σ-zero: Gradient-based Optimization of ℓ0-norm Adversarial Examples
Antonio Emanuele Cinà, Francesco Villani, Maura Pintor, Lea Schönherr, Battista Biggio, Marcello Pelillo
Code
- github.com/jeromerony/adversarial-library (official, in paper, PyTorch, ★ 166)
- github.com/sigma0-advx/sigma-zero (official, in paper, PyTorch, ★ 16)
- github.com/cinofix/sigma-zero-adversarial-attack (official, in paper, PyTorch, ★ 16)
Abstract
Evaluating the adversarial robustness of deep networks to gradient-based attacks is challenging. While most attacks consider ℓ2- and ℓ∞-norm constraints to craft input perturbations, only a few investigate sparse ℓ1- and ℓ0-norm attacks. In particular, ℓ0-norm attacks remain the least studied due to the inherent complexity of optimizing over a non-convex and non-differentiable constraint. However, evaluating adversarial robustness under these attacks could reveal weaknesses otherwise left untested with more conventional ℓ2- and ℓ∞-norm attacks. In this work, we propose a novel ℓ0-norm attack, called σ-zero, which leverages a differentiable approximation of the ℓ0 norm to facilitate gradient-based optimization, and an adaptive projection operator to dynamically adjust the trade-off between loss minimization and perturbation sparsity. Extensive evaluations on the MNIST, CIFAR10, and ImageNet datasets, involving both robust and non-robust models, show that σ-zero finds minimum ℓ0-norm adversarial examples without requiring any time-consuming hyperparameter tuning, and that it outperforms all competing sparse attacks in terms of success rate, perturbation size, and efficiency.
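To illustrate the core idea of a differentiable ℓ0 surrogate, the sketch below uses terms of the form δᵢ² / (δᵢ² + σ), which approach 1 for nonzero entries and 0 for zero entries, so their sum approximates the number of nonzero perturbation components while remaining differentiable. This is a minimal PyTorch sketch of that general idea; the function name and the choice of σ here are illustrative, not the paper's exact formulation or hyperparameters.

```python
import torch

def l0_approx(delta: torch.Tensor, sigma: float = 1e-3) -> torch.Tensor:
    # Smooth surrogate for ||delta||_0: each term d_i^2 / (d_i^2 + sigma)
    # is ~1 when |d_i| >> sqrt(sigma) and exactly 0 when d_i = 0,
    # so the sum approximates the count of nonzero entries.
    d2 = delta.pow(2)
    return (d2 / (d2 + sigma)).sum()

# Unlike the true l0 norm, this surrogate admits gradients,
# so it can be minimized alongside the attack loss.
delta = torch.tensor([0.0, 0.5, -0.2, 0.0], requires_grad=True)
approx = l0_approx(delta)
approx.backward()
print(approx.item())        # close to 2, the true number of nonzeros
print(delta.grad is not None)
```

The zero entries contribute nothing to the sum and receive zero gradient, while nonzero entries are pushed toward zero, which encourages sparsity during gradient-based optimization.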