Superpixel Attack: Enhancing Black-box Adversarial Attack with Image-driven Division Areas

TL;DR

This paper introduces Superpixel Attack, a novel black-box adversarial attack method that uses image-driven superpixels and a versatile search strategy to improve attack success rates against robust models.

Contribution

It proposes replacing rectangular regions with superpixels and introduces a versatile search method for more effective black-box adversarial attacks.

Findings

Superpixel Attack increases success rates by 2.10% on average.

Superpixels balance color variance and compactness effectively.

Most models show robustness, making improvements significant.

Abstract

Deep learning models are used in safety-critical tasks such as automated driving and face recognition. However, small perturbations in the model input can significantly change the predictions. Adversarial attacks are used to identify small perturbations that can lead to misclassifications. More powerful black-box adversarial attacks are required to develop more effective defenses. A promising approach to black-box adversarial attacks is to repeat the process of extracting a specific image area and changing the perturbations added to it. Existing attacks adopt simple rectangles as the areas where perturbations are changed in a single iteration. We propose applying superpixels instead, which achieve a good balance between color variance and compactness. We also propose a new search method, versatile search, and a novel attack method, Superpixel Attack, which applies superpixels and performs versatile search. Superpixel Attack improves attack success rates by an average of 2.10% compared with existing attacks. Most models used in this study are robust against adversarial attacks, and this improvement is significant for black-box adversarial attacks. The code is avilable at https://github.com/oe1307/SuperpixelAttack.git.