(A) study on universal and transferable properties of adversarial perturbations (Korean title: A study on the universality and transferability of adversarial perturbations)

Deep neural networks (DNNs) are widely known to be vulnerable to adversarial examples, i.e. images perturbed by imperceptible perturbations. This work studies adversarial perturbations mainly with a focus on their two intriguing universal and transferable properties.

Regarding the universal property, this work makes the following contributions:
  (a) proposing a simple yet effective algorithm for crafting data-free targeted UAP with the proxy dataset based on a new perspective that UAPs have independent features while images behave like noise;
  (b) investigating strictly data-free UAP as well as applying UAP to solve the challenging practical no-box attack;
  (c) extending the concept of universal perturbation to data hiding for achieving universal deep hiding (UDH) by demonstrating its success in steganography, watermarking, and light field messaging;
  (d) providing a unified Fourier perspective towards understanding UAP and UDH, revealing that their success can be, at least partly, attributed to DNNs being sensitive to high-frequency input content.

Regarding the transferable property, our work makes the following contributions:
  (e) demonstrating that transferability is not at odds with attack strength and proposing a simple loss function that achieves state-of-the-art attack strength and/or transferability;
  (f) identifying that the widely used momentum iterative method improves the transferability at the cost of higher visibility, as well as proposing a novel momentum-free iterative method;
  (g) identifying over-fitting as the core issue for hindering transferability and proposing simple yet effective techniques to alleviate the over-fitting issue;
  (h) identifying surrogate model robustness as a major factor that influences the transferability and demonstrating that early stop and adversarial training yield better surrogate models for transferable attacks.

Overall, this dissertation attempts to provide a new understanding of adversarial robustness by revisiting the universal and transferable properties of adversarial perturbations. Exploiting these two properties, this work focuses on simple yet effective techniques for more practical adversarial attacks.
Advisors
Kweon, In So (권인소)
Description
Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2021
Identifier
325007
Language
eng
Description

Doctoral dissertation (Ph.D.) - Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering, 2021.8, [ix, 106 p.]

Keywords

Adversarial perturbations; Universal property; Transferable property; Data hiding (Korean keywords: adversarial perturbation; universality; transferability; data hiding)

URI
http://hdl.handle.net/10203/295607
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=962483&flag=dissertation
Appears in Collection
EE-Theses_Ph.D. (Doctoral theses)
Files in This Item
There are no files associated with this item.
