Probabilistic Jacobian-Based Saliency Maps Attacks

Abstract

Neural network classifiers (NNCs) are known to be vulnerable to malicious adversarial perturbations of inputs, including those modifying a small fraction of the input features, named sparse or (Formula presented.) attacks. Effective and fast (Formula presented.) attacks, such as the widely used Jacobian-based Saliency Map Attack (JSMA), are practical to fool NNCs but also to improve their robustness. In this paper, we show that penalising saliency maps of JSMA by the output probabilities and the input features of the NNC leads to more powerful attack algorithms that better take into account each input’s characteristics. This leads us to introduce improved versions of JSMA, named Weighted JSMA (WJSMA) and Taylor JSMA (TJSMA), and demonstrate through a variety of white-box and black-box experiments on three different datasets (MNIST, CIFAR-10 and GTSRB) that they are both significantly faster and more efficient than the original targeted and non-targeted versions of JSMA. Experiments also demonstrate, in some cases, very competitive results of our attacks in comparison with the Carlini-Wagner (CW) (Formula presented.) attack, while remaining, like JSMA, significantly faster (WJSMA and TJSMA are more than 50 times faster than CW (Formula presented.) on CIFAR-10). Therefore, our new attacks provide good trade-offs between JSMA and CW for (Formula presented.) real-time adversarial testing on datasets such as the ones previously cited.

Combey, T., Loison, A., Faucher, M., & Hajri, H. (2020). Probabilistic Jacobian-Based Saliency Maps Attacks. Machine Learning and Knowledge Extraction, 2(4), 558–578. https://doi.org/10.3390/make2040030
