Traversing the Subspace of Adversarial Patches
Jens Bayer, Stefan Becker, David Münch, Michael Arens, Jürgen Beyerer

TL;DR
This paper investigates the nature of adversarial patches in deep learning, analyzing their structure through dimensionality reduction and assessing their effectiveness in attacks on person detection datasets.
Contribution
It provides an analysis of adversarial patches using various dimensionality reduction techniques and evaluates their attack performance and training impact.
Findings
Sophisticated reduction methods do not outperform PCA.
Reconstructed patches maintain attack effectiveness.
Sampling from latent space influences adversarial training.
Abstract
Despite ongoing research on the topic of adversarial examples in deep learning for computer vision, some fundamentals of the nature of these attacks remain unclear. As the manifold hypothesis posits, high-dimensional data tends to be part of a low-dimensional manifold. To verify the thesis with adversarial patches, this paper provides an analysis of a set of adversarial patches and investigates the reconstruction abilities of three different dimensionality reduction methods. Quantitatively, the performance of reconstructed patches in an attack setting is measured and the impact of sampled patches from the latent space during adversarial training is investigated. The evaluation is performed on two publicly available datasets for person detection. The results indicate that more sophisticated dimensionality reduction methods offer no advantages over a simple principal component analysis.
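The PCA step the abstract describes (project a patch set onto k components, reconstruct it, and decode patches sampled from the latent space) is sketched below as an added example; it is not code from the paper. The patch set is a constructed random stand-in, and the patch size, the number of hidden factors and the Gaussian sampling scheme are assumptions.

```python
import numpy as np

def make_patches(n=200, side=16, latent_dim=5, noise=0.01, seed=0):
    """Constructed stand-in for a patch set: n flattened side x side RGB
    images driven by latent_dim hidden factors plus small pixel noise."""
    rng = np.random.default_rng(seed)
    d = side * side * 3
    basis = rng.normal(size=(latent_dim, d))
    codes = rng.normal(size=(n, latent_dim))
    return 0.5 + 0.05 * codes @ basis + noise * rng.normal(size=(n, d))

def fit_pca(X, k):
    """Return the mean, the top-k principal axes (k x d) and the standard
    deviation of the data along each axis."""
    mean = X.mean(axis=0)
    _, S, Vt = np.linalg.svd(X - mean, full_matrices=False)
    return mean, Vt[:k], S[:k] / np.sqrt(len(X) - 1)

def encode(X, mean, axes):
    return (X - mean) @ axes.T

def decode(Z, mean, axes):
    return Z @ axes + mean

def reconstruction_mse(X, k):
    """Mean squared pixel error after projecting onto k components."""
    mean, axes, _ = fit_pca(X, k)
    return float(np.mean((X - decode(encode(X, mean, axes), mean, axes)) ** 2))

def sample_patches(X, k, n_samples, seed=1):
    """Decode latent codes drawn from a Gaussian matched to the data's
    per-axis spread (assumed sampling scheme). A real pipeline would also
    clamp the result to the valid pixel range."""
    mean, axes, std = fit_pca(X, k)
    Z = np.random.default_rng(seed).normal(size=(n_samples, k)) * std
    return decode(Z, mean, axes)

if __name__ == "__main__":
    X = make_patches()
    for k in (1, 2, 5, 10):
        print(f"k={k:2d}  reconstruction MSE={reconstruction_mse(X, k):.6f}")
    print("sampled patch batch:", sample_patches(X, 5, 8).shape)
```

On this constructed set the reconstruction error falls to the noise floor once k reaches the number of hidden factors, which is the behaviour the manifold hypothesis predicts for data lying near a low-dimensional subspace.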
Taxonomy
Topics: Physical Unclonable Functions (PUFs) and Hardware Security
Methods: Sparse Evolutionary Training
