Improving Generalization of Universal Adversarial Perturbation via Dynamic Maximin Optimization
DOI:
https://doi.org/10.1609/aaai.v39i10.33117Abstract
Deep neural networks (DNNs) are susceptible to universal adversarial perturbations (UAPs). These perturbations are meticulously designed to fool the target model universally across all sample classes. Unlike instance-specific adversarial examples (AEs), generating UAPs is more complex because they must be generalized across a wide range of data samples and models. Our research reveals that existing universal attack methods, which optimize UAPs using DNNs with static model parameter snapshots, do not fully leverage the potential of DNNs to generate more effective UAPs. Rather than optimizing UAPs against static DNN models with a fixed training set, we suggest using dynamic model-data pairs to generate UAPs. In particular, we introduce a dynamic maximin optimization strategy, aiming to optimize the UAP across a variety of optimal model-data pairs. We term this approach DM-UAP. DM-UAP utilizes an iterative max-min-min optimization framework that refines the model-data pairs, coupled with a curriculum UAP learning algorithm to examine the combined space of model parameters and data thoroughly. Comprehensive experiments on the ImageNet dataset demonstrate that the proposed DM-UAP markedly enhances both cross-sample universality and cross-model transferability of UAPs. Using only 500 samples for UAP generation, DM-UAP outperforms the state-of-the-art approach with an average increase in fooling ratio of 12.108%.
Downloads
Published
2025-04-11
How to Cite
Zhang, Y., Xu, Y., Shi, J., Zhang, L. Y., Hu, S., Li, M., & Zhang, Y. (2025). Improving Generalization of Universal Adversarial Perturbation via Dynamic Maximin Optimization. Proceedings of the AAAI Conference on Artificial Intelligence, 39(10), 10293-10301. https://doi.org/10.1609/aaai.v39i10.33117
Issue
Section
AAAI Technical Track on Computer Vision IX
