Introducing Competition to Boost the Transferability of Targeted Adversarial Examples through Clean Feature Mixup
Deep neural networks are widely known to be susceptible to adversarial
examples, which can cause incorrect predictions through subtle input
modifications. These adversarial examples tend to be transferable between
models, but targeted attacks still have lower attack success rates due to
significant variations in decision boundaries. To enhance the transferability
of targeted adversarial examples, we propose introducing competition into the
optimization process. Our idea is to craft adversarial perturbations in the
presence of two new types of competitor noises: adversarial perturbations
towards different target classes and friendly perturbations towards the correct
class. With these competitors, even if an adversarial example deceives a
network into extracting specific features that lead to the target class, this
disturbance can be suppressed by the other competitors. Within this
competition, adversarial examples must therefore adopt different attack
strategies, leveraging more diverse features to overwhelm the interference,
which improves their transferability across models. To limit the
computational cost, we efficiently simulate the interference from these two
types of competitors in feature space by randomly mixing up clean features
stored during model inference; we name this method Clean Feature Mixup
(CFM). Our extensive experimental results on the ImageNet-Compatible and
CIFAR-10 datasets show that the proposed method outperforms the existing
baselines by a clear margin. Our code is available at
https://github.com/dreamflake/CFM.

Comment: CVPR 2023 camera-ready
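The clean-feature mixing idea described in the abstract can be sketched as follows. This is a minimal NumPy illustration, not the paper's implementation: the function name, the channel-wise uniform mixing ratio, and the `alpha_max` hyperparameter are all illustrative assumptions.

```python
import numpy as np

def clean_feature_mixup(adv_feats, clean_feats, alpha_max=0.1, rng=None):
    """Sketch of CFM-style mixing: each adversarial feature map is
    linearly interpolated with a randomly chosen stored clean feature.
    Mixing ratios are drawn uniformly from [0, alpha_max] per sample
    (an illustrative choice, not the paper's exact scheme)."""
    rng = np.random.default_rng() if rng is None else rng
    b = adv_feats.shape[0]
    # Pair each adversarial feature with a random stored clean feature.
    perm = rng.permutation(clean_feats.shape[0])[:b]
    # One ratio per sample, broadcast over the remaining feature dims.
    alpha = rng.uniform(0.0, alpha_max, size=(b,) + (1,) * (adv_feats.ndim - 1))
    return (1.0 - alpha) * adv_feats + alpha * clean_feats[perm]
```

In practice this mixing would be applied inside the network's intermediate layers during the attack's forward passes, so that the adversarial perturbation must remain effective under randomized feature-level interference.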
Improving Adversarial Transferability by Intermediate-level Perturbation Decay
Intermediate-level attacks, which attempt to drastically perturb feature
representations along an adversarial direction, have shown favorable
performance in crafting transferable adversarial examples. Existing methods in
this category are normally formulated in two separate stages: a directional
guide is determined first, and the scalar projection of the intermediate-level
perturbation onto this guide is then enlarged. The obtained perturbation
inevitably deviates from the guide in the feature space, and this paper
reveals that such a deviation may lead to sub-optimal attacks. To address
this issue, we develop a novel
intermediate-level method that crafts adversarial examples within a single
stage of optimization. In particular, the proposed method, named
intermediate-level perturbation decay (ILPD), encourages the intermediate-level
perturbation to be in an effective adversarial direction and to possess a great
magnitude simultaneously. In-depth discussion verifies the effectiveness of our
method. Experimental results show that it outperforms state-of-the-art
methods by large margins in attacking various victim models on ImageNet
(+10.07% on average) and CIFAR-10 (+3.88% on average). Our code is at
https://github.com/qizhangli/ILPD-attack.

Comment: Revision of ICML '23 submission for better clarity
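The scalar projection that two-stage intermediate-level attacks enlarge, and that ILPD folds into a single optimization stage, is a simple quantity. The sketch below is illustrative only; the function name and the flattened-vector representation are assumptions, not the paper's code.

```python
import numpy as np

def scalar_projection(delta, guide):
    """Scalar projection of the intermediate-level feature perturbation
    `delta` onto the directional guide `guide` (both treated as flattened
    feature vectors): (delta . guide) / ||guide||. Two-stage attacks
    maximize this quantity after fixing the guide; any component of
    `delta` orthogonal to `guide` is the 'deviation' the paper analyzes."""
    g = guide.ravel()
    return float(delta.ravel() @ g / np.linalg.norm(g))
```

The deviation discussed in the abstract is then `delta - (scalar_projection / ||guide||) * guide`, i.e. the part of the perturbation the projection objective leaves uncontrolled.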
Reliable and structural deep neural networks
Deep neural networks have recently dominated a wide range of computer vision research. However, recent studies have shown that they are sensitive to adversarial perturbations. These limitations raise reliability concerns in real-world applications and demonstrate that the computational behavior of deep networks differs from that of humans. In this dissertation, we investigate the characteristics of deep neural networks. The first part proposes an effective defense method against adversarial examples: an ensemble generative network with feedback loops that uses feature-level denoising modules to improve the defense capability against adversarial examples. We then discuss the vulnerability of deep neural networks, exploring a consistency- and sensitivity-guided attack method in a low-dimensional space that can effectively generate adversarial examples, even in a black-box manner. The proposed approach shows that these adversarial examples are transferable across different networks and universal within deep networks. The last part of this dissertation rethinks the structure and behavior of deep neural networks. Rather than enhancing defense methods against attacks, we take a further step toward a new neural network structure that provides a dynamic link between the feature-map representation and its graph-based structural representation. In addition, we introduce a new feature interaction method based on the vision transformer. The new structure learns to dynamically select the most discriminative features and helps deep networks improve their generalization ability.

Includes bibliographical references
Attacking Visual Language Grounding with Adversarial Examples: A Case Study on Neural Image Captioning
Visual language grounding is widely studied in modern neural image captioning
systems, which typically adopt an encoder-decoder framework consisting of two
principal components: a convolutional neural network (CNN) for image feature
extraction and a recurrent neural network (RNN) for language caption
generation. To study the robustness of language grounding to adversarial
perturbations in machine vision and perception, we propose Show-and-Fool, a
novel algorithm for crafting adversarial examples in neural image captioning.
The proposed algorithm provides two evaluation approaches, which check whether
neural image captioning systems can be misled into outputting randomly chosen
captions or keywords. Our extensive experiments show that our algorithm can
successfully craft visually-similar adversarial examples with randomly targeted
captions or keywords, and the adversarial examples can be made highly
transferable to other image captioning systems. Consequently, our approach
leads to new robustness implications of neural image captioning and novel
insights in visual language grounding.

Comment: Accepted by the 56th Annual Meeting of the Association for Computational Linguistics (ACL 2018). Hongge Chen and Huan Zhang contribute equally to this work
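A targeted captioning attack of the kind the abstract describes needs a loss that pulls the decoder's output toward a chosen caption. The sketch below is a generic CW-style hinge over per-step logits, given as an assumption for illustration; the exact losses used by Show-and-Fool differ in detail.

```python
import numpy as np

def targeted_caption_loss(logits, target_ids, kappa=0.0):
    """Illustrative targeted-caption loss: at each decoding step t, push
    the logit of the target token above the best competing token by a
    margin kappa (a CW-style hinge; not the paper's exact formulation).
    `logits` has shape (T, V); `target_ids` lists the target caption's
    token index at each of the T steps."""
    loss = 0.0
    for t, tgt in enumerate(target_ids):
        others = np.delete(logits[t], tgt)          # logits of all non-target tokens
        loss += max(others.max() - logits[t][tgt] + kappa, 0.0)
    return loss
```

When this loss reaches zero, greedy decoding emits the target caption; an attacker would minimize it over an image perturbation subject to a visual-similarity constraint.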