$\sigma$-zero: Gradient-based Optimization of \\$\ell_0$-norm Adversarial Examples
Primary Area: general machine learning (i.e., none of the above)
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Keywords: adversarial examples, gradient-based attack, machine learning security
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
TL;DR: we propose $\sigma$\texttt{-zero} an adversarial attack that leverages a differentiable approximation of the $\ell_0$ norm to facilitate gradient-based optimization.
Abstract: Evaluating the adversarial robustness of deep networks to gradient-based attacks is challenging.
While most attacks focus $\ell_2$-norm and $\ell_\infty$-norm constraints to craft input perturbations, only a few have investigated sparse $\ell_1$-norm and $\ell_0$-norm attacks.
In particular, $\ell_0$-norm attacks remain the least studied due to the inherent complexity of optimizing over a non-convex and non-differentiable constraint.
However, evaluating the robustness of these attacks might unveil weaknesses otherwise left untested with conventional $\ell_2$ and $\ell_\infty$ attacks.
In this work, we propose a novel $\ell_0$-norm attack, called $\sigma$\texttt{-zero}, which leverages an ad-hoc differentiable approximation of the $\ell_0$ norm to facilitate gradient-based optimization.
Extensive evaluations on MNIST, CIFAR10, and ImageNet datasets show that $\sigma$\texttt{-zero} can find adversarial examples with minimal $\ell_0$ distortion, outperforming competing methods in terms of success rate and scalability.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
Supplementary Material: zip
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 4978
Loading