Trace-Norm Adversarial Examples

TL;DR

This paper investigates structured adversarial examples constrained by various norms, highlighting their implications for robustness certification, attack effectiveness, and potential for more perceptible or controllable perturbations.

Contribution

It introduces structured distortion sets for adversarial attacks, challenging existing certification methods and enabling more controllable and potentially larger perturbations.

Findings

Structured attacks can bypass $l_p$ based certification.

Different norms produce diverse adversarial example structures.

Structured perturbations may be more perceptible or controllable.

Abstract

White box adversarial perturbations are sought via iterative optimization algorithms most often minimizing an adversarial loss on a $l_p$ neighborhood of the original image, the so-called distortion set. Constraining the adversarial search with different norms results in disparately structured adversarial examples. Here we explore several distortion sets with structure-enhancing algorithms. These new structures for adversarial examples, yet pervasive in optimization, are for instance a challenge for adversarial theoretical certification which again provides only $l_p$ certificates. Because adversarial robustness is still an empirical field, defense mechanisms should also reasonably be evaluated against differently structured attacks. Besides, these structured adversarial perturbations may allow for larger distortions size than their $l_p$ counter-part while remaining imperceptible or perceptible as natural slight distortions of the image. Finally, they allow some control on the generation of the adversarial perturbation, like (localized) bluriness.