Fast Feature Fool: A data independent approach to universal adversarial perturbations

TL;DR

This paper introduces a novel data-independent method for generating universal adversarial perturbations that fool CNNs across different architectures without requiring training data, demonstrating high fooling rates and transferability.

Contribution

The authors propose the first data-independent approach for creating universal adversarial perturbations, bypassing the need for training data and complex optimization procedures.

Findings

Achieves high fooling rates across multiple CNN architectures.

Perturbations transfer effectively between different networks.

Operates efficiently without access to training data.

Abstract

State-of-the-art object recognition Convolutional Neural Networks (CNNs) are shown to be fooled by image agnostic perturbations, called universal adversarial perturbations. It is also observed that these perturbations generalize across multiple networks trained on the same target data. However, these algorithms require training data on which the CNNs were trained and compute adversarial perturbations via complex optimization. The fooling performance of these approaches is directly proportional to the amount of available training data. This makes them unsuitable for practical attacks since its unreasonable for an attacker to have access to the training data. In this paper, for the first time, we propose a novel data independent approach to generate image agnostic perturbations for a range of CNNs trained for object recognition. We further show that these perturbations are transferable across multiple network architectures trained either on same or different data. In the absence of data, our method generates universal adversarial perturbations efficiently via fooling the features learned at multiple layers thereby causing CNNs to misclassify. Experiments demonstrate impressive fooling rates and surprising transferability for the proposed universal perturbations generated without any training data.