Towards Transferable Adversarial Attacks with Centralized Perturbation

Wu, Shangbo; Tan, Yu-an; Wang, Yajie; Ma, Ruinan; Ma, Wencong; Li, Yuanzhang

doi:10.1609/aaai.v38i6.28427

AAAI

2024

DOI: 10.1609/aaai.v38i6.28427

|View full text |Cite

Towards Transferable Adversarial Attacks with Centralized Perturbation

Shangbo Wu,

Yu-an Tan,

Yajie Wang

et al.

Abstract: Adversarial transferability enables black-box attacks on unknown victim deep neural networks (DNNs), rendering attacks viable in real-world scenarios. Current transferable attacks create adversarial perturbation over the entire image, resulting in excessive noise that overfit the source model. Concentrating perturbation to dominant image regions that are model-agnostic is crucial to improving adversarial efficacy. However, limiting perturbation to local regions in the spatial domain proves inadequate in augmen… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...

Citation Types

Supporting

Mentioning

Contrasting

Year Published

2024

Publication Types

Select...

Article3

Relationship

Self Cite0

Independent3

Authors

Journals

Cited by 3 publications

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

Boosting the transferability of adversarial attacks with global momentum initialization

Wang,

Chen,

Jiang

et al. 2024

Expert Systems with Applications

View full text Add to dashboard Cite

Boosting the transferability of adversarial attacks with global momentum initialization

Wang,

Chen,

Jiang

et al. 2024

Expert Systems with Applications

View full text Add to dashboard Cite

D-BADGE: Decision-Based Adversarial Batch Attack With Directional Gradient Estimation

Yu,

Jeon,

Hwang

2024

IEEE Access

View full text Add to dashboard Cite

The susceptibility of deep neural networks (DNNs) to adversarial examples has prompted an increase in the deployment of adversarial attacks. Image-agnostic universal adversarial perturbations (UAPs) are much more threatening, but many limitations exist to implementing UAPs in real-world scenarios where only binary decisions are returned. In this research, we propose D-BADGE, a novel method to craft universal adversarial perturbations for executing decision-To primarily optimize perturbation by focusing on decisions, we consider the direction of these updates as the primary factor and the magnitude of updates as the secondary factor. First, we employ Hamming loss that measures the distance from distributions of ground truth and accumulating decisions in batches to determine the magnitude of the gradient. This magnitude is applied in the direction of the revised simultaneous perturbation stochastic approximation (SPSA) to update the perturbation. This simple yet efficient decision-based method functions similarly to a score-based attack, enabling the generation of UAPs in real-world scenarios, and can be easily extended to targeted attacks. Experimental validation across multiple victim models demonstrates that the D-BADGE outperforms existing attack methods, even image-specific and score-based attacks. In particular, our proposed method shows a superior attack success rate with less training time. The research also shows that D-BADGE can successfully deceive unseen victim models and accurately target specific classes.INDEX TERMS Deep neural networks, universal decision-based adversarial attack, image classification, representation learning, vulnerability, zeroth-order optimization.

show abstract

FFA: Foreground Feature Approximation Digitally against Remote Sensing Object Detection

Zhu,

Ma,

et al. 2024

Remote Sensing

View full text Add to dashboard Cite

In recent years, research on adversarial attack techniques for remote sensing object detection (RSOD) has made great progress. Still, most of the research nowadays is on end-to-end attacks, which mainly design adversarial perturbations based on the prediction information of the object detectors (ODs) to achieve the attack. These methods do not discover the common vulnerabilities of the ODs and, thus, the transferability is weak. Based on this, this paper proposes a foreground feature approximation (FFA) method to generate adversarial examples (AEs) that discover the common vulnerabilities of the ODs by changing the feature information carried by the image itself to implement the attack. Specifically, firstly, the high-quality predictions are filtered as attacked objects using the detector, after which a hybrid image without any target is made, and the hybrid foreground is created based on the attacked targets. The images’ shallow features are extracted using the backbone network, and the features of the input foreground are approximated towards the hybrid foreground to implement the attack. In contrast, the model predictions are used to assist in realizing the attack. In addition, we have found the effectiveness of FFA for targeted attacks, and replacing the hybrid foreground with the targeted foreground can realize targeted attacks. Extensive experiments are conducted on the remote sensing target detection datasets DOTA and UCAS-AOD with seven rotating target detectors. The results show that the mAP of FFA under the IoU threshold of 0.5 untargeted attack is 3.4% lower than that of the advanced method, and the mAP of FFA under targeted attack is 1.9% lower than that of the advanced process.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Towards Transferable Adversarial Attacks with Centralized Perturbation

Cited by 3 publications

References 9 publications

Boosting the transferability of adversarial attacks with global momentum initialization

Boosting the transferability of adversarial attacks with global momentum initialization

D-BADGE: Decision-Based Adversarial Batch Attack With Directional Gradient Estimation

FFA: Foreground Feature Approximation Digitally against Remote Sensing Object Detection

Contact Info

Product

Resources

About