Timezone: »

 
Fast Minimum-norm Adversarial Attacks through Adaptive Norm Constraints
Maura Pintor · Fabio Roli · Wieland Brendel · Battista Biggio

@
in A Blessing in Disguise: The Prospects and Perils of Adversarial Machine Learning »
Evaluating adversarial robustness amounts to finding the minimum perturbation needed to have an input sample misclassified. The inherent complexity of the underlying optimization requires current gradient-based attacks to be carefully tuned, initialized, and possibly executed for many computationally-demanding iterations, even if specialized to a given perturbation model. In this work, we overcome these limitations by proposing a fast minimum-norm (FMN) attack that works with different $\ell_p$-norm perturbation models ($p=0, 1, 2, \infty$), is robust to hyperparameter choices, does not require adversarial starting points, and converges within few lightweight steps. It works by iteratively finding the sample misclassified with maximum confidence within an $\ell_p$-norm constraint of size $\epsilon$, while adapting $\epsilon$ to minimize the distance of the current sample to the decision boundary. Extensive experiments show that FMN significantly outperforms existing attacks in terms of convergence speed and computation time, while reporting comparable or even smaller perturbation sizes.

Author Information

Maura Pintor (University of Cagliari)

Maura Pintor is a Postdoctoral Researcher at the PRA Lab, in the Department of Electrical and Electronic Engineering of the University of Cagliari, Italy. She received the MSc degree in Telecommunications Engineering with honors in 2018 and the PhD degree in Electronic and Computer Engineering from the University of Cagliari in 2022. Her PhD thesis, "Towards Debugging and Improving Adversarial Robustness Evaluations", provides a framework for optimizing and debugging adversarial attacks. She is co-author of the paper "Why Do Adversarial Attacks Transfer? Explaining Transferability of Evasion and Poisoning Attacks", accepted at USENIX Sec. 2019, and of the paper "Fast Minimum-norm Adversarial Attacks through Adaptive Norm Constraints", accepted at NeurIPS 2021. She was a visiting student at Eberhard Karls Universitaet Tuebingen from March to June 2020. She has collaborated with Pluribus One in the EU H2020 projects ALOHA and AssureMOSS.

Fabio Roli (University of Cagliari)
Wieland Brendel (University of Tübingen)
Battista Biggio (University of Cagliari, Italy)

More from the Same Authors