TEAM: We Need More Powerful Adversarial Examples for DNNs
Yaguan Qian, Ximin Zhang, Bin Wang, Wei Li, Zhaoquan Gu, Haijiang Wang, and Wassim Swaileh

TL;DR
This paper introduces TEAM, a novel Taylor expansion-based method for generating more powerful adversarial examples that achieve higher success rates with smaller perturbations, challenging existing defenses against DNN attacks.
Contribution
The paper proposes a new adversarial attack method using second-order Taylor expansion and optimization techniques, outperforming previous methods in effectiveness and efficiency.
Findings
Achieves 100% attack success rate with smaller perturbations.
Effectively defeats gradient masking defenses like defensive distillation.
Uses second-order Taylor expansion for more powerful adversarial examples.
Abstract
Although deep neural networks (DNNs) have achieved success in many application fields, they are still vulnerable to imperceptible adversarial examples that can lead to misclassification of DNNs easily. To overcome this challenge, many defensive methods are proposed. Indeed, a powerful adversarial example is a key benchmark to measure these defensive mechanisms. In this paper, we propose a novel method (TEAM, Taylor Expansion-Based Adversarial Methods) to generate more powerful adversarial examples than previous methods. The main idea is to craft adversarial examples by minimizing the confidence of the ground-truth class under untargeted attacks or maximizing the confidence of the target class under targeted attacks. Specifically, we define the new objective functions that approximate DNNs by using the second-order Taylor expansion within a tiny neighborhood of the input. Then the…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Security and Verification in Computing
