Sparse-RS: A Versatile Framework for Query-Efficient Sparse Black-Box Adversarial Attacks

Croce, Francesco; Andriushchenko, Maksym; Singh, Naman Deep; Flammarion, Nicolas; Hein, Matthias

doi:10.1609/aaai.v36i6.20595

Cited by 50 publications

(44 citation statements)

References 40 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We also train a set of 3 models with standard training (no attack). For 1 threat model, we train using adversarial examples generated via APGD (Croce & Hein, 2021). For 2 and ∞ threat models, we use PGD-adversarial training.…”

Section: C2 Additional Evaluation Detailsmentioning

confidence: 99%

“…For all other threat models, we the same attack generation method during training as used for evaluation as described in the previous section. For all threat models (with the exception of 1 threat model which uses settings from Croce & Hein (2021) and UAR attacks which use default settings from Kang et al ( 2019)), we use 20 iterations to find adversarial examples with step size /18. We train all models with batch size of 256 for 100 epochs and evaluate the model saved at the epoch which achieves highest robust accuracy on the test set.…”

Section: C2 Additional Evaluation Detailsmentioning

confidence: 99%

“…Learning rate drops to 0.01 after half of the training epochs and drops to 0.001 after 3/4 of the training epochs. For all evaluations, we use the same set of attacks as described in Apendix C.1, but for ∞ and 2 attacks, we use 10 step PGD to find adversarial examples (with step size /8), and for 1 attacks we use APGD (Croce & Hein, 2021). Training epoch experiments We train ResNet-18 models with batch size of 256 for 200 epochs and save a copy of the model every 5 epochs.…”

Section: G Experimental Setup For Adversarially Trained Modelsmentioning

confidence: 99%

See 2 more Smart Citations

Parameterizing Activation Functions for Adversarial Robustness

Dai

Mahloujifar

Mittal

2022

2022 IEEE Security and Privacy Workshops (SPW)

View full text Add to dashboard Cite

The bulk of existing research in defending against adversarial examples focuses on defending against a single (typically bounded p -norm) attack, but for a practical setting, machine learning (ML) models should be robust to a wide variety of attacks. In this paper, we present the first unified framework for considering multiple attacks against ML models. Our framework is able to model different levels of learner's knowledge about the test-time adversary, allowing us to model robustness against unforeseen attacks and robustness against unions of attacks. Using our framework, we present the first leaderboard, MultiRobustBench, for benchmarking multiattack evaluation which captures performance across attack types and attack strengths. We evaluate the performance of 16 defended models for robustness against a set of 9 different attack types, including p -based threat models, spatial transformations, and color changes, at 20 different attack strengths (180 attacks total). Additionally, we analyze the state of current defenses against multiple attacks. Our analysis shows that while existing defenses have made progress in terms of average robustness across the set of attacks used, robustness against the worst-case attack is still a big open problem as all existing models perform worse than random guessing.

show abstract

Section: C2 Additional Evaluation Detailsmentioning

confidence: 99%

Section: C2 Additional Evaluation Detailsmentioning

confidence: 99%

Section: G Experimental Setup For Adversarially Trained Modelsmentioning

confidence: 99%

See 1 more Smart Citation

Parameterizing Activation Functions for Adversarial Robustness

Dai

Mahloujifar

Mittal

2022

2022 IEEE Security and Privacy Workshops (SPW)

View full text Add to dashboard Cite

show abstract

“…Following the settings in DiffPure [24], we use a fixed subset of 512 randomly sampled images. We use a naturally pretrained WideResNet-28-10 [40] as an underlying classifier provided by Robustbench [7]. For diffusion models, we use pretrained DDPM++ [35].…”

Section: Experimental Settingsmentioning

confidence: 99%

Masking Adversarial Damage: Finding Adversarial Saliency for Robust and Sparse Network

Lee

Kim

2022

2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)

View full text Add to dashboard Cite

We question the current evaluation practice on diffusionbased purification methods. Diffusion-based purification methods aim to remove adversarial effects from an input data point at test time. The approach gains increasing attention as an alternative to adversarial training due to the disentangling between training and testing. Well-known white-box attacks are often employed to measure the robustness of the purification. However, it is unknown whether these attacks are the most effective for the diffusion-based purification since the attacks are often tailored for adversarial training. We analyze the current practices and provide a new guideline for measuring the robustness of purification methods against adversarial attacks. Based on our analysis, we further propose a new purification strategy showing competitive results against the state-of-the-art adversarial training approaches.

show abstract

“…For instance, patchbased adversarial attacks, which usually extend into the physical world, do not limit the intensity of perturbation but the range scope. Such as adversarial-Yolo (Thys et al, 2019), DPatch , AdvCam (Duan et al, 2020), Sparse-RS (Croce et al, 2022). To obtain more human harmonious adversarial examples with acceptable attack success rate in the digital world, Xiao et al (2018) proposed the stAdv to generate adversarial examples by spatial transform to modify each pixel's position in the whole image.…”

mentioning

confidence: 99%

DualFlow: Generating imperceptible adversarial examples by flow field and normalize flow-based model

Liu

Jin²,

Hu³

et al. 2023

Front. Neurorobot.

View full text Add to dashboard Cite

Recent adversarial attack research reveals the vulnerability of learning-based deep learning models (DNN) against well-designed perturbations. However, most existing attack methods have inherent limitations in image quality as they rely on a relatively loose noise budget, i.e., limit the perturbations by Lp-norm. Resulting that the perturbations generated by these methods can be easily detected by defense mechanisms and are easily perceptible to the human visual system (HVS). To circumvent the former problem, we propose a novel framework, called DualFlow, to craft adversarial examples by disturbing the image's latent representations with spatial transform techniques. In this way, we are able to fool classifiers with human imperceptible adversarial examples and step forward in exploring the existing DNN's fragility. For imperceptibility, we introduce the flow-based model and spatial transform strategy to ensure the calculated adversarial examples are perceptually distinguishable from the original clean images. Extensive experiments on three computer vision benchmark datasets (CIFAR-10, CIFAR-100 and ImageNet) indicate that our method can yield superior attack performance in most situations. Additionally, the visualization results and quantitative performance (in terms of six different metrics) show that the proposed method can generate more imperceptible adversarial examples than the existing imperceptible attack methods.

show abstract

Sparse-RS: A Versatile Framework for Query-Efficient Sparse Black-Box Adversarial Attacks

Cited by 50 publications

References 40 publications

Parameterizing Activation Functions for Adversarial Robustness

Parameterizing Activation Functions for Adversarial Robustness

Masking Adversarial Damage: Finding Adversarial Saliency for Robust and Sparse Network

DualFlow: Generating imperceptible adversarial examples by flow field and normalize flow-based model

Contact Info

Product

Resources

About