CV, CR, LG. Dec 12, 2022

Carpet-bombing patch: attacking a deep network without usual requirements

arXiv:2212.05827v1. 1 citations. h-index: 11
Originality: Incremental advance
AI Analysis

This work addresses safety issues in deep learning by demonstrating a more accessible attack method, though it is incremental as it builds on existing literature to reduce attack requirements.

The paper tackles the problem of evasion attacks on deep networks by introducing a carpet-bombing patch attack that requires almost no prior knowledge, such as the network's task, and results in decreased accuracy on ImageNet, mAP on Pascal VOC, and IoU on Cityscapes.

Although deep networks have shown vulnerability to evasion attacks, such attacks usually have unrealistic requirements. Recent literature has discussed whether some of these requirements can be removed. This paper contributes to this literature by introducing a carpet-bombing patch attack which has almost no requirements. Targeting the feature representations, this patch attack does not require knowing the network task. This attack decreases accuracy on ImageNet, mAP on Pascal VOC, and IoU on Cityscapes without being aware that the underlying tasks involved classification, detection or semantic segmentation, respectively. Beyond the potential safety issues raised by this attack, the impact of the carpet-bombing attack highlights some interesting properties of deep network layer dynamics.
