Stochastic sparse adversarial attacks
This work provides a new method for generating sparse adversarial attacks, which is an important problem for understanding and improving the robustness of neural networks.
This paper introduces Stochastic Sparse Adversarial Attacks (SSAA), a new class of noise-based targeted and untargeted attacks for neural network classifiers. On ImageNet, one variant, Voting Folded Gaussian Attack (VFGA), achieves an L0 score up to 2/5 lower than SparseFool while being faster, and also outperforms Sparse-RS in L0 score when both are fully successful.
This paper introduces stochastic sparse adversarial attacks (SSAA), standing as simple, fast and purely noise-based targeted and untargeted attacks of neural network classifiers (NNC). SSAA offer new examples of sparse (or $L_0$) attacks for which only few methods have been proposed previously. These attacks are devised by exploiting a small-time expansion idea widely used for Markov processes. Experiments on small and large datasets (CIFAR-10 and ImageNet) illustrate several advantages of SSAA in comparison with the-state-of-the-art methods. For instance, in the untargeted case, our method called Voting Folded Gaussian Attack (VFGA) scales efficiently to ImageNet and achieves a significantly lower $L_0$ score than SparseFool (up to $\frac{2}{5}$) while being faster. Moreover, VFGA achieves better $L_0$ scores on ImageNet than Sparse-RS when both attacks are fully successful on a large number of samples.