Multi-objective Evolutionary Search of Variable-length Composite Semantic Perturbations

TL;DR

This paper introduces MES-VCSP, a multi-objective evolutionary approach to generate variable-length, composite semantic adversarial perturbations, improving attack success rate and naturalness over existing methods.

Contribution

It proposes a novel AutoML framework for semantic adversarial attacks using multi-objective evolutionary search, addressing the gap in existing $L_{ ext{infinity}}$-norm-based methods.

Findings

Higher attack success rate on CIFAR10 and ImageNet

More natural adversarial examples

Reduced time cost in attack generation

Abstract

Deep neural networks have proven to be vulnerable to adversarial attacks in the form of adding specific perturbations on images to make wrong outputs. Designing stronger adversarial attack methods can help more reliably evaluate the robustness of DNN models. To release the harbor burden and improve the attack performance, auto machine learning (AutoML) has recently emerged as one successful technique to help automatically find the near-optimal adversarial attack strategy. However, existing works about AutoML for adversarial attacks only focus on $L_{\infty}$-norm-based perturbations. In fact, semantic perturbations attract increasing attention due to their naturalnesses and physical realizability. To bridge the gap between AutoML and semantic adversarial attacks, we propose a novel method called multi-objective evolutionary search of variable-length composite semantic perturbations (MES-VCSP). Specifically, we construct the mathematical model of variable-length composite semantic perturbations, which provides five gradient-based semantic attack methods. The same type of perturbation in an attack sequence is allowed to be performed multiple times. Besides, we introduce the multi-objective evolutionary search consisting of NSGA-II and neighborhood search to find near-optimal variable-length attack sequences. Experimental results on CIFAR10 and ImageNet datasets show that compared with existing methods, MES-VCSP can obtain adversarial examples with a higher attack success rate, more naturalness, and less time cost.