Procedural Noise Adversarial Examples for Black-Box Attacks on Deep Convolutional Networks
Deep Convolutional Networks (DCNs) have been shown to be vulnerable to
adversarial examples, perturbed inputs specifically designed to produce
intentional errors in the learning algorithms at test time. Existing
input-agnostic adversarial perturbations exhibit interesting visual patterns
that are currently unexplained. In this paper, we introduce a structured
approach for generating Universal Adversarial Perturbations (UAPs) with
procedural noise functions. Our approach unveils the systemic vulnerability of
popular DCN models like Inception v3 and YOLO v3, with single noise patterns
able to fool a model on up to 90% of the dataset. Procedural noise allows us to
generate a distribution of UAPs with high universal evasion rates using only a
few parameters. Additionally, we propose Bayesian optimization to efficiently
learn procedural noise parameters to construct inexpensive untargeted black-box
attacks. We demonstrate that it can achieve an average of less than 10 queries
per successful attack, a 100-fold improvement on existing methods. We further
motivate the use of input-agnostic defences to increase the stability of models
to adversarial perturbations. The universality of our attacks suggests that DCN
models may be sensitive to aggregations of low-level class-agnostic features.
These findings give insight on the nature of some universal adversarial
perturbations and how they could be generated in other applications.
Comment: 16 pages, 10 figures. In Proceedings of the 2019 ACM SIGSAC
Conference on Computer and Communications Security (CCS '19)

Adaptive and Safe Bayesian Optimization in High Dimensions via One-Dimensional Subspaces
Bayesian optimization is known to be difficult to scale to high dimensions,
because the acquisition step requires solving a non-convex optimization problem
in the same search space. In order to scale the method and keep its benefits,
we propose an algorithm (LineBO) that restricts the problem to a sequence of
iteratively chosen one-dimensional sub-problems that can be solved efficiently.
We show that our algorithm converges globally and obtains a fast local rate
when the function is strongly convex. Further, if the objective has an
invariant subspace, our method automatically adapts to the effective dimension
without changing the algorithm. When combined with the SafeOpt algorithm to
solve the sub-problems, we obtain the first safe Bayesian optimization
algorithm with theoretical guarantees applicable in high-dimensional settings.
We evaluate our method on multiple synthetic benchmarks, where we obtain
competitive performance. Further, we deploy our algorithm to optimize the beam
intensity of the Swiss Free Electron Laser with up to 40 parameters while
satisfying safe operation constraints.