Ask, Acquire, and Attack: Data-free UAP Generation using Class Impressions
Konda Reddy Mopuri, Phani Krishna Uppala, and R. Venkatesh Babu

TL;DR
This paper introduces a novel data-free method for generating universal adversarial perturbations by using class impressions to emulate data samples, achieving state-of-the-art success rates comparable to data-driven approaches.
Contribution
The paper proposes a new approach that uses class impressions to enable data-free UAP generation with high success rates, bridging the gap with data-driven methods.
Findings
Achieves state-of-the-art success rates in data-free UAP generation.
Uses a neural network to generate UAPs efficiently via class impressions.
Performs comparably to data-driven methods without using actual data samples.
Abstract
Deep learning models are susceptible to input-specific noise, called adversarial perturbations. Moreover, there exists input-agnostic noise, called Universal Adversarial Perturbations (UAP), that can affect inference of the models over most input samples. Given a model, there exist broadly two approaches to craft UAPs: (i) data-driven: that require data, and (ii) data-free: that do not require data samples. Data-driven approaches require actual samples from the underlying data distribution and craft UAPs with high success (fooling) rate. However, data-free approaches craft UAPs without utilizing any data samples and therefore result in lesser success rates. In this paper, for data-free scenarios, we propose a novel approach that emulates the effect of data samples with class impressions in order to craft UAPs using data-driven objectives. Class impression for a given pair of category and…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Generative Adversarial Networks and Image Synthesis
