Adversarial Pixel Restoration as a Pretext Task for Transferable Perturbations
This addresses the challenge of generating adversarial attacks without relying on labeled data or extensive datasets, though it is incremental as it builds on existing unsupervised training methods.
The paper tackles the problem of transferable adversarial attacks requiring a pretrained surrogate model by proposing Adversarial Pixel Restoration, a self-supervised method to train an effective surrogate from scratch with no labels and few data, improving transferability by 16.4% on ImageNet.
Transferable adversarial attacks optimize adversaries from a pretrained surrogate model and known label space to fool the unknown black-box models. Therefore, these attacks are restricted by the availability of an effective surrogate model. In this work, we relax this assumption and propose Adversarial Pixel Restoration as a self-supervised alternative to train an effective surrogate model from scratch under the condition of no labels and few data samples. Our training approach is based on a min-max scheme which reduces overfitting via an adversarial objective and thus optimizes for a more generalizable surrogate model. Our proposed attack is complimentary to the adversarial pixel restoration and is independent of any task specific objective as it can be launched in a self-supervised manner. We successfully demonstrate the adversarial transferability of our approach to Vision Transformers as well as Convolutional Neural Networks for the tasks of classification, object detection, and video segmentation. Our training approach improves the transferability of the baseline unsupervised training method by 16.4% on ImageNet val. set. Our codes & pre-trained surrogate models are available at: https://github.com/HashmatShadab/APR