Patch-Fool: Are Vision Transformers Always Robust Against Adversarial Perturbations?

Fu, Yonggan; Zhang, Shunyao; Wang, Shang; Wei, Cheng; Lin, Yingyan

doi:10.48550/arxiv.2203.08392

Cited by 6 publications

(13 citation statements)

References 44 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…After obtaining the bias-only model, the following procedure in Step 2 of the DSA framework localizes and masks the spurious (sensitive) features via adversarial attacks that are generated using the Patch-Fool construction proposed in [13]. Specifically, Patch-Fool is designed to fool the self-attention mechanism in ViTs by attacking their basic component (i.e., a single patch) with a series of attentionaware optimization techniques, demonstrating that the ViTs are more vulnerable to adversarial attacks than the CNNs.…”

Section: Adversarial Attack Against the Bias-only Modelmentioning

confidence: 99%

“…Specifically, Patch-Fool is designed to fool the self-attention mechanism in ViTs by attacking their basic component (i.e., a single patch) with a series of attentionaware optimization techniques, demonstrating that the ViTs are more vulnerable to adversarial attacks than the CNNs. However, in contrast to [13], instead of applying Patch-Fool as an adversarial attack method to evaluate the robustness of ViT, we utilize it to efficiently localize and mask the sensitive features in the inputs. To this end, we adapt the objective function of Patch-Fool in order to attack the bias-only model on the sensitive labels instead of the target labels.…”

Section: Adversarial Attack Against the Bias-only Modelmentioning

confidence: 99%

“…where E denotes the adversarial perturbation; 1 ∈ R n is the identifying one-hot vector demonstrating whether current pth patch is selected or not; represents the penetrating face product [13]. Thus, the Patch-Fool needs to (1) select the adversarial patch p, and (2) optimize the corresponding adversarial attack, E. Selection of p: For encoder blocks in the ViT, we define:…”

Section: Adversarial Attack Against the Bias-only Modelmentioning

confidence: 99%

“…Studying the robustness of ViT has recently attracted a growing interest [2,13,38,50,68]. It is critical to improve ViT's robustness in order to deploy them safely in the realworld.…”

Section: Introductionmentioning

confidence: 99%

“…DSA relies on the intuitive hypothesis that the adversarial attacks initially designed to evaluate and understand the robustness of ViT can also be a viable approach for identifying and removing the spurious features towards training the fair ViT models. Meanwhile, whether the approaches that generate adversarial examples for CNN are transferable to ViT remains a matter of contention [17,41,44,45,53], the work in [13] propose Patch-Fool as one of the first approaches to fool the self-attention mechanism by attacking image patches (as opposed to pixels) during ViT's selfattention computations. In this work, we apply Patch-Fool to attack the bias-only model with the goal of capturing the most important patches for learning the sensitive attributes.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Fairness-aware Vision Transformer via Debiased Self-Attention

Yao¹,

Li²,

Khanduri³

et al. 2023

Preprint

View full text Add to dashboard Cite

Vision Transformer (ViT) has recently gained significant interest in solving computer vision (CV) problems due to its capability of extracting informative features and modeling long-range dependencies through the self-attention mechanism. To fully realize the advantages of ViT in realworld applications, recent works have explored the trustworthiness of ViT, including its robustness and explainability. However, another desiderata, fairness has not yet been adequately addressed in the literature. We establish that the existing fairness-aware algorithms (primarily designed for CNNs) do not perform well on ViT. This necessitates the need for developing our novel framework via Debiased Self-Attention (DSA). DSA is a fairness-through-blindness approach that enforces ViT to eliminate spurious features correlated with the sensitive attributes for bias mitigation. Notably, adversarial examples are leveraged to locate and mask the spurious features in the input image patches. In addition, DSA utilizes an attention weights alignment regularizer in the training objective to encourage learning informative features for target prediction. Importantly, our DSA framework leads to improved fairness guarantees over prior works on multiple prediction tasks without compromising target prediction performance.

show abstract

Section: Adversarial Attack Against the Bias-only Modelmentioning

confidence: 99%

Section: Adversarial Attack Against the Bias-only Modelmentioning

confidence: 99%

Section: Adversarial Attack Against the Bias-only Modelmentioning

confidence: 99%

“…Studying the robustness of ViT has recently attracted a growing interest [2,13,38,50,68]. It is critical to improve ViT's robustness in order to deploy them safely in the realworld.…”

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Fairness-aware Vision Transformer via Debiased Self-Attention

Yao¹,

Li²,

Khanduri³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

Open-Set Adversarial Defense

Shao

Perera

Yuen

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Previous studies have shown the vulnerability of vision transformers to adversarial patches, but these studies all rely on a critical assumption: the attack patches must be perfectly aligned with the patches used for linear projection in vision transformers. Due to this stringent requirement, deploying adversarial patches for vision transformers in the physical world becomes impractical, unlike their effectiveness on CNNs. This paper proposes a novel method for generating an adversarial patch (G-Patch) that overcomes the alignment constraint, allowing the patch to launch a targeted attack at any position within the field of view. Specifically, instead of directly optimizing the patch using gradients, we employ a GAN-like structure to generate the adversarial patch. Our experiments show the effectiveness of the adversarial patch in achieving universal attacks on vision transformers, both in digital and physical-world scenarios. Additionally, further analysis reveals that the generated adversarial patch exhibits robustness to brightness restriction, color transfer, and random noise. Real-world attack experiments validate the effectiveness of the G-Patch to launch robust attacks even under some very challenging conditions.

show abstract

Securing Tiny Transformer-Based Computer Vision Models: Evaluating Real-World Patch Attacks

Mattei,

Scherer,

Cioflan

et al. 2023

2023 IEEE 9th World Forum on Internet of Things (WF-IoT)

View full text Add to dashboard Cite

Transformers have significantly impacted the field of Computer Vision (CV) and the Internet of Things (IoT), surpassing Convolutional Neural Networks (CNN) in various tasks. However, ensuring the security of CV models for critical realworld IoT applications such as autonomous driving, surveillance, and biomedical technologies is crucial. The adversarial robustness of these models has become a key research area, especially for edge processing. This work evaluates the robustness of Swin tiny and ConvNeXt tiny, specifically focusing on real-world patch attacks in Object Detection scenarios. To ensure a fair comparison, we establish a level playing field between Transformerbased and CNN architectures, examining their vulnerabilities and potential defenses. Experimental results demonstrate the susceptibility of the Swin tiny and ConvNeXt tiny models to patch attacks, resulting in a significant decrease in average precision (AP) for the "Person" class. When trained adversarial patches were applied, the AP drops to 12.8% and 15.2% for Swin tiny and ConvNeXt tiny models, respectively, highlighting their vulnerability to these attacks. This paper contributes to securing CV models on IoT vision devices, providing insights into the robustness of transformer-based architectures against realworld attacks, and advancing the field of adversarial robustness in embedded computer vision.

show abstract

Patch-Fool: Are Vision Transformers Always Robust Against Adversarial Perturbations?

Cited by 6 publications

References 44 publications

Fairness-aware Vision Transformer via Debiased Self-Attention

Fairness-aware Vision Transformer via Debiased Self-Attention

Open-Set Adversarial Defense

Securing Tiny Transformer-Based Computer Vision Models: Evaluating Real-World Patch Attacks

Contact Info

Product

Resources

About