Minimally distorted Adversarial Examples with a Fast Adaptive Boundary Attack
Francesco Croce, Matthias Hein
Code Available — Be the first to reproduce this paper.
ReproduceCode
- github.com/fra31/fab-attackOfficialIn papertf★ 0
Abstract
The evaluation of robustness against adversarial manipulation of neural networks-based classifiers is mainly tested with empirical attacks as methods for the exact computation, even when available, do not scale to large networks. We propose in this paper a new white-box adversarial attack wrt the l_p-norms for p \1,2,\ aiming at finding the minimal perturbation necessary to change the class of a given input. It has an intuitive geometric meaning, yields quickly high quality results, minimizes the size of the perturbation (so that it returns the robust accuracy at every threshold with a single run). It performs better or similar to state-of-the-art attacks which are partially specialized to one l_p-norm, and is robust to the phenomenon of gradient masking.