Transferable Sparse Adversarial Attack
This addresses the challenge of creating efficient and transferable adversarial attacks for security testing of deep neural networks, representing an incremental advance in attack methods.
The paper tackles the problem of low transferability in sparse adversarial attacks under black-box conditions by introducing a generator architecture that decouples perturbations into amplitude and position components, achieving a large improvement in transferability and a 700× faster inference speed compared to state-of-the-art methods.
Deep neural networks have shown their vulnerability to adversarial attacks. In this paper, we focus on sparse adversarial attack based on the $\ell_0$ norm constraint, which can succeed by only modifying a few pixels of an image. Despite a high attack success rate, prior sparse attack methods achieve a low transferability under the black-box protocol due to overfitting the target model. Therefore, we introduce a generator architecture to alleviate the overfitting issue and thus efficiently craft transferable sparse adversarial examples. Specifically, the generator decouples the sparse perturbation into amplitude and position components. We carefully design a random quantization operator to optimize these two components jointly in an end-to-end way. The experiment shows that our method has improved the transferability by a large margin under a similar sparsity setting compared with state-of-the-art methods. Moreover, our method achieves superior inference speed, 700$\times$ faster than other optimization-based methods. The code is available at https://github.com/shaguopohuaizhe/TSAA.