Evading Defenses to Transferable Adversarial Examples by Translation-Invariant Attacks
Deep neural networks are vulnerable to adversarial examples, which can mislead classifiers by adding imperceptible perturbations. An intriguing property of adversarial examples is their good transferability, making black-box attacks feasible in real-world applications. Due to the threat of adversari...
Saved in:
| Published in: | Proceedings (IEEE Computer Society Conference on Computer Vision and Pattern Recognition. Online) pp. 4307 - 4316 |
|---|---|
| Main Authors: | , , , |
| Format: | Conference Proceeding |
| Language: | English |
| Published: |
IEEE
01.06.2019
|
| Subjects: | |
| ISSN: | 1063-6919 |
| Online Access: | Get full text |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Abstract | Deep neural networks are vulnerable to adversarial examples, which can mislead classifiers by adding imperceptible perturbations. An intriguing property of adversarial examples is their good transferability, making black-box attacks feasible in real-world applications. Due to the threat of adversarial attacks, many methods have been proposed to improve the robustness. Several state-of-the-art defenses are shown to be robust against transferable adversarial examples. In this paper, we propose a translation-invariant attack method to generate more transferable adversarial examples against the defense models. By optimizing a perturbation over an ensemble of translated images, the generated adversarial example is less sensitive to the white-box model being attacked and has better transferability. To improve the efficiency of attacks, we further show that our method can be implemented by convolving the gradient at the untranslated image with a pre-defined kernel. Our method is generally applicable to any gradient-based attack method. Extensive experiments on the ImageNet dataset validate the effectiveness of the proposed method. Our best attack fools eight state-of-the-art defenses at an 82% success rate on average based only on the transferability, demonstrating the insecurity of the current defense techniques. |
|---|---|
| AbstractList | Deep neural networks are vulnerable to adversarial examples, which can mislead classifiers by adding imperceptible perturbations. An intriguing property of adversarial examples is their good transferability, making black-box attacks feasible in real-world applications. Due to the threat of adversarial attacks, many methods have been proposed to improve the robustness. Several state-of-the-art defenses are shown to be robust against transferable adversarial examples. In this paper, we propose a translation-invariant attack method to generate more transferable adversarial examples against the defense models. By optimizing a perturbation over an ensemble of translated images, the generated adversarial example is less sensitive to the white-box model being attacked and has better transferability. To improve the efficiency of attacks, we further show that our method can be implemented by convolving the gradient at the untranslated image with a pre-defined kernel. Our method is generally applicable to any gradient-based attack method. Extensive experiments on the ImageNet dataset validate the effectiveness of the proposed method. Our best attack fools eight state-of-the-art defenses at an 82% success rate on average based only on the transferability, demonstrating the insecurity of the current defense techniques. |
| Author | Dong, Yinpeng Zhu, Jun Su, Hang Pang, Tianyu |
| Author_xml | – sequence: 1 givenname: Yinpeng surname: Dong fullname: Dong, Yinpeng organization: Tsinghua Univ – sequence: 2 givenname: Tianyu surname: Pang fullname: Pang, Tianyu organization: Tsinghua Univ – sequence: 3 givenname: Hang surname: Su fullname: Su, Hang organization: Tsinghua Univiersity – sequence: 4 givenname: Jun surname: Zhu fullname: Zhu, Jun organization: Tsinghua Univ |
| BookMark | eNotzEFLwzAYgOEoCs7Zswcv_QOt35ekTXIcc9PBQJGy60iaL1LtstGU4f69yjy9l4f3ll3FfSTG7hFKRDCP883be8kBTQkgpbxgmVEaFdcouBH6kk0QalHUBs0Ny1L6BADBEWujJ2yzOFrfxY_8iQLFRCkf93kz2JgCDdb1lM_8kYZkh872-eLb7g79L3KnM-rt2O1jsYrHPxDHfDaOtv1Kd-w62D5R9t8pa5aLZv5SrF-fV_PZuug4iLFofQCjCCoKlVfBKg6V4TK0nDjVTimnW_StQ3COhMBgpJdKAPcaaynElD2ctx0RbQ9Dt7PDaatNJSSvxA_zQ1Pi |
| ContentType | Conference Proceeding |
| DBID | 6IE 6IH CBEJK RIE RIO |
| DOI | 10.1109/CVPR.2019.00444 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Proceedings Order Plan (POP) 1998-present by volume IEEE Xplore All Conference Proceedings IEEE/IET Electronic Library IEEE Proceedings Order Plans (POP) 1998-present |
| DatabaseTitleList | |
| Database_xml | – sequence: 1 dbid: RIE name: IEEE/IET Electronic Library url: https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Applied Sciences |
| EISBN | 9781728132938 1728132932 |
| EISSN | 1063-6919 |
| EndPage | 4316 |
| ExternalDocumentID | 8953425 |
| Genre | orig-research |
| GroupedDBID | 6IE 6IH 6IL 6IN AAWTH ABLEC ADZIZ ALMA_UNASSIGNED_HOLDINGS BEFXN BFFAM BGNUA BKEBE BPEOZ CBEJK CHZPO IEGSK IJVOP OCL RIE RIL RIO |
| ID | FETCH-LOGICAL-i203t-cdf097e05ef5d7fa7205924fc2e2e6b77b8c1dcb10bbe331f94d47302d816433 |
| IEDL.DBID | RIE |
| ISICitedReferencesCount | 693 |
| ISICitedReferencesURI | http://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=Summon&SrcAuth=ProQuest&DestLinkType=CitingArticles&DestApp=WOS_CPL&KeyUT=000529484004050&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| IngestDate | Wed Aug 27 07:44:55 EDT 2025 |
| IsPeerReviewed | false |
| IsScholarly | true |
| Language | English |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-i203t-cdf097e05ef5d7fa7205924fc2e2e6b77b8c1dcb10bbe331f94d47302d816433 |
| PageCount | 10 |
| ParticipantIDs | ieee_primary_8953425 |
| PublicationCentury | 2000 |
| PublicationDate | 2019-June |
| PublicationDateYYYYMMDD | 2019-06-01 |
| PublicationDate_xml | – month: 06 year: 2019 text: 2019-June |
| PublicationDecade | 2010 |
| PublicationTitle | Proceedings (IEEE Computer Society Conference on Computer Vision and Pattern Recognition. Online) |
| PublicationTitleAbbrev | CVPR |
| PublicationYear | 2019 |
| Publisher | IEEE |
| Publisher_xml | – name: IEEE |
| SSID | ssj0003211698 |
| Score | 2.6493142 |
| Snippet | Deep neural networks are vulnerable to adversarial examples, which can mislead classifiers by adding imperceptible perturbations. An intriguing property of... |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 4307 |
| SubjectTerms | Categorization Codes Computational modeling Computer vision Deep learning Glass box Kernel Pattern recognition Perturbation methods Recognition: Detection Retrieval Robustness Security |
| Title | Evading Defenses to Transferable Adversarial Examples by Translation-Invariant Attacks |
| URI | https://ieeexplore.ieee.org/document/8953425 |
| WOSCitedRecordID | wos000529484004050&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1LSwMxEA5t8eCpaiu-ycGjsbt5bJKj1BYFKUVK6a1skgn0spXuKvrvTXaXiuDFWwhDApMZ5pH5ZhC69Zk2SntBpANHuNOG5Kk0RGUCRBZCElrnO5YvcjZTq5Wed9DdHgsDAHXxGdzHZf2X77b2PabKRkoLFmSsi7pSygartc-nsBDJZFq13XvSRI_Gy_lrrN2KDSk557_Gp9TWY9r_371HaPgDw8PzvYE5Rh0oTlC_9Rtxq5XlAC2DOxwp8CP4EJVCiastro1QOCVCo3A9drnMo7DhyWceOwKX2Hw1RE01HHkuPiJBUeGHqorI-yFaTCeL8RNp5yWQDU1YRazziZaQCPDCSZ9LGnwnyr2lQCEzUhplU2dNmhgDjKVec8eDhlOnQtDE2CnqFdsCzhA2TBhhjaYqtRxklhuXGx54rI1Orc7P0SByaf3WdMRYtwy6-Hv7Eh3GZ2gKrK5Qr9q9wzU6sB_Vptzd1M_4DSp3oIM |
| linkProvider | IEEE |
| linkToHtml | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1LSwMxEA61Cnqq2opvc_Bo7G4em81RtKXFWoqU0lvZJLPQy1a626L_3mR3qQhevIUwJDCZYR6Zbwah-zRSOlapINKCJdwqTZJQahJHAkTkQhJa5jtmIzkex_O5mjTQww4LAwBl8Rk8-mX5l29XZuNTZd1YCeZkbA_tC85pWKG1dhkV5mKZSMV1_54wUN3n2eTdV2_5lpSc818DVEr70W_97-Zj1PkB4uHJzsScoAZkp6hVe4641su8jWbOIfYU-AVSF5dCjosVLs2QO8WDo3A5eDlPvLjh3mfiewLnWH9VRFU9HBlmW0-QFfipKDz2voOm_d70eUDqiQlkSQNWEGPTQEkIBKTCyjSR1HlPlKeGAoVIS6ljE1qjw0BrYCxMFbfc6Ti1sQubGDtDzWyVwTnCmgktjFY0Dg0HGSXaJpo7HiutQqOSC9T2XFp8VD0xFjWDLv_evkOHg-nbaDEajl-v0JF_kqrc6ho1i_UGbtCB2RbLfH1bPuk3sDyjyg |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=proceeding&rft.title=Proceedings+%28IEEE+Computer+Society+Conference+on+Computer+Vision+and+Pattern+Recognition.+Online%29&rft.atitle=Evading+Defenses+to+Transferable+Adversarial+Examples+by+Translation-Invariant+Attacks&rft.au=Dong%2C+Yinpeng&rft.au=Pang%2C+Tianyu&rft.au=Su%2C+Hang&rft.au=Zhu%2C+Jun&rft.date=2019-06-01&rft.pub=IEEE&rft.eissn=1063-6919&rft.spage=4307&rft.epage=4316&rft_id=info:doi/10.1109%2FCVPR.2019.00444&rft.externalDocID=8953425 |