<p>Machine learning (ML) and Deep learning (DL) techniques have exhibited remarkable efficacy across various domains, such as computer vision, cybersecurity, speech, facial recognition, and autonomous vehicles. Despite these advancements, the susceptibility of machine learning models to adversarial attacks poses considerable security challenges. Adversarial robustness is an essential requirement for the deployment of such systems in safety-critical environments. However, the current best practices for robustness analysis, such as ensemble-based AutoAttack, are computationally expensive and require large-scale adversarial training on high-performance computing (HPC) systems. In this paper, we introduce a computationally efficient hybrid attack that allocates the perturbation budget between the wavelet and spatial domains. The proposed white-box attack technique employs saliency maps for direct perturbations in the wavelet domain, followed by spatial domain perturbations, leveraging their interaction to improve attack efficacy and robustness evaluation. We have evaluated a variety of components, including the impact of saliency map on attack efficacy, the influence of wavelet type and decomposition levels, the combination of spectral and spatial domain synergy, and sample transferability and robustness against adversarially trained models. Extensive experiments reveal that our proposed attack methodology shows strong effectiveness in different scenarios. Crucially, the proposed hybrid method greatly reduces computational complexity, resulting in a two-fold speedup in attack throughput compared to ensemble attack baselines. This is beneficial for scalable real-time robustness benchmarking. The hybrid attack method exploits model weaknesses in both the frequency domain and spatial domain, which further degrades model accuracy, proving the success of a multi-faceted attack.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Saliency-driven dual-domain perturbations: sequential wavelet and pixel-space attacks for enhanced adversarial evasion of vision models

  • Sivaganesh,
  • Kanchana R. Menon,
  • Ramesh Naidu Laveti,
  • S. D. Sudarsan

摘要

Machine learning (ML) and Deep learning (DL) techniques have exhibited remarkable efficacy across various domains, such as computer vision, cybersecurity, speech, facial recognition, and autonomous vehicles. Despite these advancements, the susceptibility of machine learning models to adversarial attacks poses considerable security challenges. Adversarial robustness is an essential requirement for the deployment of such systems in safety-critical environments. However, the current best practices for robustness analysis, such as ensemble-based AutoAttack, are computationally expensive and require large-scale adversarial training on high-performance computing (HPC) systems. In this paper, we introduce a computationally efficient hybrid attack that allocates the perturbation budget between the wavelet and spatial domains. The proposed white-box attack technique employs saliency maps for direct perturbations in the wavelet domain, followed by spatial domain perturbations, leveraging their interaction to improve attack efficacy and robustness evaluation. We have evaluated a variety of components, including the impact of saliency map on attack efficacy, the influence of wavelet type and decomposition levels, the combination of spectral and spatial domain synergy, and sample transferability and robustness against adversarially trained models. Extensive experiments reveal that our proposed attack methodology shows strong effectiveness in different scenarios. Crucially, the proposed hybrid method greatly reduces computational complexity, resulting in a two-fold speedup in attack throughput compared to ensemble attack baselines. This is beneficial for scalable real-time robustness benchmarking. The hybrid attack method exploits model weaknesses in both the frequency domain and spatial domain, which further degrades model accuracy, proving the success of a multi-faceted attack.