Low Rank Adaptation for Adversarial Perturbation

TL;DR

This paper reveals that adversarial perturbations in machine learning models have a low-rank structure and leverages this property to enhance black-box attack efficiency and effectiveness.

Contribution

The paper provides theoretical and empirical evidence of low-rank structure in adversarial perturbations and introduces a low-rank based method to improve black-box attack performance.

Findings

Adversarial perturbations exhibit an inherent low-rank structure.

Using low-rank projections improves attack efficiency and success rates.

The method outperforms conventional black-box attack techniques across various models and datasets.

Abstract

Low-Rank Adaptation (LoRA), which leverages the insight that model updates typically reside in a low-dimensional space, has significantly improved the training efficiency of Large Language Models (LLMs) by updating neural network layers using low-rank matrices. Since the generation of adversarial examples is an optimization process analogous to model training, this naturally raises the question: Do adversarial perturbations exhibit a similar low-rank structure? In this paper, we provide both theoretical analysis and extensive empirical investigation across various attack methods, model architectures, and datasets to show that adversarial perturbations indeed possess an inherently low-rank structure. This insight opens up new opportunities for improving both adversarial attacks and defenses. We mainly focus on leveraging this low-rank property to improve the efficiency and effectiveness of black-box adversarial attacks, which often suffer from excessive query requirements. Our method follows a two-step approach. First, we use a reference model and auxiliary data to guide the projection of gradients into a low-dimensional subspace. Next, we confine the perturbation search in black-box attacks to this low-rank subspace, significantly improving the efficiency and effectiveness of the adversarial attacks. We evaluated our approach across a range of attack methods, benchmark models, datasets, and threat models. The results demonstrate substantial and consistent improvements in the performance of our low-rank adversarial attacks compared to conventional methods.