### 摘要

Deep neural networks have shown their vulnerability to adversarial attacks. In this paper, we focus on sparse adversarial attack based on the $ell_0$ norm constraint, which can succeed by only modifying a few pixels of an image. Despite a high attack success rate, prior sparse attack methods achieve a low transferability under the black-box protocol due to overfitting the target model. Therefore, we introduce a generator architecture to alleviate the overfitting issue and thus efficiently craft transferable sparse adversarial examples. Specifically, the generator decouples the sparse perturbation into amplitude and position components. We carefully design a random quantization operator to optimize these two components jointly in an end-to-end way. The experiment shows that our method has improved the transferability by a large margin under a similar sparsity setting compared with state-of-the-art methods. Moreover, our method achieves superior inference speed, 700$times$ faster than other optimization-based methods. The code is available at https://github.com/shaguopohuaizhe/TSAA.

Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)

We proposed a novel method to generate transferable sparse adversarial perturbations.

• The overall pipeline of our method. Our framework decouples the adversarial perturbation into two components which control distortion magnitude and perturbed pixel location respectively.

• Figure 2 shows adversarial images generated by GreedyFool and our method. When the perturbation constraint is Eps = 255, the perturbation is marginally visible for both GreedyFool and ours.

• Table 1 shows quantitative results for Eps = 255 on ImageNet. As the sparsity increases, the transferability of baselines increases, while our method is always better than others with a large margin.

• Table 2 shows comparison with generator-based dense attacks. The transfer rate of our method is competitive with the two dense attacks while our perturbation is sparser.

## Citation

@InProceedings{He_2022_CVPR,
author    = {He, Ziwen and Wang, Wei and Dong, Jing and Tan, Tieniu},
title     = {Transferable Sparse Adversarial Attack},
booktitle = {Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)},
month     = {June},
year      = {2022},
pages     = {14963--14972}
}