Guidance Through Surrogate: Toward a Generic Diagnostic Attack

Document Type

Article

Publication Title

IEEE Transactions on Neural Networks and Learning Systems

Abstract

Adversarial training (AT) is an effective approach to making deep neural networks robust against adversarial attacks. Recently, different AT defenses are proposed that not only maintain a high clean accuracy but also show significant robustness against popular and well-studied adversarial attacks, such as projected gradient descent (PGD). High adversarial robustness can also arise if an attack fails to find adversarial gradient directions, a phenomenon known as “gradient masking.” In this work, we analyze the effect of label smoothing on AT as one of the potential causes of gradient masking. We then develop a guided mechanism to avoid local minima during attack optimization, leading to a novel attack dubbed guided projected gradient attack (G-PGA). Our attack approach is based on a “match and deceive” loss that finds optimal adversarial directions through guidance from a surrogate model. Our modified attack does not require random restarts a large number of attack iterations or a search for optimal step size. Furthermore, our proposed G-PGA is generic, thus it can be combined with an ensemble attack strategy as we demonstrate in the case of auto-attack, leading to efficiency and convergence speed improvements. More than an effective attack, G-PGA can be used as a diagnostic tool to reveal elusive robustness due to gradient masking in adversarial defenses. IEEE

First Page

1

Last Page

12

DOI

10.1109/TNNLS.2022.3186278

Publication Date

7-11-2022

Keywords

Adversarial attack, Behavioral sciences, Computational modeling, gradient masking, guided optimization, image classification, label smoothing, Optimization, Perturbation methods, Robustness, Smoothing methods, Training, Air navigation, Behavioral research, Deep neural networks, Image classification, Perturbation techniques

Comments

IR Deposit conditions:

OA version (pathway a) Accepted version

No embargo

When accepted for publication, set statement to accompany deposit (see policy)

Must link to publisher version with DOI

Publisher copyright and source must be acknowledged

Share

COinS