TL;DR
This paper introduces a novel black-box adversarial attack method that minimizes $l_0$-distance and componentwise perturbations, producing sparse, nearly imperceivable adversarial examples, and enhances classifier robustness through adapted adversarial training.
Contribution
It presents a new $l_0$-norm based attack with componentwise constraints and adapts PGD for sparse, imperceivable attacks, improving robustness training.
Findings
Our attack outperforms or matches state-of-the-art methods.
Incorporating componentwise bounds produces nearly imperceivable adversarial examples.
Adversarial training with our method enhances classifier robustness against sparse attacks.
Abstract
Neural networks have been proven to be vulnerable to a variety of adversarial attacks. From a safety perspective, highly sparse adversarial attacks are particularly dangerous. On the other hand the pixelwise perturbations of sparse attacks are typically large and thus can be potentially detected. We propose a new black-box technique to craft adversarial examples aiming at minimizing $l_0$-distance to the original image. Extensive experiments show that our attack is better or competitive to the state of the art. Moreover, we can integrate additional bounds on the componentwise perturbation. Allowing pixels to change only in region of high variation and avoiding changes along axis-aligned edges makes our adversarial examples almost non-perceivable. Moreover, we adapt the Projected Gradient Descent attack to the $l_0$-norm integrating componentwise constraints. This allows us to do…
