Saved in:
Bibliographic Details
Main Authors: Yang, Junjie, Chen, Tianlong, Chen, Xuxi, Wang, Zhangyang, Liang, Yingbin
Format: Preprint
Published: 2023
Subjects:
Online Access:https://arxiv.org/abs/2312.01260
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866929349891981312
author Yang, Junjie
Chen, Tianlong
Chen, Xuxi
Wang, Zhangyang
Liang, Yingbin
author_facet Yang, Junjie
Chen, Tianlong
Chen, Xuxi
Wang, Zhangyang
Liang, Yingbin
contents Neural networks have demonstrated success in various domains, yet their performance can be significantly degraded by even a small input perturbation. Consequently, the construction of such perturbations, known as adversarial attacks, has gained significant attention, many of which fall within "white-box" scenarios where we have full access to the neural network. Existing attack algorithms, such as the projected gradient descent (PGD), commonly take the sign function on the raw gradient before updating adversarial inputs, thereby neglecting gradient magnitude information. In this paper, we present a theoretical analysis of how such sign-based update algorithm influences step-wise attack performance, as well as its caveat. We also interpret why previous attempts of directly using raw gradients failed. Based on that, we further propose a new raw gradient descent (RGD) algorithm that eliminates the use of sign. Specifically, we convert the constrained optimization problem into an unconstrained one, by introducing a new hidden variable of non-clipped perturbation that can move beyond the constraint. The effectiveness of the proposed RGD algorithm has been demonstrated extensively in experiments, outperforming PGD and other competitors in various settings, without incurring any additional computational overhead. The codes is available in https://github.com/JunjieYang97/RGD.
format Preprint
id arxiv_https___arxiv_org_abs_2312_01260
institution arXiv
publishDate 2023
record_format arxiv
spellingShingle Rethinking PGD Attack: Is Sign Function Necessary?
Yang, Junjie
Chen, Tianlong
Chen, Xuxi
Wang, Zhangyang
Liang, Yingbin
Machine Learning
Cryptography and Security
Neural networks have demonstrated success in various domains, yet their performance can be significantly degraded by even a small input perturbation. Consequently, the construction of such perturbations, known as adversarial attacks, has gained significant attention, many of which fall within "white-box" scenarios where we have full access to the neural network. Existing attack algorithms, such as the projected gradient descent (PGD), commonly take the sign function on the raw gradient before updating adversarial inputs, thereby neglecting gradient magnitude information. In this paper, we present a theoretical analysis of how such sign-based update algorithm influences step-wise attack performance, as well as its caveat. We also interpret why previous attempts of directly using raw gradients failed. Based on that, we further propose a new raw gradient descent (RGD) algorithm that eliminates the use of sign. Specifically, we convert the constrained optimization problem into an unconstrained one, by introducing a new hidden variable of non-clipped perturbation that can move beyond the constraint. The effectiveness of the proposed RGD algorithm has been demonstrated extensively in experiments, outperforming PGD and other competitors in various settings, without incurring any additional computational overhead. The codes is available in https://github.com/JunjieYang97/RGD.
title Rethinking PGD Attack: Is Sign Function Necessary?
topic Machine Learning
Cryptography and Security
url https://arxiv.org/abs/2312.01260