This paper introduces stochastic sparse adversarial attacks (SSAA), simple, fast and purely noise-based targeted and untargeted $L_0$ attacks of neural network classifiers (NNC). SSAA are devised by exploiting a simple small-time expansion idea widely used for Markov processes and offer new examples of $L_0$ attacks whose studies have been limited. They are designed to solve the known scalability issue of the family of Jacobian-based saliency maps attacks to large datasets and they succeed in solving it. Experiments on small and large datasets (CIFAR-10 and ImageNet) illustrate further advantages of SSAA in comparison with the-state-of-the-art methods. For instance, in the untargeted case, our method called Voting Folded Gaussian Attack (VFGA) scales efficiently to ImageNet and achieves a significantly lower $L_0$ score than SparseFool (up to $\frac{2}{5}$ lower) while being faster. Moreover, VFGA achieves better $L_0$ scores on ImageNet than Sparse-RS when both attacks are fully successful on a large number of samples. Codes are publicly available through the link https://github.com/SSAA3/stochastic-sparse-adv-attacks
翻译:本文介绍了简单、快速和纯粹的以噪音为对象和不针对目标的神经网络分类器(NNC)攻击(SSAA)的简单零星的对抗性攻击(SSAA)、简单、快速和纯粹的以噪音为对象和无目标的以0.0美元为对象的攻击(SSAA)。 SSAA的设计方法是利用一个在Markov工艺中广泛使用的简单小时间扩大概念,并提供了研究范围有限的以0.0美元为单位的攻击新例子,目的是解决已知的以Jacobian为基地的突出地图攻击家庭对大型数据集的可缩放性问题,并成功地解决了这些攻击。此外,对小型和大型数据集(CIFAR-10和图像网)的实验(CIFAR-10和图像网)显示了SSAA在与艺术状态方法相比的进一步优势。例如,在非目标情况下,我们称为FGO Fold Gaussian攻击(VFGA) 规模的投票方法,其价值大大低于SARFO(最高值为$_0美元),同时在图像网络上比SMA-SAA/SAAsqual compeal 之间的大代码中,它们都是成功的。
相关内容
微信扫码咨询专知VIP会员