Adversarial Attack to Deep Learning Networks via Imperceptible Sparse Perturbation

Heshmati, Alireza | 2022

  1. Type of Document: M.Sc. Thesis
  2. Language: Farsi
  3. Document No: 55489 (05)
  4. University: Sharif University of Technology
  5. Department: Electrical Engineering
  6. Advisor(s): Ghaemmaghami, Shahrokh; Marvasti, Farokh; Amini, Sajad
  7. Abstract:
  8. Nowadays, methods based on deep learning networks are the most effective artificial intelligence methods. Although they have achieved success in various fields (such as machine vision and object recognition), practical and experimental cases show the fragility of deep learning networks against perturbations and unwanted changes of the input pattern. All these perturbations must be such that the main class of the perturbed input pattern can be recognized by a human, but the network makes a mistake in recognizing its correct class. This thesis seeks a more accurate evaluation by designing adversarial attacks such that the main class of the adversarial pattern is detectable by human vision. One of the important challenges is therefore controlling the sparsity of the perturbations. The second challenge, which is also important in this thesis, is controlling the amount of perturbation of each element. The ℓ∞-norm is a distance criterion that controls the maximum absolute value of the perturbations. Controlling the ℓ∞-norm and the sparsity of the perturbations makes the adversarial attack more realistic and imperceptible, so that human vision cannot identify the adversarial image at all. As a result, the main challenge of this thesis is designing sparse and imperceptible adversarial attacks on deep learning networks. Other methods for designing adversarial attacks often seek to minimize the number of perturbed elements of the adversarial image by replacing the ℓ0-norm with the ℓ1-norm, the ℓ2-norm or search methods, whereas in reality the number of perturbed pixels is important. Other methods for designing imperceptible adversarial attacks often use clipping (projecting onto the ℓ∞-norm ball), which requires knowing the threshold of the desirable maximum value of the perturbations. The method proposed in this thesis implements the sparsity and imperceptibility criteria by the SL0 and LSEAp functions, respectively. These functions give much better approximations of these criteria than other functions, and both are composed of exponential functions. In this thesis, the proposed adversarial attacks are developed in such a way that the sparse element types are convertible into sparse pixel or grouped types. The results show that the adversarial attacks proposed in this thesis have perfect attack accuracy for the networks which are used in this thesis (even the one which is resistant to adversarial attacks) and render better control over the sparsity and the ℓ∞-norm criteria, compared to the other methods. They achieved imperceptibility because the functions used in this thesis were able to approximate the sparsity and the ℓ∞-norm considerably, and the LSEAp function, unlike other methods, tries to reduce the ℓ∞-norm according to the input pattern. Both these functions are implemented easily by hardware.
  9. Keywords:
  10. Deep Learning ; H-infinity Method ; Adversarial Attacks ; H-infinity Approximation ; Sparse Perturbation
