Sparse-PGD: A Unified Framework for Sparse Adversarial Perturbations Generation
Xuyang Zhong, Chen Liu

TL;DR
This paper introduces Sparse-PGD, a unified white-box and black-box framework for generating and defending against sparse adversarial perturbations, significantly improving model robustness.
Contribution
We propose Sparse-PGD, a novel efficient attack method for sparse perturbations, and demonstrate its effectiveness in evaluating and enhancing model robustness.
Findings
Sparse-PGD outperforms existing attack methods in various scenarios.
Adversarial training with Sparse-PGD improves robustness against sparse attacks.
Our robust models achieve state-of-the-art performance against sparse perturbations.
Abstract
This work studies sparse adversarial perturbations, including both unstructured and structured ones. We propose a framework based on a white-box PGD-like attack method named Sparse-PGD to effectively and efficiently generate such perturbations. Furthermore, we combine Sparse-PGD with a black-box attack to comprehensively and more reliably evaluate the models' robustness against unstructured and structured sparse adversarial perturbations. Moreover, the efficiency of Sparse-PGD enables us to conduct adversarial training to build robust models against various sparse perturbations. Extensive experiments demonstrate that our proposed attack algorithm exhibits strong performance in different scenarios. More importantly, compared with other robust models, our adversarially trained model demonstrates state-of-the-art robustness against various sparse attacks. Codes are available at…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications
