DMS: Addressing Information Loss with More Steps for Pragmatic Adversarial Attacks
Zhiyu Zhu, Jiayu Zhang, Xinyi Wang, Zhibo Jin, Huaming Chen

TL;DR
This paper introduces the DMS algorithm, which improves the robustness of adversarial attacks against neural networks by addressing information loss caused by file format discretization, through gradient-guided pixel integerization and attribution-based pixel selection.
Contribution
The paper proposes the DMS algorithm with two novel techniques, DMS-AI and DMS-AS, to mitigate information loss in adversarial samples caused by digital storage formats, enhancing attack effectiveness.
Findings
DMS-AI outperforms rounding and truncation in preserving attack success.
DMS-AS effectively selects pixels to maintain attack integrity.
Experiments on large datasets validate the superiority of DMS methods.
Abstract
Despite the exceptional performance of deep neural networks (DNNs) across different domains, they are vulnerable to adversarial samples, in particular for tasks related to computer vision. Such vulnerability is further influenced by the digital container formats used in computers, where discrete numerical values are commonly used for storing the pixel values. This paper examines how information loss in file formats impacts the effectiveness of adversarial attacks. Notably, we observe a pronounced hindrance to the adversarial attack performance due to the information loss of the non-integer pixel values. To address this issue, we explore leveraging the gradient information of the attack samples within the model to mitigate the information loss. We introduce the Do More Steps (DMS) algorithm, which hinges on two core techniques: gradient ascent-based \textit{adversarial…
Taxonomy
Topics: Adversarial Robustness in Machine Learning
