LG · ML · Apr 27, 2020

Transferable Perturbations of Deep Feature Distributions

arXiv:2004.12519v1 · 101 citations
AI Analysis

This work addresses the vulnerability of CNN classifiers to adversarial attacks, with a focus on explainability and transferability, though it is incremental in building upon existing attack methods.

The paper tackles the problem of adversarial attacks on CNN classifiers by modeling and exploiting deep feature distributions, achieving state-of-the-art targeted blackbox transfer-based attack results on undefended ImageNet models.

Almost all current adversarial attacks of CNN classifiers rely on information derived from the output layer of the network. This work presents a new adversarial attack based on the modeling and exploitation of class-wise and layer-wise deep feature distributions. We achieve state-of-the-art targeted blackbox transfer-based attack results for undefended ImageNet models. Further, we place a priority on explainability and interpretability of the attacking process. Our methodology affords an analysis of how adversarial attacks change the intermediate feature distributions of CNNs, as well as a measure of layer-wise and class-wise feature distributional separability/entanglement. We also conceptualize a transition from task/data-specific to model-specific features within a CNN architecture that directly impacts the transferability of adversarial examples.
