Minimally distorted Adversarial Examples with a Fast Adaptive Boundary Attack
Francesco Croce, Matthias Hein

TL;DR
This paper introduces a fast, adaptive white-box adversarial attack that efficiently finds minimally distorted examples across multiple norms, outperforming or matching state-of-the-art methods and resisting gradient masking effects.
Contribution
The paper presents a novel attack method with geometric intuition that quickly generates high-quality, minimally perturbed adversarial examples for multiple norms, improving robustness evaluation.
Findings
Performs better than or similarly to existing attacks across $l_p$-norms.
Efficiently computes minimal perturbations with a single run.
Resistant to gradient masking phenomena.
Abstract
The evaluation of robustness against adversarial manipulation of neural networks-based classifiers is mainly tested with empirical attacks as methods for the exact computation, even when available, do not scale to large networks. We propose in this paper a new white-box adversarial attack wrt the $l_p$-norms for aiming at finding the minimal perturbation necessary to change the class of a given input. It has an intuitive geometric meaning, yields quickly high quality results, minimizes the size of the perturbation (so that it returns the robust accuracy at every threshold with a single run). It performs better or similar to state-of-the-art attacks which are partially specialized to one $l_p$-norm, and is robust to the phenomenon of gradient masking.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Integrated Circuits and Semiconductor Failure Analysis · Bacillus and Francisella bacterial research
