Sparse and Imperceivable Adversarial Attacks

Croce, Francesco; Hein, Matthias

doi:10.1109/iccv.2019.00482

Cited by 200 publications

(253 citation statements)

References 19 publications

Supporting

Mentioning

211

Contrasting

Order By: Relevance

“…CornerSearch [36] proposes a black-box attack based on finding an adversarial example with respect to the l 0 norm. Abandoning norm based constraints completely, Patch Attack [37] replaces a certain area of the image with an adversarial patch.…”

Section: B Black-box Attack Categorizationmentioning

confidence: 99%

“…We cover three non-traditional norm attacks in this section. The first attack we summarize is the sparse and imperceivable attack [36] which focuses on black-box attacks with respect to the l 0 norm. The second non-traditional norm attack we survey is Patch Attack [37].…”

Section: Non-traditional Norm Attacksmentioning

confidence: 99%

“…The Sparse and Imperceivable attacks proposed in [36] are l 0 , black-box attacks that produce adversarial inputs while minimizing the number of perturbed pixels. The attacks come in multiple forms, but the general goal and scheme remains the same.…”

Section: A Sparse and Imperceivable Attackmentioning

confidence: 99%

“…Score based Attacks qMeta [24] wc = 1, wq = 0, wϵ = 0 P-RGF [25] wc = 1, wq = 0, wϵ = 1 ZO-ADMM [26] wc = 1, wq = 0, wϵ = 0 TREMBA [27] wc = 1, wq = 0, wϵ = 1 Square [28] wc = 1, wq = 0, wϵ = 1 ZO-NGD [26] wc = 1, wq = 0, wϵ = 1 PPBA [30] wc = 1, wq = 0, wϵ = 1 Decision based Attacks qFool [31] wc = 0, wq = 1, wϵ = 0 HSJA [10] wc = 1, wq = 1, wϵ = 0 GeoDA [32] wc = 0, wq = 1, wϵ = 0 QEBA [33] wc = 1, wq = 1, wϵ = 1 RayS [34] wc = 1, wq = 0, wϵ = 1 SurFree [12] wc = 1, wq = 1, wϵ = 1 NonLinear-BA [35] wc = 1, wq = 0, wϵ = 0 Transfer based Attacks Adaptive [22] wc = 1, wq = 0, wϵ = 1 DaST [9] wc = 1, wq = 0, wϵ = 1 PO-TI [23] wc = 1, wq = 0, wϵ = 1 Non-traditional Attacks CornerSearch [36] wc = 1, wq = 0, wϵ = 0 ColorFool [38] wc = 1, wq = 0, wϵ = 0 Patch [37] wc = 1, wq = 0, wϵ = 0 scenario. Likewise, for black-box transfer attacks using our framework can also yield insights.…”

Section: Attack Success Rate Analysismentioning

confidence: 99%

See 3 more Smart Citations

Back in Black: A Comparative Evaluation of Recent State-Of-The-Art Black-Box Attacks

Mahmood

Rathbun

et al. 2022

IEEE Access

View full text Add to dashboard Cite

The field of adversarial machine learning has experienced a near exponential growth in the amount of papers being produced since 2018. This massive information output has yet to be properly processed and categorized. In this paper, we seek to help alleviate this problem by systematizing the recent advances in adversarial machine learning black-box attacks since 2019. Our survey summarizes and categorizes 20 recent black-box attacks. We also present a new analysis for understanding the attack success rate with respect to the adversarial model used in each paper. Overall, our paper surveys a wide body of literature to highlight recent attack developments and organizes them into four attack categories: score based attacks, decision based attacks, transfer attacks and non-traditional attacks. Further, we provide a new mathematical framework to show exactly how attack results can fairly be compared. INDEX TERMSAdversarial machine learning, adversarial examples, adversarial defense, black-box attack, security, deep learning. Score based Attacks Attack Name Date Author qMeta 6-Jun-19 Du et al. [24] P-RGF 17-Jun-19 Cheng et al. [25] ZO-ADMM 26-Jul-19 Zhao et al. [26] TREMBA 17-Nov-19 Huang et al. [27] Square 29-Nov-19 Andriushchenko et al. [28] ZO-NGD 18-Feb-20 Zhao et al. [29] PPBA 8-May-20 Liu et al. [30] Decision based Attacks Attack Name Date Author qFool 26-Mar-19 Liu et al. [31] HSJA 3-Apr-19 Chen et al. [10] GeoDA 13-Mar-20 Rahmati et al. [32] QEBA 28-May-20 Li et al. [33] RayS 23-Jun-20 Chen et al. [34] SurFree 25-Nov-20 Maho et al. [12] NonLinear-BA 25-Feb-21 Li et al. [35] Transfer based Attacks Attack Name Date Author Adaptive 3-Oct-19 Mahmood et al. [22] DaST 28-Mar-20 Zhou et al. [9] PO-TI 13-Jun-20 Li et al. [23] Non-traditional Attacks Attack Name Date Author CornerSearch 11-Sep-19 Croce et al. [36] ColorFool 25-Nov-19 Shamsabadi et al. [38] Patch 12-Apr-20 Yang et al. [37]

show abstract

Section: B Black-box Attack Categorizationmentioning

confidence: 99%

Section: Non-traditional Norm Attacksmentioning

confidence: 99%

Section: A Sparse and Imperceivable Attackmentioning

confidence: 99%

Section: Attack Success Rate Analysismentioning

confidence: 99%

See 2 more Smart Citations

Back in Black: A Comparative Evaluation of Recent State-Of-The-Art Black-Box Attacks

Mahmood

Rathbun

et al. 2022

IEEE Access

View full text Add to dashboard Cite

show abstract

“…They were initially shown to be effective in causing classification errors throughout different machine learning models [5,6,7]. Following this, a lot of effort has been put into generating increasingly more complex attack models that can utilize a small amount of semantic-preserving modifications, while still being able to fool a classifier [8,9,10]. Typically, this is done by constraining the perturbations with an p -norm, where the most common settings use either ∞ [11,12,9,8,13,14,15], 2 [16,9,17,18,19], or 1 [20,21].…”

Section: Introductionmentioning

confidence: 99%

Efficient and Robust Classification for Sparse Attacks

Beliaev¹,

Delgosha²,

Hassani³

et al. 2022

Preprint

View full text Add to dashboard Cite

In the past two decades we have seen the popularity of neural networks increase in conjunction with their classification accuracy. Parallel to this, we have also witnessed how fragile the very same prediction models are: tiny perturbations to the inputs can cause misclassification errors throughout entire datasets. In this paper, we consider perturbations bounded by the 0 -norm, which have been shown as effective attacks in the domains of image-recognition, natural language processing, and malware-detection. To this end, we propose a novel defense method that consists of "truncation" and "adversarial training". We then theoretically study the Gaussian mixture setting and prove the asymptotic optimality of our proposed classifier. Motivated by the insights we obtain, we extend these components to neural network classifiers. We conduct numerical experiments in the domain of computer vision using the MNIST and CIFAR datasets, demonstrating significant improvement for the robust classification error of neural networks.

show abstract