Abstract
Neural classifiers have achieved near-human-level performance on several real-world tasks. Despite these successes, recent work has demonstrated their vulnerability to adversarial attacks. In particular, image classifiers have been shown to be vulnerable to fine-tuned noise that perturbs a small number of pixels, known as sparse attacks. To generate such perturbations, current works either prioritise query efficiency by allowing the size of the perturbation to be unbounded, or prioritise minimizing its size by allowing a large number of pixels to be perturbed. Addressing the drawbacks of both approaches, we propose a method of conducting query-efficient sparse adversarial attacks that minimizes the number of perturbed pixels by formulating the attack as a constrained bi-objective optimization problem. Within the single-objective, unbounded, query-efficient scenario, our method is able to outperform state-of-the-art sparse attack algorithms in terms of success rate and query efficiency. When also minimizing the number of perturbed pixels in the bi-objective setting, the proposed method is able to generate adversarial perturbations that impact fewer pixels than its state-of-the-art competitors.
Acknowledgements
This work was supported by UKRI Future Leaders Fellowship (MR/S017062/1), EPSRC (2404317), NSFC (62076056), Royal Society (IES/R2/212077) and Amazon Research Award.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Williams, P., Li, K., Min, G. (2023). Sparse Adversarial Attack via Bi-objective Optimization. In: Emmerich, M., et al. Evolutionary Multi-Criterion Optimization. EMO 2023. Lecture Notes in Computer Science, vol 13970. Springer, Cham. https://doi.org/10.1007/978-3-031-27250-9_9
DOI: https://doi.org/10.1007/978-3-031-27250-9_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-27249-3
Online ISBN: 978-3-031-27250-9
eBook Packages: Computer Science, Computer Science (R0)