
Perturbation analysis of gradient-based adversarial attacks

Utku Özbulak (UGent), Manvel Gasparyan (UGent), Wesley De Neve (UGent) and Arnout Van Messem (UGent)
(2020) PATTERN RECOGNITION LETTERS. 135. p.313-320
Abstract
After the discovery of adversarial examples and their adverse effects on deep learning models, many studies focused on finding more diverse methods to generate these carefully crafted samples. Although empirical results on the effectiveness of adversarial example generation methods against defense mechanisms are discussed in detail in the literature, an in-depth study of the theoretical properties and the perturbation effectiveness of these adversarial attacks has largely been lacking. In this paper, we investigate the objective functions of three popular methods for adversarial example generation: the L-BFGS attack, the Iterative Fast Gradient Sign attack, and Carlini & Wagner’s attack. Specifically, we perform a comparative and formal analysis of the loss functions underlying the aforementioned attacks while laying out large-scale experimental results on the ImageNet dataset. This analysis exposes (1) the faster optimization speed as well as the constrained optimization space of the cross-entropy loss, (2) the detrimental effects of using the signature of the cross-entropy loss on optimization precision as well as optimization space, and (3) the slow optimization speed of the logit loss in the context of adversariality. Our experiments reveal that the Iterative Fast Gradient Sign attack, which is thought to be fast for generating adversarial examples, is the worst attack in terms of the number of iterations required to create adversarial examples in the setting of equal perturbation. Moreover, our experiments show that the underlying loss function of Carlini & Wagner’s attack, which is criticized for being substantially slower than other adversarial attacks, is not that much slower than other loss functions. Finally, we analyze how well neural networks can identify adversarial perturbations generated by the attacks under consideration, hereby revisiting the idea of adversarial retraining on ImageNet.
Keywords
Signal Processing, Software, Artificial Intelligence, Computer Vision and Pattern Recognition, Adversarial attacks, Adversarial examples, Deep learning, Perturbation analysis


Citation

Please use this url to cite or link to this publication:

MLA
Özbulak, Utku, et al. “Perturbation Analysis of Gradient-Based Adversarial Attacks.” PATTERN RECOGNITION LETTERS, vol. 135, 2020, pp. 313–20, doi:10.1016/j.patrec.2020.04.034.
APA
Özbulak, U., Gasparyan, M., De Neve, W., & Van Messem, A. (2020). Perturbation analysis of gradient-based adversarial attacks. PATTERN RECOGNITION LETTERS, 135, 313–320. https://doi.org/10.1016/j.patrec.2020.04.034
Chicago author-date
Özbulak, Utku, Manvel Gasparyan, Wesley De Neve, and Arnout Van Messem. 2020. “Perturbation Analysis of Gradient-Based Adversarial Attacks.” PATTERN RECOGNITION LETTERS 135: 313–20. https://doi.org/10.1016/j.patrec.2020.04.034.
Chicago author-date (all authors)
Özbulak, Utku, Manvel Gasparyan, Wesley De Neve, and Arnout Van Messem. 2020. “Perturbation Analysis of Gradient-Based Adversarial Attacks.” PATTERN RECOGNITION LETTERS 135: 313–320. doi:10.1016/j.patrec.2020.04.034.
Vancouver
1. Özbulak U, Gasparyan M, De Neve W, Van Messem A. Perturbation analysis of gradient-based adversarial attacks. PATTERN RECOGNITION LETTERS. 2020;135:313–20.
IEEE
[1] U. Özbulak, M. Gasparyan, W. De Neve, and A. Van Messem, “Perturbation analysis of gradient-based adversarial attacks,” PATTERN RECOGNITION LETTERS, vol. 135, pp. 313–320, 2020.
@article{8663504,
  abstract     = {After the discovery of adversarial examples and their adverse effects on deep learning models, many studies focused on finding more diverse methods to generate these carefully crafted samples. Although empirical results on the effectiveness of adversarial example generation methods against defense mechanisms are discussed in detail in the literature, an in-depth study of the theoretical properties and the perturbation effectiveness of these adversarial attacks has largely been lacking. In this paper, we investigate the objective functions of three popular methods for adversarial example generation: the L-BFGS attack, the Iterative Fast Gradient Sign attack, and Carlini & Wagner’s attack. Specifically, we perform a comparative and formal analysis of the loss functions underlying the aforementioned attacks while laying out large-scale experimental results on the ImageNet dataset. This analysis exposes (1) the faster optimization speed as well as the constrained optimization space of the cross-entropy loss, (2) the detrimental effects of using the signature of the cross-entropy loss on optimization precision as well as optimization space, and (3) the slow optimization speed of the logit loss in the context of adversariality. Our experiments reveal that the Iterative Fast Gradient Sign attack, which is thought to be fast for generating adversarial examples, is the worst attack in terms of the number of iterations required to create adversarial examples in the setting of equal perturbation. Moreover, our experiments show that the underlying loss function of Carlini & Wagner’s attack, which is criticized for being substantially slower than other adversarial attacks, is not that much slower than other loss functions. Finally, we analyze how well neural networks can identify adversarial perturbations generated by the attacks under consideration, hereby revisiting the idea of adversarial retraining on ImageNet.},
  author       = {Özbulak, Utku and Gasparyan, Manvel and De Neve, Wesley and Van Messem, Arnout},
  issn         = {0167-8655},
  journal      = {PATTERN RECOGNITION LETTERS},
  keywords     = {Signal Processing,Software,Artificial Intelligence,Computer Vision and Pattern Recognition,Adversarial attacks,Adversarial examples,Deep learning,Perturbation analysis},
  language     = {eng},
  pages        = {313--320},
  title        = {Perturbation analysis of gradient-based adversarial attacks},
  url          = {http://dx.doi.org/10.1016/j.patrec.2020.04.034},
  volume       = {135},
  year         = {2020},
}
