On the Effectiveness of Low Frequency Perturbations

@article{Sharma2019OnTE,
  title={On the Effectiveness of Low Frequency Perturbations},
  author={Yash Sharma and Gavin Weiguang Ding and Marcus A. Brubaker},
  journal={ArXiv},
  year={2019},
  volume={abs/1903.00073}
}
Carefully crafted, often imperceptible, adversarial perturbations have been shown to cause state-of-the-art models to yield extremely inaccurate outputs, rendering them unsuitable for safety-critical application domains. In addition, recent work has shown that constraining the attack space to a low frequency regime is particularly effective. Yet, it remains unclear whether this is due to generally constraining the attack search space or specifically removing high frequency components from…
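As a point of reference for what a "low frequency regime" can mean in practice, the sketch below restricts a perturbation to its lowest spatial frequencies by zeroing all but the top-left block of its 2D DCT coefficients. This is an illustrative reconstruction, not the paper's code; the function names, the 8x8 block size, and the perturbation budget are assumptions.

```python
import numpy as np
from scipy.fftpack import dct, idct

def dct2(x):
    """2D type-II DCT with orthonormal scaling."""
    return dct(dct(x, axis=0, norm='ortho'), axis=1, norm='ortho')

def idct2(x):
    """Inverse of dct2."""
    return idct(idct(x, axis=0, norm='ortho'), axis=1, norm='ortho')

def project_low_frequency(delta, keep=8):
    """Zero every DCT coefficient outside the top-left `keep` x `keep`
    block, i.e. keep only the lowest spatial frequencies."""
    coeffs = dct2(delta)
    mask = np.zeros_like(coeffs)
    mask[:keep, :keep] = 1.0
    return idct2(coeffs * mask)

# Illustrative use: a random 32x32 perturbation with an 8/255 budget,
# projected onto an 8x8 low-frequency DCT subspace.
delta = np.random.uniform(-8 / 255, 8 / 255, size=(32, 32))
delta_low = project_low_frequency(delta, keep=8)
```
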
Citations

A Frequency Perspective of Adversarial Robustness
TLDR: This analysis shows that adversarial examples are neither in high-frequency nor in low-frequency components, but are simply dataset dependent, and proposes a frequency-based explanation for the commonly observed accuracy vs. robustness trade-off.
A Frequency Domain Analysis of Gradient-Based Adversarial Examples
  • 2020
It is well known that deep neural networks are vulnerable to adversarial examples. We attempt to understand adversarial examples from the perspective of frequency analysis. Several works have…
BlurNet: Defense by Filtering the Feature Maps
  • Ravi Raju, M. Lipasti
  • Computer Science, Mathematics
  • 2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)
  • 2020
TLDR: This paper proposes BlurNet, a defense against the RP2 attack, and motivates the defense with a frequency analysis of the first-layer feature maps of the network on the LISA dataset, which shows that high frequency noise is introduced into the input image by the RP2 algorithm.
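The low-pass intuition behind that defense can be illustrated with a minimal sketch that blurs each channel of a feature-map tensor independently. This is not the BlurNet implementation; the box filter, kernel size, and tensor shapes are assumptions for illustration only.

```python
import numpy as np
from scipy.ndimage import uniform_filter

def lowpass_feature_maps(feature_maps, size=3):
    """Apply a simple average (box) blur to each channel of a
    (channels, height, width) activation tensor, attenuating
    high-frequency content in the feature maps."""
    return np.stack([uniform_filter(fm, size=size) for fm in feature_maps])

# Illustrative use: smooth the first-layer activations of some network.
activations = np.random.randn(16, 32, 32)  # 16 channels of 32x32 maps
smoothed = lowpass_feature_maps(activations, size=3)
```
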
Impact of Spatial Frequency Based Constraints on Adversarial Robustness
TLDR: This work investigates the adversarial robustness of models that are enforced during training to leverage information from different spatial frequency ranges, and shows that this robustness is tightly linked to the spatial frequency characteristics of the data at stake.
Meta Adversarial Training
TLDR: Meta adversarial training (MAT) is proposed, a novel combination of adversarial training with meta-learning that meta-learns universal perturbations alongside model training and considerably increases robustness against universal patch attacks.
Generating Black-Box Adversarial Examples in Sparse Domain
TLDR: This paper proposes a novel approach for generating black-box attacks in the sparse domain, where the most important information of an image can be observed, and presents a theoretical proof connecting mean squared error and peak signal-to-noise ratio to the level of perturbation in the sparse domain.
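The mean squared error / peak signal-to-noise ratio relationship mentioned in that summary is the standard one rather than anything specific to the paper:

```latex
\mathrm{PSNR} = 10\,\log_{10}\!\left(\frac{\mathrm{MAX}_I^{2}}{\mathrm{MSE}}\right),
\qquad
\mathrm{MSE} = \frac{1}{mn}\sum_{i=1}^{m}\sum_{j=1}^{n}\bigl(I(i,j) - K(i,j)\bigr)^{2}
```

where I is the original image, K the perturbed image, and MAX_I the largest representable pixel value (255 for 8-bit images), so a larger perturbation (larger MSE) directly lowers PSNR.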
Projection & Probability-Driven Black-Box Attack
  • Jie Li, Rongrong Ji, +4 authors Q. Tian
  • Computer Science
  • 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)
  • 2020
TLDR: This paper proposes Projection & Probability-driven Black-box Attack (PPBA), a method to tackle the problem of generating adversarial examples in a black-box setting by reducing the solution space and providing better optimization.
You Only Query Once: Effective Black Box Adversarial Attacks with Minimal Repeated Queries
TLDR: It is shown that it is possible to craft (universal) adversarial perturbations in the black-box setting by querying a sequence of different images only once, which prevents detection based on a high number of similar queries and produces a perturbation that causes misclassification when applied to any input to the classifier.
On the Exploitability of Audio Machine Learning Pipelines to Surreptitious Adversarial Examples
TLDR: Surreptitious adversarial examples are introduced, a new class of attacks that evades both human and pipeline controls, and are shown to be more surreptitious than previous attacks that aim solely for imperceptibility.
Perception Improvement for Free: Exploring Imperceptible Black-box Adversarial Attacks on Image Classification
TLDR: To perceptually improve the image quality of black-box adversarial examples, this study proposes structure-aware adversarial attacks that generate adversarial images based on psychological perceptual models, allowing higher perturbations in perceptually insignificant regions while assigning little or no perturbation to visually sensitive regions.

References

Showing 1-10 of 41 references.
Defense Against Adversarial Attacks Using High-Level Representation Guided Denoiser
TLDR: A high-level representation guided denoiser (HGD) is proposed as a defense for image classification, using a loss function defined as the difference between the target model's outputs activated by the clean image and by the denoised image.
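A rough sketch of the objective described in that summary, in notation that is mine rather than the paper's: the denoiser D is trained so that a high-level layer f_l of the fixed target model responds similarly to the clean image x and to the denoised adversarial image,

```latex
L_{\mathrm{HGD}} \;=\; \bigl\lVert f_l(x) - f_l\bigl(D(x_{\mathrm{adv}})\bigr) \bigr\rVert_1 .
```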
Transferable Adversarial Perturbations
TLDR: It is shown that maximizing the distance between natural images and their adversarial examples in the intermediate feature maps can improve both white-box attacks (with knowledge of the model parameters) and black-box attacks, and that smooth regularization on adversarial perturbations enables transfer across models.
Mitigating adversarial effects through randomization
TLDR: This paper proposes to utilize randomization at inference time to mitigate adversarial effects, and uses two randomization operations: random resizing, which resizes the input images to a random size, and random padding, which pads zeros around the input image in a random manner.
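A minimal sketch of that inference-time transformation on a single (H, W, C) image; the specific sizes and the use of scipy here are illustrative assumptions, not the paper's exact settings.

```python
import numpy as np
from scipy.ndimage import zoom

def random_resize_and_pad(image, out_size=331):
    """Resize an (H, W, C) image to a random size between its original
    size and `out_size`, then zero-pad it at a random offset so the
    result is always `out_size` x `out_size`."""
    h, w, c = image.shape
    new_size = np.random.randint(h, out_size)  # random intermediate size
    scaled = zoom(image, (new_size / h, new_size / w, 1), order=1)
    canvas = np.zeros((out_size, out_size, c), dtype=image.dtype)
    top = np.random.randint(0, out_size - scaled.shape[0] + 1)
    left = np.random.randint(0, out_size - scaled.shape[1] + 1)
    canvas[top:top + scaled.shape[0], left:left + scaled.shape[1]] = scaled
    return canvas

# Illustrative use: randomize a 299x299 input before classification.
x = np.random.rand(299, 299, 3).astype(np.float32)
x_rand = random_resize_and_pad(x, out_size=331)
```
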
GenAttack: practical black-box attacks with gradient-free optimization
TLDR: GenAttack is introduced, a gradient-free optimization technique that uses genetic algorithms for synthesizing adversarial examples in the black-box setting and can successfully attack some state-of-the-art ImageNet defenses, including ensemble adversarial training and non-differentiable or randomized input transformations.
Towards the first adversarially robust neural network model on MNIST
TLDR: A novel robust classification model that performs analysis by synthesis using learned class-conditional data distributions is presented, and it is demonstrated that most adversarial examples are strongly perturbed towards the perceptual boundary between the original and the adversarial class.
Towards Deep Learning Models Resistant to Adversarial Attacks
TLDR: This work studies the adversarial robustness of neural networks through the lens of robust optimization, and suggests the notion of security against a first-order adversary as a natural and broad security guarantee.
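The robust-optimization view referenced in that summary is usually written as a saddle-point problem: the outer minimization fits the parameters θ while the inner maximization searches an ℓ∞ ball of radius ε around each training input,

```latex
\min_{\theta}\; \mathbb{E}_{(x,y)\sim\mathcal{D}}
\left[\, \max_{\lVert \delta \rVert_\infty \le \epsilon} L(\theta,\, x + \delta,\, y) \,\right].
```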
ZOO: Zeroth Order Optimization Based Black-box Attacks to Deep Neural Networks without Training Substitute Models
TLDR: An effective black-box attack that only has access to the input (images) and the output (confidence scores) of a targeted DNN is proposed, sparing the need for training substitute models and avoiding the loss in attack transferability.
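The core of such a score-based black-box attack is estimating gradients from confidence-score queries alone. The sketch below shows a symmetric finite-difference estimate along a single coordinate; the toy loss function and step size are placeholders, not the paper's attack.

```python
import numpy as np

def zoo_coordinate_gradient(loss_fn, x, index, h=1e-4):
    """Estimate the partial derivative of a black-box `loss_fn` at `x`
    along one flattened coordinate `index`, using only two queries."""
    e = np.zeros_like(x)
    e.flat[index] = h
    return (loss_fn(x + e) - loss_fn(x - e)) / (2 * h)

# Illustrative use with a toy "black-box" loss on an 8x8 input.
loss_fn = lambda z: float(np.sum(z ** 2))
x = np.random.rand(8, 8)
grad_0 = zoo_coordinate_gradient(loss_fn, x, index=0)
```
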
Towards Evaluating the Robustness of Neural Networks
TLDR: It is demonstrated that defensive distillation does not significantly increase the robustness of neural networks, and three new attack algorithms are introduced that succeed on both distilled and undistilled neural networks with 100% probability.
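The targeted L2 attack introduced in that paper is commonly written as a penalized minimization over the perturbation δ, with logits Z, target class t, trade-off constant c, and confidence margin κ:

```latex
\min_{\delta}\; \lVert \delta \rVert_2^2 + c \cdot f(x + \delta),
\qquad
f(x') = \max\!\Bigl(\max_{i \ne t} Z(x')_i - Z(x')_t,\; -\kappa\Bigr).
```

The paper additionally handles box constraints on the perturbed image via a change of variables.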
Ensemble Adversarial Training: Attacks and Defenses
TLDR: This work finds that adversarial training remains vulnerable to black-box attacks in which perturbations computed on undefended models are transferred to the defended model, and introduces a powerful novel single-step attack that escapes the non-smooth vicinity of the input data via a small random step.
Boosting Adversarial Attacks with Momentum
TLDR: A broad class of momentum-based iterative algorithms is proposed to boost adversarial attacks; integrating the momentum term into the iterative attack process stabilizes update directions and escapes poor local maxima during the iterations, resulting in more transferable adversarial examples.
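The momentum update summarized there accumulates an ℓ1-normalized gradient across iterations and then takes a sign step that is kept inside the ε-ball around the original input:

```latex
g_{t+1} = \mu\, g_t + \frac{\nabla_x L(x_t, y)}{\lVert \nabla_x L(x_t, y) \rVert_1},
\qquad
x_{t+1} = \mathrm{clip}_{x,\epsilon}\bigl(x_t + \alpha \cdot \mathrm{sign}(g_{t+1})\bigr).
```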