CV | AI | Jun 30, 2025

Concept-based Adversarial Attack: a Probabilistic Perspective

arXiv:2507.02965v1 | h-index: 2
Originality: Incremental advance
AI Analysis

This work addresses adversarial robustness in machine learning by enabling attacks that manipulate concepts rather than individual images. It is an incremental advance because it builds on existing adversarial attack methods.

The paper tackles the problem of generating adversarial examples by extending attacks from single images to entire concepts using a probabilistic framework, resulting in more diverse adversarial examples that preserve the original concept with higher attack efficiency.

We propose a concept-based adversarial attack framework that extends beyond single-image perturbations by adopting a probabilistic perspective. Rather than modifying a single image, our method operates on an entire concept -- represented by a probabilistic generative model or a set of images -- to generate diverse adversarial examples. Preserving the concept is essential, as it ensures that the resulting adversarial images remain identifiable as instances of the original underlying category or identity. By sampling from this concept-based adversarial distribution, we generate images that maintain the original concept but vary in pose, viewpoint, or background, thereby misleading the classifier. Mathematically, this framework remains consistent with traditional adversarial attacks in a principled manner. Our theoretical and empirical results demonstrate that concept-based adversarial attacks yield more diverse adversarial examples and effectively preserve the underlying concept, while achieving higher attack efficiency.
