Evading Defenses to Transferable Adversarial Examples by Translation-Invariant Attacks

Dong, Yinpeng; Pang, Tianyu; Su, Hang; Zhu, Jun

doi:10.1109/cvpr.2019.00444

Cited by 543 publications

(499 citation statements)

References 19 publications

(56 reference statements)

Supporting

Mentioning

495

Contrasting

Order By: Relevance

“…As mentioned above, we have used three state-of-the-art ReID methods as victim models, attacked them with the proposed DR attack, and evaluated the performance drop on four different datasets. Moreover, we attacked the same victim models with two other state-of-the-art attack approaches, namely TI-FGSM and TI-DIM [56], [71]. We compared the effectiveness of our DR attack with these other attack methods as well.…”

Section: Experiments Results and Discussionmentioning

confidence: 99%

“…In one of the earlier works, Goodfellow et al [53] proposed fast gradient sign method (FGSM), which generates AEs in one step. Several works extended this by iteratively updating the AEs with multistep attacks including the basic iterative method (BIM) [10], deep fool [54], momentum iterative method [11], Diverse Inputs Method (DIM) [55] and Translation-Invariant (TI) attacks [56]. Compared with FGSM, the iterative methods generate a smaller perturbation, which makes the adversarial examples even more imperceptible to human eye.…”

Section: B Adversarial Attack Methodsmentioning

confidence: 99%

“…Translation-Invariant (TI) attack methods have been proposed by Dong et al [56] to further improve the transferability on white-box models. The authors notice the difference between the discriminative regions used by defenses to identify object categories and the normal trained models.…”

Section: ) Translation-invariant Attack Methodsmentioning

confidence: 99%

“…We follow the data preparation process described in [68], [69]. After pre-processing, we apply the TI-FGSM and TI-DIM attacks as described in [56], and detailed in the source code on Github page [71].…”

Section: Victim Reid Models and Implementation Details Of Attacksmentioning

confidence: 99%

“…Content may change prior to final publication. [51] 88.9 77.2 81.2 -TI-FGSM-DG [1], [53], [75] 51.2 31.9 48.3 32.1 TI-FGSM-AR [3], [53], [75] 58.7 29.4 49.5 30.8 TI-FGSM-OS [51], [53], [75] 55.9 32.1 51.2 -TI-DIM-DG [1], [55], [75] 45. 4 14.2 32.7 25.4 TI-DIM-AR [3], [55], [75] 44.9 16.5 29.4 22.6 TI-DIM-OS [51], [55], [75] 47…”

Section: A Datasetsmentioning

confidence: 99%

See 4 more Smart Citations

An Effective Adversarial Attack on Person Re-Identification in Video Surveillance via Dispersion Reduction

Zheng

Velipasalar

2020

IEEE Access

View full text Add to dashboard Cite

Person re-identification across a network of cameras, with disjoint views, has been studied extensively due to its importance in wide-area video surveillance. This is a challenging task due to several reasons including changes in illumination and target appearance, and variations in camera viewpoint and camera intrinsic parameters. The approaches developed to re-identify a person across different camera views need to address these challenges. More recently, neural network-based methods have been proposed to solve the person re-identification problem across different camera views, achieving state-of-the-art performance. In this paper, we present an effective and generalizable attack model that generates adversarial images of people, and results in very significant drop in the performance of the existing state-of-the-art person reidentification models. The results demonstrate the extreme vulnerability of the existing models to adversarial examples, and draw attention to the potential security risks that might arise due to this in video surveillance. Our proposed attack is developed by decreasing the dispersion of the internal feature map of a neural network to degrade the performance of several different state-of-the-art person re-identification models. We also compare our proposed attack with other state-of-the-art attack models on different person reidentification approaches, and by using four different commonly used benchmark datasets. The experimental results show that our proposed attack outperforms the state-of-art attack models on the best performing person re-identification approaches by a large margin, and results in the most drop in the mean average precision values.

show abstract

Section: Experiments Results and Discussionmentioning

confidence: 99%

Section: B Adversarial Attack Methodsmentioning

confidence: 99%

Section: ) Translation-invariant Attack Methodsmentioning

confidence: 99%

Section: Victim Reid Models and Implementation Details Of Attacksmentioning

confidence: 99%

Section: A Datasetsmentioning

confidence: 99%

See 3 more Smart Citations

An Effective Adversarial Attack on Person Re-Identification in Video Surveillance via Dispersion Reduction

Zheng

Velipasalar

2020

IEEE Access

View full text Add to dashboard Cite

show abstract

An efficient framework for generating robust adversarial examples

et al. 2020

View full text Add to dashboard Cite

ELAA: An efficient local adversarial attack using model interpreters

Guo

Geng

Xiang

et al. 2021

Int J of Intelligent Sys

View full text Add to dashboard Cite

Modern deep neural networks are highly vulnerable to adversarial examples, which attracts more and more researchers' attention to craft powerful adversarial examples. Most of these generation algorithms create global perturbations that would affect the visual quality of adversarial examples. To mitigate such drawbacks, some attacks attempt to generate local perturbations. However, existing local adversarial attacks are time‐consuming and the generated adversarial examples are still distinguishable from clean images. In this paper, we propose a novel efficient local adversarial attack (ELAA) using model interpreters to generate severe local perturbations and improve the imperceptibly of the generated adversarial examples. Specifically, we take advantage of model interpretation methods to search the discriminative regions of clean images. Then, we generate local adversarial examples by adding masks to original clean images. We also propose a new optimization method to reduce the redundancy of local perturbations. Through extensive experiments, we show our ELAA can maintain a high attack ability while preserving the visual quality of clean images. Experimental results also demonstrate our local attack outperforms state‐of‐the‐art local attack methods under various system settings.

show abstract

Evading Defenses to Transferable Adversarial Examples by Translation-Invariant Attacks

Cited by 543 publications

References 19 publications

An Effective Adversarial Attack on Person Re-Identification in Video Surveillance via Dispersion Reduction

An Effective Adversarial Attack on Person Re-Identification in Video Surveillance via Dispersion Reduction

An efficient framework for generating robust adversarial examples

ELAA: An efficient local adversarial attack using model interpreters

Contact Info

Product

Resources

About