动机
Sparse adversarial attacks can fool deep neuralnetworks (DNNs) by only perturbing a few pixels (regularized by‘0norm). Recent efforts combine it with another‘∞imperceptible on the pertur-bation magnitudes. The resultant sparse and im- perceptible attacks are practically relevant, and indicate an even higher vulnerability of DNNs that we usually imagined. However, such attacks are more challenging to generate due to the opti-mization difficulty by coupling the‘0regularizer and box constraints with a non-convex objective
稀疏对抗式攻击可以通过只扰动几个像素来欺骗深度神经网络(DNNs)。与像素扰动相比,高度稀疏的对抗攻击是更加危险的,因为更加不易被侦测到。
什么是稀疏特征?高维稀疏特征 - 知乎
目标
In this paper, we address this challenge by propos-ing a homotopy algorithm, to jointly tackle the sparsity and the perturbation bound in one uni- fied framework. Each iteration, the main step of our algorithm is to optimize an‘0-regularized adversarial loss, by leveraging the nonmonotone Accelerated Proximal Gradient Method (nmAPG) for nonconvex programming; it is followed by an ‘0change control step, and an optional post-attack step designed to escape bad local minima. We also extend the algorithm to handling the structural sparsity regularizer.
在本文中,我们提出了一个同伦算法来解决这一挑战,在一个统一的框架内联合处理稀疏性和摄动界。每次迭代,算法的主要步骤是优化0正则化对抗损失,利用非单调加速近端梯度法(nmAPG)进行非凸规划;接下来是一个' 0change控制步骤,和一个可选的攻击后步骤,旨在逃离糟糕的局部极小值。我们还将该算法扩展到结构稀疏正则化的处理。
本文的研究中心在于最小化对抗样本与干净样本之间的距离?生成更“以假乱真”的样本吗?我什么都不知道
方法
homotopy attack
- 对分量微扰的附加边界进行积分
- 像素只在高变化率区域发生变化
- 避免沿轴对齐的边缘进行更改
- adv training (adapt the PGD attack to the
norm integrating componentwise constraints.
创新点
The core merit of our method is to enable a smooth relax-ation of the sparsity constraint, which eventually leads to a flexible yet compactly sparse solution.
我们方法的核心优点是使稀疏性约束平滑松弛,最终得到灵活而紧凑的稀疏解。
本文的做法提出要利用不同区域的特性,来施加不同程度的无穷范数扰动上限约束。该约束的计算依赖于不同轴向的像素饱和度等级(一般来说,某区域的色彩越纯,越是高度饱和。)
数据集
CIFAR-10
ImageNet
应用场景
In this paper, we have proposed a novel homotopy algorithm for sparse adversarial attack based on Nonmonotone Accelerated Proximal Gradient Methods for Nonconvex Programming, an additional control of maximum‘0updates and an optional post attack stage per iteration. Extensive experiments show that our algorithm can generate very sparse adversarial perturbations while maintaining relatively low perturbation magnitudes, compared to the state-of-the-art methods. Also, our proposed control of maximum‘0updates and the optional post attack stage greatly improve the sparsity level of the homotopy algorithm.
本文提出了一种新的稀疏对抗性攻击同伦算法,该算法基于非凸规划的非单调加速近端梯度法,增加了最大更新的控制和每次迭代攻击后的可选阶段。大量的实验表明,与最先进的方法相比,我们的算法可以产生非常稀疏的对抗扰动,同时保持相对较低的扰动幅度。同时,我们提出的最大更新和攻击后可选阶段的控制大大提高了同伦算法的稀疏性水平。
对干净图像添加噪声,生成更令机器迷惑的对抗样本来进行对抗性训练
开源地址
https://github.com/ VITA-Group/SparseADV_Homotopyhttps://github.com/ VITA-Group/SparseADV_Homotopy
https://github.com/%20VITA-Group/SparseADV_Homotopy
对比算法
GreedyFool
SAPF
评估
可用于模拟医学仪器在图像上产生的噪声和伪影
其他
天书
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
