Subramanyam A V
IEEE Trans Image Process. 2022;31:4039-4049. doi: 10.1109/TIP.2022.3180207. Epub 2022 Jun 14.
Adversarial attacks have been extensively investigated in the recent past. Quite interestingly, a majority of these attacks primarily work in the l space. In this work, we propose a novel approach for generating adversarial samples using Wasserstein distance. Unlike previous approaches, we use an unbalanced optimal transport formulation which is naturally suited for images. We first compute an adversarial sample using a gradient step and then project the resultant image into a Wasserstein ball with respect to the original sample. The attack introduces perturbation in the form of a pixel mass distribution which is guided by a cost metric. Elaborate experiments on MNIST, Fashion-MNIST, CIFAR-10 and Tiny ImageNet demonstrate a sharp decrease in the performance of state-of-the-art classifiers. We also perform experiments with adversarially trained classifiers and show that our system achieves superior performance in terms of adversarial defense against several state-of-the-art attacks. Our code and pre-trained models are available at https://bit.ly/2SQBR4E.
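The abstract's central point is that a Wasserstein (optimal transport) perturbation measures how far pixel mass is moved, which an l-norm cannot distinguish. The following script is an added illustration, not code from the paper or from the repository it links: it implements the entropic unbalanced Sinkhorn scaling iterations with KL-penalised marginals (after Chizat et al.) in plain numpy, and uses them to measure the transport cost between a constructed 5x5 image and two perturbed copies that are indistinguishable under the l-infinity norm. The squared Euclidean ground cost on coordinates normalised to [0, 1], the regularisation `eps`, the marginal penalty `tau`, the sample images and the helper names are all assumptions of this example, not values from the paper. From a defender's side, `within_wasserstein_ball` is the kind of measurement one would use to check whether a test input sits within a given transport radius of a reference.

```python
import numpy as np


def ground_cost(h, w):
    """Squared Euclidean distance between every pair of pixel centres, with
    coordinates scaled to [0, 1] so the cost does not grow with image size.
    This cost metric is an assumption of the example, not the paper's choice."""
    ys, xs = np.meshgrid(np.arange(h) / max(h - 1, 1),
                         np.arange(w) / max(w - 1, 1), indexing="ij")
    coords = np.stack([ys.ravel(), xs.ravel()], axis=1)
    diff = coords[:, None, :] - coords[None, :, :]
    return (diff ** 2).sum(axis=-1)


def unbalanced_sinkhorn(a, b, C, eps=0.01, tau=1.0, n_iter=2000, tol=1e-9):
    """Entropic unbalanced optimal transport with KL-penalised marginals,
    solved by the scaling iterations of Chizat et al.
    `a`, `b` are non-negative pixel-mass vectors, `C` the ground cost matrix.
    Returns the transport plan P (rows: source pixels, columns: target pixels)."""
    K = np.exp(-C / eps)
    fi = tau / (tau + eps)   # exponent < 1 softens the marginal constraints
    u = np.ones_like(a)
    v = np.ones_like(b)
    for _ in range(n_iter):
        u_prev = u
        u = (a / (K @ v)) ** fi
        v = (b / (K.T @ u)) ** fi
        if np.abs(u - u_prev).max() < tol:
            break
    return u[:, None] * K * v[None, :]


def wasserstein_cost(x, y, eps=0.01, tau=1.0):
    """Transport cost <P, C> of moving the pixel mass of image x onto image y."""
    C = ground_cost(*x.shape)
    P = unbalanced_sinkhorn(x.ravel(), y.ravel(), C, eps, tau)
    return float((P * C).sum())


def linf_distance(x, y):
    """Largest per-pixel change, i.e. the l-infinity norm of the perturbation."""
    return float(np.abs(x - y).max())


def within_wasserstein_ball(x, x_adv, radius):
    """True if x_adv lies inside the Wasserstein ball of the given radius
    around x (a measurement/gating check, hypothetical helper)."""
    return wasserstein_cost(x, x_adv) <= radius


def make_image(bright_at, h=5, w=5, background=0.05):
    """Constructed 5x5 grayscale image: uniform background plus one bright pixel."""
    img = np.full((h, w), background)
    img[bright_at] = 1.0
    return img


# Constructed sample inputs: the same unit of mass placed at three positions.
ORIGINAL = make_image((2, 2))
NEAR = make_image((2, 3))   # mass moved one pixel to the right
FAR = make_image((4, 4))    # mass moved to the opposite corner

if __name__ == "__main__":
    # Both perturbations change two pixels by 0.95, so l_inf cannot tell
    # them apart; the transport cost grows with how far the mass travelled.
    for name, img in (("near", NEAR), ("far", FAR)):
        print(f"{name}: l_inf = {linf_distance(ORIGINAL, img):.3f}, "
              f"Wasserstein cost = {wasserstein_cost(ORIGINAL, img):.4f}")
```

Because the formulation is unbalanced, the solver may trade a little transported mass for the KL penalty instead of moving every unit of mass; the reported cost is the transport term only, which is enough to rank perturbations by how far they displace mass.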