Sparse patches adversarial attacks via extrapolating point-wise information

Yaniv Nemcovsky, Avi Mendelson, Chaim Baskin
2024-11-25
Abstract: Sparse and patch adversarial attacks were previously shown to be applicable in realistic settings and are considered a security risk to autonomous systems. Sparse adversarial perturbations constitute a setting in which the adversarial perturbations are limited to affecting a relatively small number of points in the input. Patch adversarial attacks denote the setting where the sparse attacks are limited to a given structure, i.e., sparse patches with a given shape and number. However, previous patch adversarial attacks do not simultaneously optimize multiple patches' locations and perturbations. This work suggests a novel approach for sparse patches adversarial attacks via point-wise trimming dense adversarial perturbations. Our approach enables simultaneous optimization of multiple sparse patches' locations and perturbations for any given number and shape. Moreover, our approach is also applicable for standard sparse adversarial attacks, where we show that it significantly improves the state-of-the-art over multiple extensive settings. A reference implementation of the proposed method and the reported experiments is provided at https://github.com/yanemcovsky/SparsePatches.git
Computer Vision and Pattern Recognition, Machine Learning
What problem does this paper attempt to address?
The problem that this paper attempts to solve is the optimization problem of **sparse-patch adversarial attacks**. Specifically, the authors focus on how to simultaneously optimize the positions and perturbations of multiple patches under the condition of sparse patches with given shapes and quantities. This problem has not been well solved in previous studies because the optimization process involves a search over a combinatorial space, and the computational complexity increases exponentially as the number of patches increases.

### Main problem description

1. **Sparse adversarial attacks**: In this setting, the adversarial perturbation is limited to affecting a small number of points in the input, that is, the L0-norm constraint.
2. **Patch adversarial attacks**: This is a subset of sparse attacks, in which the perturbation points are restricted to form patches with given shapes and quantities.
3. **Optimization challenges**: Previous patch adversarial attack methods cannot simultaneously optimize the positions and perturbations of multiple patches, but can only optimize the perturbations at fixed positions or the positions of fixed patches.

### Solutions proposed in the paper

The authors propose a new method based on **point-by-point pruning of dense adversarial perturbations**, called **SparsePatches**. This method is implemented through the following steps:

1. **Generate dense perturbations**: First, generate a relatively dense adversarial perturbation \(\delta\), whose L0-norm is greater than the set upper limit \(\epsilon_0\).
2. **Point-by-point evaluation**: Evaluate the importance of each point and select the most important points as the final sparse perturbations.
3. **Gradual pruning**: Through a series of pruning steps, gradually reduce the L0-norm of the perturbation until the predetermined \(\epsilon_0\) is reached.
4. **Patch constraints**: For patch attacks, ensure that the final perturbation forms patches with given shapes and quantities.

### Advantages of the method

- **First direct solution**: This is the first method to directly solve the problem of simultaneously optimizing the positions and perturbations of multiple patches.
- **No differentiability required**: Differentiability is not required during the pruning process, which is suitable for various real-world scenarios.
- **Performance improvement**: Significantly outperforms existing methods in multiple experimental settings, especially on robust models.

### Experimental results

The paper conducted extensive experiments on the ImageNet dataset and compared the adversarial success rates (ASR) under different models (such as InceptionV3, ResNet50, Swin-B, ConvNeXt-B). The results show that the new method can achieve better results in most cases, especially when the L0-norm is large.

### Conclusion

This paper proposes a new sparse-patch adversarial attack method, which can effectively optimize the positions and perturbations of multiple patches, solves the optimization problems in existing methods, and shows superior performance in multiple experiments.