A Method for Computing Class-wise Universal Adversarial Perturbations

TL;DR

This paper introduces a fast, data-free method for generating class-specific universal adversarial perturbations for deep neural networks, achieving high fooling rates and transferability across models.

Contribution

The paper proposes a novel linear-based approach for computing class-wise universal adversarial perturbations without training data or hyper-parameters, significantly improving speed.

Findings

Achieves 34% to 51% fooling rate on ImageNet models.

Perturbations transfer effectively across different neural network architectures.

Provides insights into decision boundary characteristics of standard and adversarially trained models.

Abstract

We present an algorithm for computing class-specific universal adversarial perturbations for deep neural networks. Such perturbations can induce misclassification in a large fraction of images of a specific class. Unlike previous methods that use iterative optimization for computing a universal perturbation, the proposed method employs a perturbation that is a linear function of weights of the neural network and hence can be computed much faster. The method does not require any training data and has no hyper-parameters. The attack obtains 34% to 51% fooling rate on state-of-the-art deep neural networks on ImageNet and transfers across models. We also study the characteristics of the decision boundaries learned by standard and adversarially trained models to understand the universal adversarial perturbations.