CD-UAP: Class Discriminative Universal Adversarial Perturbation

TL;DR

This paper introduces CD-UAP, a novel universal adversarial perturbation method that selectively targets specific classes while sparing others, enhancing attack flexibility and effectiveness.

Contribution

It proposes a new class discriminative universal adversarial perturbation method with an effective algorithm framework for targeted class attacks.

Findings

Achieves state-of-the-art performance on UAP attack tasks.

Effectively discriminates between targeted and non-targeted classes.

Demonstrates robustness across various benchmark datasets.

Abstract

A single universal adversarial perturbation (UAP) can be added to all natural images to change most of their predicted class labels. It is of high practical relevance for an attacker to have flexible control over the targeted classes to be attacked, however, the existing UAP method attacks samples from all classes. In this work, we propose a new universal attack method to generate a single perturbation that fools a target network to misclassify only a chosen group of classes, while having limited influence on the remaining classes. Since the proposed attack generates a universal adversarial perturbation that is discriminative to targeted and non-targeted classes, we term it class discriminative universal adversarial perturbation (CD-UAP). We propose one simple yet effective algorithm framework, under which we design and compare various loss function configurations tailored for the class discriminative universal attack. The proposed approach has been evaluated with extensive experiments on various benchmark datasets. Additionally, our proposed approach achieves state-of-the-art performance for the original task of UAP attacking all classes, which demonstrates the effectiveness of our approach.