Constructing adversarial perturbations for deep neural networks is an important direction of research. Crafting image-dependent adversarial perturbations using white-box feedback has hitherto been the norm for such adversarial attacks. However, black-box attacks are much more practical for real-world applications. Universal perturbations applicable across multiple images are gaining popularity due to their innate generalizability. There have also been efforts to restrict the perturbations to a few pixels in the image. This helps to retain visual similarity with the original images making such attacks hard to detect. This paper marks an important step which combines all these directions of research. We propose the DEceit algorithm for constructing effective universal pixel-restricted perturbations using only black-box feedback from the target network. We conduct empirical investigations using the ImageNet validation set on the state-of-the-art deep neural classifiers by varying the number of pixels to be perturbed from a meagre 10 pixels to as high as all pixels in the image. We find that perturbing only about 10% of the pixels in an image using DEceit achieves a commendable and highly transferable Fooling Rate while retaining the visual quality. We further demonstrate that DEceit can be successfully applied to image dependent attacks as well. In both sets of experiments, we outperformed several state-of-the-art methods.
翻译:构建深神经网络的对立扰动是一个重要的研究方向。 使用白色框反馈进行基于图像的对立反扰动迄今一直是这种对抗性攻击的规范。 但是, 黑盒袭击对于现实应用来说更加实用。 多图像的通用扰动因其本质上的可概括性而越来越受欢迎。 还努力将扰动限制在图像中的一些像素上。 这有助于保持与原始图像的视觉相似性, 使得这类袭击难以检测。 本文标志着将所有这些研究方向结合起来的重要一步。 我们建议使用 Descepit 算法来构建有效的通用像素限制的对调动。 我们使用目标网络的黑盒反馈来进行实证性调查。 我们使用最先进的深神经分级图像的图像网络验证器进行实证性调查, 将微小的10 像素数量与图像中所有像素一样难检测。 我们发现, 只能将所有这些研究方向结合起来。 我们只能使用 Depurberber 算出10 % 的图像质量, 而我们只能使用高可转让的图像率来成功展示。