Is FGSM Optimal or Necessary for L∞ Adversarial Attack?

Cited 0 time in webofscience Cited 0 time in scopus
  • Hit : 124
  • Download : 0
Due to its simplicity and efficiency, the fast gradient sign method (FGSM) has been widely used in L∞ norm-bounded adversarial attack. Its iterative variant I-FGSM has become the de facto standard practice of performing a strong attack but suffers from a low transfer rate. Momentum-based iterative FGSM, i.e. MI-FGSM, is the first technique for boosting the transferability of I-FGSM. In this work, we identify two drawbacks of MI-FGSM: inducing higher average pixel discrepancy (APD) to the image as well as making the current iteration update overly dependent on the historical gradients. They increase the perturbation visibility as well as limit the potential of even higher transferability. We revisit why momentum improves the transferability and attribute it to alleviating the unreliable sign directions for the small gradient values. This unreliable sign direction problem occurs because the sign operation in FGSM maps all positive and negative gradient values to 1 and -1, respectively while ignoring their actual values. To this end, we propose a new momentum-free iterative method that processes the gradient with a generalizable Cut&Norm operation instead of a sign operation. In a wide range of attack setups, our approach consistently outperforms existing MI-FGSM by a large margin for white-box and black-box attacks in both non-targeted and targeted settings.
Publisher
Computer Vision Foundation (CVF), IEEE Computer Society
Issue Date
2021-06-19
Language
English
Citation

Workshop on Adversarial Machine Learning in Real-World Computer Vision Systems and Online Challenges (AML-CV)

URI
http://hdl.handle.net/10203/289127
Appears in Collection
EE-Conference Papers(학술회의논문)
Files in This Item
There are no files associated with this item.

qr_code

  • mendeley

    citeulike


rss_1.0 rss_2.0 atom_1.0