
A Theoretically Grounded Extension of Universal Attacks from the Attacker’s Viewpoint

Conference paper. In: Machine Learning and Knowledge Discovery in Databases. Research Track (ECML PKDD 2024)

Abstract

We extend universal attacks by jointly learning a set of perturbations, from which the attacker chooses, in order to maximize the chance of fooling deep neural network models. Specifically, we embrace the attacker's perspective and introduce a theoretical bound quantifying how much the universal perturbations are able to fool a given model on unseen examples. An extension that asserts the transferability of universal attacks is also provided. To learn such perturbations, we devise an algorithmic solution with convergence guarantees under Lipschitz continuity assumptions. Moreover, we demonstrate how it can improve the performance of state-of-the-art gradient-based universal perturbations. As evidenced by our experiments, these novel universal perturbations result in more interpretable, diverse, and transferable attacks.


Notes

  1. While the form of Proposition 1 is classical, the Rademacher complexity is computed on the set of perturbations \(\mathcal {B}_p(\delta )\) rather than on the set of models \(\mathcal {F}\).

  2. PyTorch code for the UAP and Fast-UAP baselines, and for our proposed UAP attack, is publicly available at https://github.com/JordanFrecon/guap.


Acknowledgments

The authors gratefully acknowledge the financial support of the French Agence Nationale de la Recherche (ANR), under grant ANR-20-CHIA-0021-01 (project RAIMO).

Author information

Corresponding author: Jordan Patracone.


Ethics declarations

Disclosure of Interests

The authors have no competing interests to declare that are relevant to the content of this article.

Ethics Statement

While this work focuses on attacks against DNNs, the weaknesses it identifies can aid in improving their robustness, fostering the development of more reliable DNNs.

Electronic supplementary material

Supplementary material 1 (PDF, 808 KB)


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Patracone, J., Viallard, P., Morvant, E., Gasso, G., Habrard, A., Canu, S. (2024). A Theoretically Grounded Extension of Universal Attacks from the Attacker's Viewpoint. In: Bifet, A., Davis, J., Krilavičius, T., Kull, M., Ntoutsi, E., Žliobaitė, I. (eds) Machine Learning and Knowledge Discovery in Databases. Research Track. ECML PKDD 2024. Lecture Notes in Computer Science, vol 14944. Springer, Cham. https://doi.org/10.1007/978-3-031-70359-1_17

  • DOI: https://doi.org/10.1007/978-3-031-70359-1_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-70358-4

  • Online ISBN: 978-3-031-70359-1

  • eBook Packages: Computer Science (R0)
