Generalizing Universal Adversarial Attacks Beyond Additive Perturbations

by Yanghao Zhang et al.

Previous studies have shown that universal adversarial attacks can fool deep neural networks over a large set of input images with a single, human-imperceptible perturbation. However, current methods for universal adversarial attacks are based on additive perturbation, which causes misclassification when the perturbation is directly added to the input images. In this paper, for the first time, we show that a universal adversarial attack can also be achieved via non-additive perturbation (e.g., spatial transformation). More importantly, to unify both additive and non-additive perturbations, we propose a novel, flexible framework for universal adversarial attacks, called GUAP, which can launch attacks via additive perturbation, non-additive perturbation, or a combination of both. Extensive experiments are conducted on the CIFAR-10 and ImageNet datasets with six deep neural network models, including GoogLeNet, VGG16/19, ResNet101/152, and DenseNet121. The empirical results demonstrate that GUAP obtains attack success rates of up to 90.9% on the CIFAR-10 and ImageNet datasets, leading to improvements of over 15% on each dataset compared with current state-of-the-art universal adversarial attacks. The code for reproducing the experiments in this paper is available at
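To make the distinction between the two perturbation types concrete, the sketch below shows how a single universal additive perturbation and a single universal spatial flow field could be applied to every image in a batch. This is a minimal NumPy illustration under stated assumptions, not the authors' implementation: the function names, the bilinear warping, and the `eps` bound are illustrative choices, not GUAP's actual API.

```python
import numpy as np

def spatial_transform(image, flow):
    """Warp one H x W x C image by a per-pixel flow field (H x W x 2)
    with bilinear interpolation -- a minimal stand-in for the paper's
    non-additive (spatial) perturbation."""
    h, w, _ = image.shape
    ys, xs = np.meshgrid(np.arange(h), np.arange(w), indexing="ij")
    # Source coordinates displaced by the flow, clamped to the image.
    sy = np.clip(ys + flow[..., 0], 0, h - 1)
    sx = np.clip(xs + flow[..., 1], 0, w - 1)
    y0, x0 = np.floor(sy).astype(int), np.floor(sx).astype(int)
    y1, x1 = np.minimum(y0 + 1, h - 1), np.minimum(x0 + 1, w - 1)
    wy, wx = (sy - y0)[..., None], (sx - x0)[..., None]
    # Bilinear blend of the four neighbouring pixels.
    return ((1 - wy) * (1 - wx) * image[y0, x0]
            + (1 - wy) * wx * image[y0, x1]
            + wy * (1 - wx) * image[y1, x0]
            + wy * wx * image[y1, x1])

def apply_universal_attack(images, flow, delta, eps=8 / 255):
    """Apply ONE universal flow and ONE universal additive perturbation
    to every image in the batch (hypothetical helper, not GUAP's code)."""
    delta = np.clip(delta, -eps, eps)              # bound the additive part
    warped = np.stack([spatial_transform(x, flow) for x in images])
    return np.clip(warped + delta, 0.0, 1.0)       # keep a valid pixel range
```

Because both `flow` and `delta` are shared across the whole batch, the same pair of perturbations is reused for every input, which is what makes the attack "universal"; setting `flow` to zero recovers a purely additive attack, and setting `delta` to zero recovers a purely spatial one.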





Code Repositories




Tool for generating spatially-transformed or additive universal perturbations; see the paper 'Generalizing Universal Adversarial Attacks Beyond Additive Perturbations' (ICDM 2020)



Code for paper 'Generalizing Universal Adversarial Attacks Beyond Additive Perturbations' (ICDM2020)

