Data-free Universal Adversarial Perturbation and Black-box Attack

2021 IEEE/CVF International Conference on Computer Vision (ICCV) Pub Date : 2021-10-01 DOI:10.1109/ICCV48922.2021.00777

Chaoning Zhang, Philipp Benz, Adil Karjauv, In-So Kweon

{"title":"Data-free Universal Adversarial Perturbation and Black-box Attack","authors":"Chaoning Zhang, Philipp Benz, Adil Karjauv, In-So Kweon","doi":"10.1109/ICCV48922.2021.00777","DOIUrl":null,"url":null,"abstract":"Universal adversarial perturbation (UAP), i.e. a single perturbation to fool the network for most images, is widely recognized as a more practical attack because the UAP can be generated beforehand and applied directly during the at-tack stage. One intriguing phenomenon regarding untargeted UAP is that most images are misclassified to a dominant label. This phenomenon has been reported in previous works while lacking a justified explanation, for which our work attempts to provide an alternative explanation. For a more practical universal attack, our investigation of untargeted UAP focuses on alleviating the dependence on the original training samples, from removing the need for sample labels to limiting the sample size. Towards strictly data-free untargeted UAP, our work proposes to exploit artificial Jigsaw images as the training samples, demonstrating competitive performance. We further investigate the possibility of exploiting the UAP for a data-free black-box attack which is arguably the most practical yet challenging threat model. We demonstrate that there exists optimization-free repetitive patterns which can successfully attack deep models. Code is available at https://bit.ly/3y0ZTIC.","PeriodicalId":6820,"journal":{"name":"2021 IEEE/CVF International Conference on Computer Vision (ICCV)","volume":"1 1","pages":"7848-7857"},"PeriodicalIF":0.0000,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"26","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 IEEE/CVF International Conference on Computer Vision (ICCV)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICCV48922.2021.00777","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 26

Abstract

Universal adversarial perturbation (UAP), i.e. a single perturbation to fool the network for most images, is widely recognized as a more practical attack because the UAP can be generated beforehand and applied directly during the at-tack stage. One intriguing phenomenon regarding untargeted UAP is that most images are misclassified to a dominant label. This phenomenon has been reported in previous works while lacking a justified explanation, for which our work attempts to provide an alternative explanation. For a more practical universal attack, our investigation of untargeted UAP focuses on alleviating the dependence on the original training samples, from removing the need for sample labels to limiting the sample size. Towards strictly data-free untargeted UAP, our work proposes to exploit artificial Jigsaw images as the training samples, demonstrating competitive performance. We further investigate the possibility of exploiting the UAP for a data-free black-box attack which is arguably the most practical yet challenging threat model. We demonstrate that there exists optimization-free repetitive patterns which can successfully attack deep models. Code is available at https://bit.ly/3y0ZTIC.

查看原文本刊更多论文

无数据通用对抗性摄动和黑盒攻击

普遍对抗摄动(UAP)，即对大多数图像进行单一扰动来欺骗网络，被广泛认为是一种更实用的攻击，因为UAP可以事先生成并在攻击阶段直接应用。关于非目标UAP，一个有趣的现象是，大多数图像被错误地分类到一个主导标签。这种现象在以前的作品中已经报道过，但缺乏合理的解释，为此我们的工作试图提供另一种解释。对于更实际的通用攻击，我们对非目标UAP的调查侧重于减轻对原始训练样本的依赖，从消除对样本标签的需要到限制样本大小。对于严格无数据的非目标UAP，我们的工作提出利用人工拼图图像作为训练样本，展示竞争性能。我们进一步研究了利用UAP进行无数据黑盒攻击的可能性，这可以说是最实用但最具挑战性的威胁模型。我们证明了存在可以成功攻击深度模型的无优化重复模式。代码可从https://bit.ly/3y0ZTIC获得。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2021 IEEE/CVF International Conference on Computer Vision (ICCV)

自引率

0.00%

发文量