Generalizable Data-free Objective for Crafting Universal Adversarial Perturbations

TL;DR

This paper introduces a novel, data-free method for creating universal adversarial perturbations that can fool multiple vision models across various tasks without needing training data, highlighting increased risks for deep learning models.

Contribution

The paper proposes a generalizable, data-free approach for crafting universal adversarial perturbations that work across multiple vision tasks and in black-box scenarios, outperforming data-dependent methods.

Findings

Achieves high fooling rates across multiple vision tasks.

Outperforms data-dependent objectives in black-box settings.

Generalizes without requiring training data.

Abstract

Machine learning models are susceptible to adversarial perturbations: small changes to input that can cause large changes in output. It is also demonstrated that there exist input-agnostic perturbations, called universal adversarial perturbations, which can change the inference of target model on most of the data samples. However, existing methods to craft universal perturbations are (i) task specific, (ii) require samples from the training data distribution, and (iii) perform complex optimizations. Additionally, because of the data dependence, fooling ability of the crafted perturbations is proportional to the available training data. In this paper, we present a novel, generalizable and data-free approaches for crafting universal adversarial perturbations. Independent of the underlying task, our objective achieves fooling via corrupting the extracted features at multiple layers. Therefore, the proposed objective is generalizable to craft image-agnostic perturbations across multiple vision tasks such as object recognition, semantic segmentation, and depth estimation. In the practical setting of black-box attack scenario (when the attacker does not have access to the target model and it's training data), we show that our objective outperforms the data dependent objectives to fool the learned models. Further, via exploiting simple priors related to the data distribution, our objective remarkably boosts the fooling ability of the crafted perturbations. Significant fooling rates achieved by our objective emphasize that the current deep learning models are now at an increased risk, since our objective generalizes across multiple tasks without the requirement of training data for crafting the perturbations. To encourage reproducible research, we have released the codes for our proposed algorithm.