LG · CV · Mar 1, 2021

Mind the box: $l_1$-APGD for sparse adversarial attacks on image classifiers

arXiv:2103.01208v3 · 71 citations
AI Analysis

This paper addresses the need for more accurate adversarial robustness evaluation in machine learning security, particularly for sparse attacks, though it is incremental in that it builds on prior PGD methods.

The paper tackles the problem of sparse adversarial attacks on image classifiers by showing that existing $l_1$-PGD attacks are suboptimal when considering the image domain $[0,1]^d$, and proposes $l_1$-APGD, which improves performance and leads to state-of-the-art $l_1$-robustness through adversarial training.

We show that when taking into account also the image domain $[0,1]^d$, established $l_1$-projected gradient descent (PGD) attacks are suboptimal as they do not consider that the effective threat model is the intersection of the $l_1$-ball and $[0,1]^d$. We study the expected sparsity of the steepest descent step for this effective threat model and show that the exact projection onto this set is computationally feasible and yields better performance. Moreover, we propose an adaptive form of PGD which is highly effective even with a small budget of iterations. Our resulting $l_1$-APGD is a strong white-box attack showing that prior works overestimated their $l_1$-robustness. Using $l_1$-APGD for adversarial training we get a robust classifier with SOTA $l_1$-robustness. Finally, we combine $l_1$-APGD and an adaptation of the Square Attack to $l_1$ into $l_1$-AutoAttack, an ensemble of attacks which reliably assesses adversarial robustness for the threat model of $l_1$-ball intersected with $[0,1]^d$.
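The gap between the $l_1$-ball and the effective threat model can be seen on a four-pixel input. The sketch below is an added example, not the authors' code: it uses a closed form derived here from the KKT conditions of the projection problem, and `project`, `_shrink`, `l1_dist` and the sample values are hypothetical names and constructed data. It compares the exact projection onto the intersection with the common baseline of projecting onto the $l_1$-ball and then clipping to $[0,1]^d$.

```python
import math

def _shrink(a, caps, eps):
    """Magnitudes min(max(a_i - lam, 0), cap_i) for the smallest lam >= 0 with sum <= eps."""
    def g(lam):  # l1 norm after shrinking by lam and capping; piecewise linear, non-increasing
        return sum(min(max(ai - lam, 0.0), ci) for ai, ci in zip(a, caps))
    lam = 0.0
    if g(0.0) > eps:
        # Kinks of g sit at a_i and a_i - cap_i. Evaluating g per knot is O(d^2);
        # a single sorted sweep would bring this to O(d log d).
        knots = sorted({0.0, *a, *(ai - ci for ai, ci in zip(a, caps) if ai - ci > 0)})
        for lo, hi in zip(knots, knots[1:]):
            g_lo, g_hi = g(lo), g(hi)
            if g_hi <= eps <= g_lo:  # crossing segment: interpolate linearly
                lam = hi if g_lo == g_hi else lo + (g_lo - eps) * (hi - lo) / (g_lo - g_hi)
                break
    return [min(max(ai - lam, 0.0), ci) for ai, ci in zip(a, caps)]

def project(x, u, eps, use_box):
    """Map u to a point within l1 distance eps of x and inside [0,1]^d.
    use_box=True: exact projection onto the intersection.
    use_box=False: l1-ball projection followed by clipping (baseline)."""
    w = [ui - xi for ui, xi in zip(u, x)]                 # requested perturbation
    sign = [1.0 if wi >= 0 else -1.0 for wi in w]
    room = [(1.0 - xi) if s > 0 else xi for xi, s in zip(x, sign)]  # slack to the box
    caps = room if use_box else [math.inf] * len(x)
    mags = _shrink([abs(wi) for wi in w], caps, eps)
    # The clip is a no-op for the exact projection; for the baseline it discards budget.
    return [min(max(xi + s * m, 0.0), 1.0) for xi, s, m in zip(x, sign, mags)]

def l1_dist(x, z):
    return sum(abs(zi - xi) for xi, zi in zip(x, z))

# Constructed sample: a 4-pixel "image" with two pixels at or near the box boundary.
X = [0.9, 0.5, 0.2, 0.0]
U = [1.7, 0.8, 0.1, -0.4]   # point produced by an unconstrained gradient step
EPS = 0.4

if __name__ == "__main__":
    for name, use_box in (("l1-ball then clip", False), ("exact intersection", True)):
        z = project(X, U, EPS, use_box)
        print(f"{name:20s} z={[round(v, 3) for v in z]} l1={l1_dist(X, z):.3f}")
```

On this input the baseline ends up using only a quarter of the allowed $l_1$ budget, which is the kind of weakened attack that makes a model look more robust than it is.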
