Low Frequency Adversarial Perturbation
Chuan Guo, Jared S. Frank, Kilian Q. Weinberger
TL;DR
This paper introduces a low frequency domain approach for black-box adversarial attacks that significantly reduces query costs and can bypass image transformation defenses, demonstrated by fooling Google Cloud Vision with minimal queries.
Contribution
It proposes restricting adversarial search to low frequency components, improving efficiency and robustness against defenses in black-box settings.
Findings
Reduces query complexity by 2 to 4 times
Circumvents image transformation defenses
Successfully fools Google Cloud Vision with few queries
Abstract
Adversarial images aim to change a target model's decision by minimally perturbing a target image. In the black-box setting, the absence of gradient information often renders this search problem costly in terms of query complexity. In this paper we propose to restrict the search for adversarial images to a low frequency domain. This approach is readily compatible with many existing black-box attack frameworks and consistently reduces their query cost by 2 to 4 times. Further, we can circumvent image transformation defenses even when both the model and the defense strategy are unknown. Finally, we demonstrate the efficacy of this technique by fooling the Google Cloud Vision platform with an unprecedented low number of model queries.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Code & Models
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Domain Adaptation and Few-Shot Learning