Phoenix Williams’s research while affiliated with University of Exeter and other places

Deep neural networks (DNNs) have achieved remarkable performance in various tasks, including image classification. However, recent research has revealed the susceptibility of trained DNNs to subtle perturbations introduced into input images. Addressing these vulnerabilities is pivotal, leading to a significant area of study focused on developing attack algorithms capable of generating potent adversarial images. In scenarios where access to gradient information is restricted (black-box scenario), many existing methods introduce optimized perturbations to each individual pixels of an image to cause trained DNNs to mis-classify. However, due to the high-dimensional nature of this approach, current methods have inherent limitations. In contrast, our proposed approach involves the construction of perturbations by concatenating a series of overlapping semi-transparent shapes. Through the optimization of these shapes’ characteristics, we generate perturbations that result in the desired misclassification by the DNN. By conducting a series of attacks on state-of-the-art DNNs trained of CIFAR-10 and Imagenet datasets, our method consistently outperforms existing attack algorithms in terms of both query efficiency and success rate.

Neural classifiers have achieved near human level performances when applied to several real-world tasks. Despite their successes, recent works have demonstrated their vulnerability to adversarial attacks. In particular, image classifiers have shown to be vulnerable to fine-tuned noise that perturb a small number of pixels, known as sparse attacks. To generate such perturbations current works either prioritise query efficiency by allowing the size of the perturbation to be unbounded or the minimization of its size by allowing a large number of pixels to be perturbed. Addressing the drawbacks of both approaches we propose a method of conducting query efficient sparse adversarial attacks that minimizes the number of perturbed pixels by formulating the attack as a constrained bi-objective optimization problem. Within the single objective unbounded query-efficient scenario our method is able to outperform state-of-the-art sparse attack algorithms in terms of success rate and query efficiency. When also minimizing the number of perturbed pixels in the bi-objective setting, the proposed method is able to generate adversarial perturbations that impact a fewer number of pixels than its state-of-the-art competitors.

Deep neural networks (DNNs) have achieved state-of-the-art performance in many tasks but have shown extreme vulnerabilities to attacks generated by adversarial examples. Many works go with a white-box attack that assumes total access to the targeted model including its architecture and gradients. A more realistic assumption is the black-box scenario where an attacker only has access to the targeted model by querying some input and observing its predicted class probabilities. Different from most prevalent black-box attacks that make use of substitute models or gradient estimation, this paper proposes a gradient-free attack by using a concept of evolutionary art to generate adversarial examples that iteratively evolves a set of overlapping transparent shapes. To evaluate the effectiveness of our proposed method, we attack three state-of-the-art image classification models trained on the CIFAR-10 dataset in a targeted manner. We conduct a parameter study outlining the impact the number and type of shapes have on the proposed attack's performance. In comparison to state-of-the-art black-box attacks, our attack is more effective at generating adversarial examples and achieves a higher attack success rate on all three baseline models.