Fast-UAP: An algorithm for expediting universal adversarial perturbation generation using the orientations of perturbation vectors

Convolutional neural networks (CNNs), which are popular machine-learning tools, are being applied in various tasks. However, CNN models are vulnerable to universal perturbations, which despite being usu-ally quasi-imperceptible to the human eye can cause natural images to be misclassified with high probability. The original algorithm of generating universal perturbations (the algorithm is called UAP for brevity) only aggregates minimal perturbations in each iteration without considering the orientations of perturbation vectors; consequently, the magnitude of the universal perturbation cannot efficiently increase at each iteration, thereby resulting in slow universal perturbation generation. Hence, we propose an optimized algorithm to enhance the performance of generating universal perturbations based on the orientations of perturbation vectors. At each iteration, rather than choosing the minimal perturbation vector, we choose the perturbation whose orientation is similar to that of the current universal perturbation; therefore, the magnitude of the aggregation of both the perturbations will be maximized. The experimental results show that compared with UAP, we could generate universal perturbations in a shorter time using a smaller number of training images. Furthermore, we empirically observed that compared with the universal perturbations generated using UAP, the ones generated using our proposed algorithm achieved an average fooling-rate increment of 9% in white-box and black-box attacks. (c) 2020 Elsevier B.V. All rights reserved.

Automated summary

An optimized algorithm based on the orientations of perturbation vectors is proposed to enhance the performance of generating universal perturbations in CNN models. Experimental results show that the proposed algorithm can generate universal perturbations in a shorter time with a higher fooling-rate increment in both white-box and black-box attacks compared to the original algorithm.