QuadAttack: A Quadratic Programming Approach to Ordered Top-K Attacks

Thomas Paniagua, Ryan Grainger, Tianfu Wu
2023-12-12
Abstract: The adversarial vulnerability of Deep Neural Networks (DNNs) is well known and widely studied, often in the context of learning top-$1$ attacks (e.g., fooling a DNN into classifying a cat image as a dog). This paper shows that the concern is much more serious by learning significantly more aggressive ordered top-$K$ clear-box targeted attacks, as proposed in Adversarial Distillation. (These are often referred to as white/black-box attacks in the literature; this paper adopts the neutral terminology clear/opaque-box attacks and omits the prefix clear-box for simplicity.) We propose a novel and rigorous quadratic programming (QP) method of learning ordered top-$K$ attacks with low computing cost, dubbed **QuadAttac$K$**. Our QuadAttac$K$ directly solves the QP to satisfy the attack constraint in the feature embedding space (i.e., the input space to the final linear classifier), which thus exploits the semantics of the feature embedding space (i.e., the principle of class coherence). With the optimized feature embedding vector perturbation, it then computes the adversarial perturbation in the data space via vanilla one-step back-propagation. In experiments, the proposed QuadAttac$K$ is tested on ImageNet-1k classification using ResNet-50, DenseNet-121, and Vision Transformers (ViT-B and DEiT-S). It successfully pushes the boundary of successful ordered top-$K$ attacks from $K=10$ up to $K=20$ at a cheap budget ($1\times 60$) and further improves attack success rates for $K=5$ for all tested models, while retaining the performance for $K=1$.
Cryptography and Security, Machine Learning
What problem does this paper attempt to address?

### What problem does this paper attempt to solve?

This paper addresses an important problem in adversarial attacks on deep neural networks (DNNs): **ordered Top-K adversarial attacks**. Specifically, it proposes a new method, **QuadAttacK**, for learning more aggressive and demanding ordered Top-K adversarial attacks.

#### Background and problem description

1. **Background of adversarial attacks**:
   - Deep neural networks are vulnerable to adversarial attacks: tiny, visually imperceptible perturbations of the input cause the model to make incorrect predictions.
   - Most current research focuses on **Top-1 attacks**, where the perturbation makes the model misclassify the input as one specific target class.
   - **Ordered Top-K attacks** are more demanding: the model must not only rank K specified target classes at the top of its prediction, but rank them in a preset order.
2. **Limitations of existing methods**:
   - Existing adversarial attack methods (such as the C&W method and the adversarial distillation method) often fail for K greater than 10 and cannot effectively generate ordered Top-K adversarial examples.
   - These methods usually rely on hand-designed surrogate loss functions, which may cause consistency and accuracy problems during optimization.
3. **Research motivation**:
   - Existing methods perform poorly for larger values of K, especially under a limited computing budget.
   - Raising the attack success rate and scaling to larger K requires a more effective optimization method for generating ordered Top-K adversarial examples.

#### Proposed method

The paper proposes **QuadAttacK**, a method based on quadratic programming (QP), to solve the above problems:

1. **Optimization objective**:
   - **Direct optimization in the feature embedding space**: minimize the Euclidean distance of the feature embedding vector perturbation rather than the norm of the perturbation in the data space, so as to exploit the semantic information in the feature embedding space.
   - **Linear constraints**: express the ordered Top-K requirement as linear constraints and solve them with a QP solver.
2. **Specific steps**:
   - **Step 1**: use a QP solver in the feature embedding space to find the optimal feature vector that satisfies the ordered Top-K constraints.
   - **Step 2**: from the optimized feature vector, compute the perturbation in the data space through back-propagation and generate the final adversarial example.

#### Experimental results

The paper evaluates on the ImageNet-1k dataset with several models: ResNet-50, DenseNet-121, and Vision Transformers (ViT-B and DEiT-S). The results show that QuadAttacK can generate ordered Top-K adversarial examples with K = 20 at a lower computational cost, significantly improves the attack success rate for K = 5, and retains the performance for K = 1.

### Summary

By proposing QuadAttacK, this paper overcomes the limitations of existing adversarial attack methods for larger values of K, provides a more effective and reliable method for generating ordered Top-K adversarial examples, and advances adversarial attack research.
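To make the two-step scheme concrete, the following toy (added here; not code from the paper or its authors) shows how an ordered Top-K requirement on the logits of a final linear classifier becomes a set of linear inequalities on the feature embedding vector, solves the resulting QP for the closest feasible feature vector, and performs a one-step back-propagation through an assumed linear feature extractor. The 6-class/8-feature/16-input model, the per-rank margin, the dual projected-gradient solver and the linear extractor are all constructed assumptions; the paper's own QP formulation and solver may differ.

```python
import numpy as np

def ordered_topk_constraints(W, b, targets, margin=0.1):
    """Encode 'the classes in `targets` are ranked first, in this order' as A z >= c
    for logits W z + b. `margin` is an assumed slack between consecutive ranks."""
    rows, rhs = [], []
    for hi, lo in zip(targets[:-1], targets[1:]):         # t_i must beat t_{i+1}
        rows.append(W[hi] - W[lo]); rhs.append(margin - (b[hi] - b[lo]))
    last = targets[-1]
    for j in range(W.shape[0]):                           # t_K must beat every non-target
        if j not in targets:
            rows.append(W[last] - W[j]); rhs.append(margin - (b[last] - b[j]))
    return np.array(rows), np.array(rhs)

def solve_qp_dual(z, A, c, iters=20000):
    """min 1/2||z'-z||^2 s.t. A z' >= c (constructed solver): projected gradient
    ascent on the dual. KKT gives z' = z + A^T lam, lam >= 0; dual gradient is c - A z'."""
    lam = np.zeros(len(c))
    eta = 1.0 / np.linalg.norm(A, 2) ** 2                 # step inside the stable range
    for _ in range(iters):
        lam = np.maximum(0.0, lam + eta * (c - A @ (z + A.T @ lam)))
    return z + A.T @ lam

def ordered_topk_feature_attack(W, b, z, targets, margin=0.1):
    """Step 1: the feature vector closest to z that satisfies the ordering constraints."""
    A, c = ordered_topk_constraints(W, b, targets, margin)
    return solve_qp_dual(z, A, c)

def one_step_data_perturbation(Phi, z, z_adv, step=1.0):
    """Step 2 toy: for an assumed linear extractor z = Phi x, one gradient step on
    1/2||Phi(x+d) - z_adv||^2 from d = 0 gives d = step * Phi^T (z_adv - z)."""
    return step * Phi.T @ (z_adv - z)

def topk_order(W, b, z, k):
    """Class indices of the k largest logits, highest first."""
    return np.argsort(-(W @ z + b))[:k].tolist()

# Constructed toy model: 16-dim input, 8-dim features, 6 classes (not the paper's nets).
rng = np.random.default_rng(0)
W, b, Phi = rng.normal(size=(6, 8)), rng.normal(size=6), rng.normal(size=(8, 16))
x = rng.normal(size=16)
z = Phi @ x

if __name__ == "__main__":
    z_adv = ordered_topk_feature_attack(W, b, z, [4, 1, 5])
    print("clean:", topk_order(W, b, z, 3), "attacked:", topk_order(W, b, z_adv, 3))
    print("feature shift:", round(float(np.linalg.norm(z_adv - z)), 4))
```

A robustness evaluation would measure the feature-space shift and the data-space perturbation norm needed for each K; when the clean logits already satisfy the requested order, the QP returns the clean feature vector unchanged.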