Transferable Perturbations of Deep Feature DistributionsDownload PDF

25 Sept 2019, 19:14 (modified: 10 Feb 2022, 11:44)ICLR 2020 Conference Blind SubmissionReaders: Everyone
Original Pdf: pdf
Data: [ImageNet](
Abstract: Almost all current adversarial attacks of CNN classifiers rely on information derived from the output layer of the network. This work presents a new adversarial attack based on the modeling and exploitation of class-wise and layer-wise deep feature distributions. We achieve state-of-the-art targeted blackbox transfer-based attack results for undefended ImageNet models. Further, we place a priority on explainability and interpretability of the attacking process. Our methodology affords an analysis of how adversarial attacks change the intermediate feature distributions of CNNs, as well as a measure of layer-wise and class-wise feature distributional separability/entanglement. We also conceptualize a transition from task/data-specific to model-specific features within a CNN architecture that directly impacts the transferability of adversarial examples.
Keywords: adversarial attacks, transferability, interpretability
TL;DR: We show that perturbations based-on intermediate feature distributions yield more transferable adversarial examples and allow for analysis of the affects of adversarial perturbations on intermediate representations.
10 Replies