Sparse patches adversarial attacks via extrapolating point-wise information

TL;DR

This paper introduces a novel method for generating sparse and patch adversarial attacks by extrapolating from dense perturbations, allowing simultaneous optimization of multiple patches and improving state-of-the-art results.

Contribution

It proposes a new approach that extrapolates from dense adversarial perturbations to optimize multiple sparse patches simultaneously, enhancing attack effectiveness.

Findings

Significantly improves state-of-the-art sparse patch attacks

Applicable to both patch and standard sparse adversarial attacks

Demonstrates effectiveness across multiple extensive settings

Abstract

Sparse and patch adversarial attacks were previously shown to be applicable in realistic settings and are considered a security risk to autonomous systems. Sparse adversarial perturbations constitute a setting in which the adversarial perturbations are limited to affecting a relatively small number of points in the input. Patch adversarial attacks denote the setting where the sparse attacks are limited to a given structure, i.e., sparse patches with a given shape and number. However, previous patch adversarial attacks do not simultaneously optimize multiple patches' locations and perturbations. This work suggests a novel approach for sparse patches adversarial attacks via point-wise trimming dense adversarial perturbations. Our approach enables simultaneous optimization of multiple sparse patches' locations and perturbations for any given number and shape. Moreover, our approach is also applicable for standard sparse adversarial attacks, where we show that it significantly improves the state-of-the-art over multiple extensive settings. A reference implementation of the proposed method and the reported experiments is provided at \url{https://github.com/yanemcovsky/SparsePatches.git}