Walking on the Edge: Fast, Low-Distortion Adversarial Examples

TL;DR

This paper introduces a new adversarial attack method called boundary projection (BP) that efficiently finds low-distortion adversarial examples by quickly reaching the classification boundary and optimizing on it, balancing speed and effectiveness.

Contribution

The paper proposes the boundary projection (BP) attack, a novel method that improves the speed-distortion trade-off in generating adversarial examples by leveraging the manifold structure of the classification boundary.

Findings

BP significantly outperforms existing attacks in speed and distortion.

The method effectively balances attack speed with low perturbation levels.

Experimental results demonstrate improved attack success rates.

Abstract

Adversarial examples of deep neural networks are receiving ever increasing attention because they help in understanding and reducing the sensitivity to their input. This is natural given the increasing applications of deep neural networks in our everyday lives. When white-box attacks are almost always successful, it is typically only the distortion of the perturbations that matters in their evaluation. In this work, we argue that speed is important as well, especially when considering that fast attacks are required by adversarial training. Given more time, iterative methods can always find better solutions. We investigate this speed-distortion trade-off in some depth and introduce a new attack called boundary projection (BP) that improves upon existing methods by a large margin. Our key idea is that the classification boundary is a manifold in the image space: we therefore quickly reach the boundary and then optimize distortion on this manifold.