Transform-Dependent Adversarial Attacks
This work addresses a security issue in deep learning systems by revealing a previously overlooked vulnerability, with potential applications in defense mechanisms, though it is incremental in that it builds on existing adversarial attack methods.
The paper addresses deep networks' vulnerability to adversarial attacks by introducing transform-dependent adversarial attacks, which exploit the dependence of adversarial perturbations on image transforms to achieve diverse adversarial effects. These attacks outperform state-of-the-art transfer attacks by 17-31% in blackbox scenarios.
Deep networks are highly vulnerable to adversarial attacks, yet conventional attack methods utilize static adversarial perturbations that induce fixed mispredictions. In this work, we exploit an overlooked property of adversarial perturbations--their dependence on image transforms--and introduce transform-dependent adversarial attacks. Unlike traditional attacks, our perturbations exhibit metamorphic properties, enabling diverse adversarial effects as a function of transformation parameters. We demonstrate that this transform-dependent vulnerability exists across different architectures (e.g., CNN and transformer), vision tasks (e.g., image classification and object detection), and a wide range of image transforms. Additionally, we show that transform-dependent perturbations can serve as a defense mechanism, preventing sensitive information disclosure when image enhancement transforms pose a risk of revealing private content. Through analysis in blackbox and defended model settings, we show that transform-dependent perturbations achieve high targeted attack success rates, outperforming state-of-the-art transfer attacks by 17-31% in blackbox scenarios. Our work introduces a novel, controllable paradigm for adversarial attack deployment, revealing a previously overlooked vulnerability in deep networks.