Next Article in Journal
Challenges of Machine Learning Applied to Safety-Critical Cyber-Physical Systems
Previous Article in Journal
Do Randomized Algorithms Improve the Efficiency of Minimal Learning Machine?
Article

Probabilistic Jacobian-Based Saliency Maps Attacks

1
CentraleSupélec, Mathematics and Computer Science Department, 3 Rue Joliot-Curie, 91192 Gif-sur-Yvette, France
2
IRT SystemX, 8 Avenue de la Vauve, 91120 Palaiseau, France
*
Author to whom correspondence should be addressed.
Mach. Learn. Knowl. Extr. 2020, 2(4), 558-578; https://doi.org/10.3390/make2040030
Received: 10 October 2020 / Revised: 2 November 2020 / Accepted: 5 November 2020 / Published: 13 November 2020
(This article belongs to the Section Learning)
This paper introduces simple, faster and more efficient versions of the known targeted and untargeted Jacobian-based Saliency Map Attacks (JSMA). Despite creating adversarial examples with a higher average L 0 distance than the state-of-the-art Carlini-Wagner attack, the new versions of JSMA have a significant speed advantage over this attack, making them very convenient for L 0 real-time robustness testing of neural network classifiers.
Neural network classifiers (NNCs) are known to be vulnerable to malicious adversarial perturbations of inputs including those modifying a small fraction of the input features named sparse or L0 attacks. Effective and fast L0 attacks, such as the widely used Jacobian-based Saliency Map Attack (JSMA) are practical to fool NNCs but also to improve their robustness. In this paper, we show that penalising saliency maps of JSMA by the output probabilities and the input features of the NNC leads to more powerful attack algorithms that better take into account each input’s characteristics. This leads us to introduce improved versions of JSMA, named Weighted JSMA (WJSMA) and Taylor JSMA (TJSMA), and demonstrate through a variety of white-box and black-box experiments on three different datasets (MNIST, CIFAR-10 and GTSRB), that they are both significantly faster and more efficient than the original targeted and non-targeted versions of JSMA. Experiments also demonstrate, in some cases, very competitive results of our attacks in comparison with the Carlini-Wagner (CW) L0 attack, while remaining, like JSMA, significantly faster (WJSMA and TJSMA are more than 50 times faster than CW L0 on CIFAR-10). Therefore, our new attacks provide good trade-offs between JSMA and CW for L0 real-time adversarial testing on datasets such as the ones previously cited. View Full-Text
Keywords: Jacobian-based Saliency Map; adversarial attacks; deep neural network classifiers; MNIST; CIFAR-10; GTSRB Jacobian-based Saliency Map; adversarial attacks; deep neural network classifiers; MNIST; CIFAR-10; GTSRB
Show Figures

Figure 1

MDPI and ACS Style

Combey, T.; Loison, A.; Faucher, M.; Hajri, H. Probabilistic Jacobian-Based Saliency Maps Attacks. Mach. Learn. Knowl. Extr. 2020, 2, 558-578. https://doi.org/10.3390/make2040030

AMA Style

Combey T, Loison A, Faucher M, Hajri H. Probabilistic Jacobian-Based Saliency Maps Attacks. Machine Learning and Knowledge Extraction. 2020; 2(4):558-578. https://doi.org/10.3390/make2040030

Chicago/Turabian Style

Combey, Théo, António Loison, Maxime Faucher, and Hatem Hajri. 2020. "Probabilistic Jacobian-Based Saliency Maps Attacks" Machine Learning and Knowledge Extraction 2, no. 4: 558-578. https://doi.org/10.3390/make2040030

Find Other Styles

Article Access Map by Country/Region

1
Back to TopTop