda's ear (B) in F C1 . Abstract-Adversarial examples, generated by adding small but intentionally imperceptible perturbations to normal examples, can mislead deep neural networks (DNNs) to make incorrect predictions. Although much work has been done on both adversarial attack and defense, a fine-grained understanding of adversarial examples is still lacking. To address this issue, we present a visual analysis method to explain why adversarial examples are misclassified. The key is to compare and analyze the datapaths of both the adversarial and normal examples. A datapath is a group of critical neurons along with their connections. We formulate the datapath extraction as a subset selection problem and solve it by constructing and training a neural network. A multi-level visualization consisting of a network-level visualization of data flows, a layer-level visualization of feature maps, and a neuron-level visualization of learned features, has been designed to help investigate how datapaths of adversarial and normal examples diverge and merge in the prediction process. A quantitative evaluation and a case study were conducted to demonstrate the promise of our method to explain the misclassification of adversarial examples.

show abstract

Section: The Design Of Aevismentioning

confidence: 99%

“…He would like to see whether AEVis could help him gain a better understanding of the misclassification of adversarial examples. The DEV dataset contains 1000 images of different classes, and for each image, we generated an adversarial image using the non-targeted attacking method developed by the winning team [40], [52].…”

Section: Case Studymentioning

confidence: 99%

Analyzing the Noise Robustness of Deep Neural Networks

Cao

Liu

et al. 2021

IEEE Trans. Visual. Comput. Graphics

Self Cite

View full text Add to dashboard Cite

show abstract

“…In [10], it was discovered that adding the momentum term into the iterative process for attacks lead to more stable optimization trajectory. It is determined that adversarial examples generated with the iterative method with the use of momentum are more suitable for white-box attacks than the ones generated without the use of momentum.…”

Section: B Related Workmentioning

confidence: 99%

On Adversarial Patches: Real-World Attack on ArcFace-100 Face Recognition System

Pautov¹,

Melnikov²,

Kaziakhmedov³

et al. 2019

2019 International Multi-Conference on Engineering, Computer and Information Sciences (SIBIRCON)

View full text Add to dashboard Cite

Recent works showed the vulnerability of image classifiers to adversarial attacks in the digital domain. However, the majority of attacks involve adding small perturbation to an image to fool the classifier. Unfortunately, such procedures can not be used to conduct a real-world attack, where adding an adversarial attribute to the photo is a more practical approach.In this paper, we study the problem of real-world attacks on face recognition systems. We examine security of one of the best public face recognition systems, LResNet100E-IR with ArcFace loss, and propose a simple method to attack it in the physical world. The method suggests creating an adversarial patch that can be printed, added as a face attribute and photographed; the photo of a person with such attribute is then passed to the classifier such that the classifier's recognized class changes from correct to the desired one. Proposed generating procedure allows projecting adversarial patches not only on different areas of the face, such as nose or forehead but also on some wearable accessory, such as eyeglasses.

show abstract

“…Our core idea is to incorporate an l 2 norm-based adversarial attack into the training process, and leverage its perturbation magnitude as an estimation of the geometric margin. Current stateof-the-art attacks typically achieve ∼100% success rate on powerful DNNs [3], [19], [20], while the norm of perturbation can be reasonably small and thus fairly close to the real margin values. Since the adversarial perturbation is also parameterized by the network parameters (including weights and biases), our AMM regularizer can be jointly learned with the original objective through back-propagation.…”

Section: Introductionmentioning

confidence: 99%

Adversarial Margin Maximization Networks

Yan

Guo²,

Zhang

2021

IEEE Trans. Pattern Anal. Mach. Intell.

View full text Add to dashboard Cite

The tremendous recent success of deep neural networks (DNNs) has sparked a surge of interest in understanding their predictive ability. Unlike the human visual system which is able to generalize robustly and learn with little supervision, DNNs normally require a massive amount of data to learn new concepts. In addition, research works also show that DNNs are vulnerable to adversarial examples-maliciously generated images which seem perceptually similar to the natural ones but are actually formed to fool learning models, which means the models have problem generalizing to unseen data with certain type of distortions. In this paper, we analyze the generalization ability of DNNs comprehensively and attempt to improve it from a geometric point of view. We propose adversarial margin maximization (AMM), a learning-based regularization which exploits an adversarial perturbation as a proxy. It encourages a large margin in the input space, just like the support vector machines. With a differentiable formulation of the perturbation, we train the regularized DNNs simply through back-propagation in an end-to-end manner. Experimental results on various datasets (including MNIST, CIFAR-10/100, SVHN and ImageNet) and different DNN architectures demonstrate the superiority of our method over previous state-of-the-arts. Code and models for reproducing our results will be made publicly available.

show abstract

Boosting Adversarial Attacks with Momentum

Cited by 2,230 publications

References 12 publications

Analyzing the Noise Robustness of Deep Neural Networks

Analyzing the Noise Robustness of Deep Neural Networks

On Adversarial Patches: Real-World Attack on ArcFace-100 Face Recognition System

Adversarial Margin Maximization Networks

Contact Info

Product

Resources

About