0%

(CVPR 2018) Generative Adversarial Perturbations

Keyword [Universal Adversarial Perturbations]

Poursaeed O, Katsman I, Gao B, et al. Generative adversarial perturbations[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2018: 4422-4431.



1. Overview


In this paper, it proposed generative models for creating adversarial examples

  • can produce image-agnostic and image-dependent perturbation for targeted and untargeted attacks
  • demonstrate that similar architecture can achive impressive results in fooling both classification and semantic segmentation models
  • faster than iterative methods at inference time

1.1. Type of perturbation

  • Universal. fixed
  • Image-dependent. vary for different images
    • targeted
    • untargeted

1.2. Contribution

  • unifying framework. universal and image-dependent
  • state-of-art performance in universal perturbations
  • first to present effective targeted universal perturbation
  • faster than iterative and optimization-based methods, the order of milliseconds

1.3.1. Universal Perturbations

  • iterates over samples in a target set, aggregate image-dependent perturbation and normalize the results to build universal perturbation
  • add image-dependent perturbations and clip the results

1.3.2. Image-dependent Perturbation

  • optimization-based
  • FGSM
  • Iterative Least-Likely Class
  • adversarial examples are sensitive to the angle and distance



2. Generative Adversarial Perturbation


2.1. Universal Perturbation



  • U. scale to have a fixed norm



  • trained with fooling loss. the combination of fooling and discriminatice loss lead to sub-optimal



2.2. Image-dependent Perturbation




  • generate perturbation instead of adversarial example giving us better control over the perturbation magnitude

2.3. Fooling Multiple Network






3. Experiments




  • L_{oo}. make use of the maximum permissible magnitude at each pixel