Learning to Attack with Fewer Pixels: A Probabilistic Post-hoc Framework for Refining Arbitrary Dense Adversarial Attacks
He Zhao, Thanh Nguyen, Trung Le, Paul Montague, Olivier De Vel, Tamas Abraham, Dinh Phung

TL;DR
This paper introduces a probabilistic post-hoc framework that refines dense adversarial attacks by reducing pixel perturbations while maintaining attack effectiveness, resulting in more realistic and less detectable adversarial images with faster attack speed.
Contribution
It presents a novel probabilistic framework that refines dense attacks to produce sparser, more efficient adversarial examples without sacrificing attack success.
Findings
Reduces the number of perturbed pixels significantly.
Maintains attack success rate comparable to dense attacks.
Speeds up adversarial attack generation compared to existing sparse methods.
Abstract
Deep neural network image classifiers are reported to be susceptible to adversarial evasion attacks, which use carefully crafted images created to mislead a classifier. Many adversarial attacks belong to the category of dense attacks, which generate adversarial examples by perturbing all the pixels of a natural image. To generate sparse perturbations, sparse attacks have been recently developed, which are usually independent attacks derived by modifying a dense attack's algorithm with sparsity regularisations, resulting in reduced attack efficiency. In this paper, we aim to tackle this task from a different perspective. We select the most effective perturbations from the ones generated from a dense attack, based on the fact we find that a considerable amount of the perturbations on an image generated by dense attacks may contribute little to attacking a classifier. Accordingly, we…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Bacillus and Francisella bacterial research
