An ADMM-Based Universal Framework for Adversarial Attacks on Deep Neural Networks

Zhao, Pu; Liu, Sijia; Wang, Yanzhi; Lin, Xue

doi:10.1145/3240508.3240639

Cited by 25 publications

(18 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…SparseFool [27] converts the 0 constraint problem into an 1 constraint problem and exploits the boundaries' low mean curvature to compute adversarial perturbations. ADMM 0 [44] utilizes the alternating direction method of multipliers method [42] to separate the 0 norm and the adversarial loss and facilitate the optimization of the sparse attack. SAPF [14] formulates the sparse attack problem as a mixed integer programming to jointly optimize the binary selection factors and continuous perturbation magnitudes of all pixels, with a cardinality constraint on selection factors to explicitly control the degree of sparsity.…”

Section: Related Workmentioning

confidence: 99%

Transferable Sparse Adversarial Attack

He,

Wang,

Dong

et al. 2021

Preprint

View full text Add to dashboard Cite

Deep neural networks have shown their vulnerability to adversarial attacks. In this paper, we focus on sparse adversarial attack based on the 0 norm constraint, which can succeed by only modifying a few pixels of an image. Despite a high attack success rate, prior sparse attack methods achieve a low transferability under the black-box protocol due to overfitting the target model. Therefore, we introduce a generator architecture to alleviate the overfitting issue and thus efficiently craft transferable sparse adversarial examples. Specifically, the generator decouples the sparse perturbation into amplitude and position components. We carefully design a random quantization operator to optimize these two components jointly in an end-to-end way. The experiment shows that our method has improved the transferability by a large margin under a similar sparsity setting compared with state-of-the-art methods. Moreover, our method achieves superior inference speed, 700× faster than other optimization-based methods. The code is available at https://github.com/shaguopohuaizhe/TSAA.

show abstract

Section: Related Workmentioning

confidence: 99%

Transferable Sparse Adversarial Attack

He,

Wang,

Dong

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…[44] also proposes a framework based on ADMM to generate ℓ p adversarial examples. However, we note that our proposed attack is completely different from theirs in two aspects: First, the constraints we consider in this paper are much more complicated than the ℓ p -norm constraints in [44]. Second, we formulate the problem in a very different manner.…”

Section: Adversarial Attacksmentioning

confidence: 99%

Towards Understanding the Adversarial Vulnerability of Skeleton-based Action Recognition

Zheng,

Liu,

Chen

et al. 2020

Preprint

View full text Add to dashboard Cite

Skeleton-based action recognition has attracted increasing attention due to its potentially broad applications such as autonomous and anonymous surveillance. With the help of deep learning techniques, it has also witnessed substantial progress and achieved excellent accuracy in non-adversarial environments. However, in practice, potential adversaries might easily deceive an action recognition model by performing actions with imperceptible perturbations. Deploying such a model without understanding its adversarial vulnerability might lead to severe consequences, e.g., recognizing a violent action as a normal one. Despite these security concerns, research on the vulnerability of skeleton-based action recognition remains scant, partly due to the challenges caused by the unique nature of human skeletons and actions. Specifically, we argue that for imperceptible and reproducible adversarial skeleton actions: 1) the bone lengths should be maintained roughly the same as the original bone lengths; 2) the changes of joint angles should be small; 3) the adversarial motion speeds should be restricted. These unique constraints hinder direct applications of existing attack methods to adversarial skeleton actions.In this paper, we conduct a thorough study towards understanding the adversarial vulnerability of skeleton-based action recognition. We first formulate the generation of adversarial skeleton actions as a constrained optimization problem by representing or approximating the constraints with mathematical equations. To deal with the intractable primal optimization problem with equality constraints, we propose to optimize its unconstrained dual problem using ADMM. We further design an efficient plug-in defense, inspired by recent theories and empirical observations, against adversarial skeleton actions. Extensive evaluations demonstrate the effectiveness of our attack and defense, and reveal the properties of adversarial skeleton actions. * The only parallel work is detailed in section 2.3.

show abstract

“…This work mainly investigates the first category to build the groundwork towards developing potential defensive measures in reliable ML. However, most of preliminary studies on this topic focus on the white-box setting where the target DNN model is completely available to the attacker (Goodfellow, Shlens, and Szegedy 2015;Carlini and Wagner 2017;Zhao et al 2018). More specifically, the adversary can compute the gradients of the output with respect to the input to identify the effect of perturbing certain input pixels, with complete knowledge about the DNN model's internal structure, parameters and configurations.…”

Section: Introductionmentioning

confidence: 99%

Towards Query-Efficient Black-Box Adversary with Zeroth-Order Natural Gradient Descent

Zhao

Chen²,

Wang

et al. 2020

AAAI

Self Cite

View full text Add to dashboard Cite

Despite the great achievements of the modern deep neural networks (DNNs), the vulnerability/robustness of state-of-the-art DNNs raises security concerns in many application domains requiring high reliability. Various adversarial attacks are proposed to sabotage the learning performance of DNN models. Among those, the black-box adversarial attack methods have received special attentions owing to their practicality and simplicity. Black-box attacks usually prefer less queries in order to maintain stealthy and low costs. However, most of the current black-box attack methods adopt the first-order gradient descent method, which may come with certain deficiencies such as relatively slow convergence and high sensitivity to hyper-parameter settings. In this paper, we propose a zeroth-order natural gradient descent (ZO-NGD) method to design the adversarial attacks, which incorporates the zeroth-order gradient estimation technique catering to the black-box attack scenario and the second-order natural gradient descent to achieve higher query efficiency. The empirical evaluations on image classification datasets demonstrate that ZO-NGD can obtain significantly lower model query complexities compared with state-of-the-art attack methods.

show abstract

An ADMM-Based Universal Framework for Adversarial Attacks on Deep Neural Networks

Cited by 25 publications

References 27 publications

Transferable Sparse Adversarial Attack

Transferable Sparse Adversarial Attack

Towards Understanding the Adversarial Vulnerability of Skeleton-based Action Recognition

Towards Query-Efficient Black-Box Adversary with Zeroth-Order Natural Gradient Descent

Contact Info

Product

Resources

About