Double Targeted Universal Adversarial Perturbations

TL;DR

This paper introduces double targeted universal adversarial perturbations (DT-UAPs) that enable precise, low-suspicion attacks on deep neural networks by targeting specific source and sink classes simultaneously, bridging the gap between image-dependent and universal perturbations.

Contribution

The paper proposes a novel double targeted attack method that effectively fools DNNs with minimal non-targeted disruption, enhancing attack precision and stealth.

Findings

DT-UAPs successfully fool DNNs across various datasets.

The method demonstrates potential as a physical attack.

It achieves targeted misclassification with limited impact on non-target classes.

Abstract

Despite their impressive performance, deep neural networks (DNNs) are widely known to be vulnerable to adversarial attacks, which makes it challenging for them to be deployed in security-sensitive applications, such as autonomous driving. Image-dependent perturbations can fool a network for one specific image, while universal adversarial perturbations are capable of fooling a network for samples from all classes without selection. We introduce a double targeted universal adversarial perturbations (DT-UAPs) to bridge the gap between the instance-discriminative image-dependent perturbations and the generic universal perturbations. This universal perturbation attacks one targeted source class to sink class, while having a limited adversarial effect on other non-targeted source classes, for avoiding raising suspicions. Targeting the source and sink class simultaneously, we term it double targeted attack (DTA). This provides an attacker with the freedom to perform precise attacks on a DNN model while raising little suspicion. We show the effectiveness of the proposed DTA algorithm on a wide range of datasets and also demonstrate its potential as a physical attack.