Carpet-bombing patch: attacking a deep network without usual requirements
Pol Labarbarie, Adrien Chan-Hon-Tong, Stéphane Herbin, Milad Leyli-Abadi

TL;DR
This paper introduces a novel patch attack method called carpet-bombing that effectively reduces deep network performance across various tasks without requiring task-specific knowledge or constraints.
Contribution
It presents a new universal patch attack that targets feature representations, removing the need for task-specific information or assumptions.
Findings
Decreases accuracy on ImageNet
Reduces mAP on Pascal VOC
Lowers IoU on Cityscapes
Abstract
Although deep networks have shown vulnerability to evasion attacks, such attacks usually have unrealistic requirements. Recent literature has discussed whether some of these requirements can be removed. This paper contributes to this literature by introducing a carpet-bombing patch attack which has almost no requirements. Targeting the feature representations, this patch attack does not require knowing the network task. This attack decreases accuracy on ImageNet, mAP on Pascal VOC, and IoU on Cityscapes without being aware that the underlying tasks involved classification, detection or semantic segmentation, respectively. Beyond the potential safety issues raised by this attack, the impact of the carpet-bombing attack highlights some interesting properties of deep network layer dynamics.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Anomaly Detection Techniques and Applications
Methods: Attentive Walk-Aggregating Graph Neural Network
