Amnesia as a Catalyst for Enhancing Black Box Pixel Attacks in Image Classification and Object Detection

🔼 This figure illustrates the workflow of the RFPAR attack, which consists of two main processes: Remember and Forget. The Remember process uses reinforcement learning to iteratively generate and refine adversarial images by maximizing rewards. The Forget process resets the model and memory, leveraging the best-performing adversarial image from the Remember process to start a new iteration. This cycle repeats until convergence or a maximum number of iterations is reached.

read the caption

Figure 2: The model architecture of RFPAR: the Remember and Forget process. During the Remember process, the RL model generates perturbed images and corresponding rewards. Memory compares these with previously stored values and retains only the highest reward and its associated image. Once the rewards converge to a certain value, the Forget process starts and resets the RL agent and memory, then reintroduces the perturbed images that gained the highest reward to the Remember process. The process continues until an adversarial image is generated or a predefined number of cycles is reached, at which point it terminates.

🔼 This ablation study analyzes the impact of Initialization (I) and Memory (M) on the RFPAR model’s performance. The four bars for each model represent: the baseline RFPAR; RFPAR without initialization (I); RFPAR without memory (M); and RFPAR with both initialization and memory. The results show that both Initialization and Memory significantly improve the attack success rate, indicating that the RL agent benefits from both resetting and storing high-reward image information.

read the caption

Figure 3: Ablation study. The x and y axes show different victim models and the attack success rate, respectively. The notation 1 signifies the inclusion of the initialization step in the Forget process, and M denotes that the Remember process incorporates memory.

🔼 This figure shows several examples of adversarial attacks generated by the RFPAR method on the ImageNet dataset. Each row presents a clean image, the difference between the clean image and the adversarial image (delta), and the resulting adversarial image. The labels predicted by the model are shown below each image, demonstrating the impact of the adversarial attacks.

read the caption

Figure 4: Adversarial examples generated by RFPAR on the ImageNet dataset. The 'Original Image' is the original unaltered image, the 'Delta' represents the difference between the Original Image and the Adversarial Image, and the 'Adversarial Image' is the image with the altered prediction. The predicted labels are shown below the Original Image and the Adversarial Image.

🔼 This figure shows the results of applying the RFPAR attack on the MS-COCO dataset for object detection. It demonstrates the impact of varying the attack intensity (controlled by parameter α) on both the generated perturbations (Delta Images) and the resulting adversarial images. The figure shows that as α increases, more pixels are modified, leading to more significant changes in the detected objects.

read the caption

Figure 5: Adversarial examples generated by RFPAR on the MS-COCO dataset. The Original Image represents the unaltered image, and the Delta shows the difference between the Original Image and the Adversarial Image. The parameter α is a hyperparameter that determines the attack level; a higher value of α attacks more pixels. We conducted experiments with α ranging from 0.01 to 0.05. The Delta Image resulting from α values of 0.01 to 0.05 is presented in columns 2 to 6, and the Adversarial Image generated from the same α values is shown in columns 7 to 11. The Adversarial Image typically indicates an image with a changed prediction, but in this context, it also includes unsuccessful attacks. We present the results of Delta and Adversarial Images according to different values of α.

🔼 This table presents the results of the RFPAR attack on two object detection models, YOLOv8 and DDQ. It shows the average percentage of removed objects (RM), the mean average precision drop (mAP), the average L0 norm (Lo - number of pixels changed), and the average number of queries needed for the attack at different pixel attack rates (α). Lower mAP and Lo values, as well as higher RM values, represent better attack performance.

read the caption

Table 2: Attack Results on Object Detection Models. The subscripts after RFPAR denote a pixel attack rate, a. RM indicates the average percentage of objects removed from the clean image. Lo represents the average ||δ||0. Query denotes the average number of queries made to the victim model. Higher RM, lower mAP, lower Lo, and lower Query values indicate better performance.

🔼 This table compares the performance of three query-based black-box attacks (PRFA, GARSDC, and RFPAR) on the YOLO object detection model. The results show the reduction in mean Average Precision (mAP) and the number of queries required for each attack. RFPAR demonstrates comparable performance to GARSDC in terms of mAP reduction while significantly reducing the number of queries needed.

read the caption

Table 3: Comparison to other methods. RD means reduction in mAP.

🔼 This table compares the performance of the RFPAR attack on the MS-COCO and Argoverse datasets. It shows the average percentage of objects removed (RM), the reduction in mean Average Precision (mAP), the percentage of the image area attacked (ATA), and the average number of queries made to the victim model. The results demonstrate that RFPAR is effective in removing objects across different datasets, although its effectiveness in reducing mAP is limited in datasets with a high density of objects. Specifically, on Argoverse with higher image resolution, RFPAR achieved a high object removal rate while attacking a small portion of the image.

read the caption

Table 4: Comparison on dataset. ATA means the ratio of altered pixels to the image size.

🔼 This table presents the results of adversarial attacks on different transformer-based image classification models: ViT-L, Swin-V2, and Deit. For each model, it shows the success rate (SR), the average L0 norm (representing the number of pixels modified), and the average number of queries needed to generate an adversarial example. Higher success rates and lower L0 norms and query counts indicate better attack performance. The table compares the performance of three different attack methods: OnePixel, Pixle, and RFPAR (the proposed method).

read the caption

Table 5: The results of transformer-based classifiers.

🔼 This table compares the performance of the RFPAR attack with different pixel attack rates (from 0.01 to 0.05) on two object detection models: YOLOv8 and DDQ. The metrics used are RM (the average percentage of objects removed), mAP (mean Average Precision), Lo (the average number of perturbed pixels), and Query (the average number of queries made to the model). Higher RM and lower mAP values indicate better attack performance, while lower Lo and Query values indicate greater efficiency.

read the caption

Table 6: The results of object detection models.

🔼 This table presents the results of applying the RFPAR attack to various transformer-based models (ViT-B, ViT-L, ViT-H, Swin-V2, and DeiT-B) with two different maximum iteration limits: 100 and 200. It shows the success rate of the attacks (higher is better), the L0 norm (lower is better, representing the sparsity of the attack), and the number of queries required (lower is better). Comparing the results across different models and iteration limits helps to understand the impact of these factors on RFPAR’s effectiveness.

read the caption

Table 7: The performance of RFPAR on transformer-based models with different iteration limits

🔼 This table presents the results of adversarial attacks against adversarially trained models (Adv. ViT and Adv. ResNeXt101). It compares the performance of OnePixel, Pixle, and RFPAR in terms of success rate (higher is better), L0 norm (lower is better, representing the number of pixels changed), and the number of queries (lower is better). The results show that RFPAR outperforms the other methods on both models, demonstrating its effectiveness even against adversarially trained models.

read the caption

Table 8: The results of adversarial trained models.

🔼 This table presents the number of queries required for different attack methods in an ablation study. The ablation study focuses on evaluating the impact of Initialization (I) and Memory (M) on the model’s performance. RFPAR represents the baseline attack method without I and M, while RFPARI, RFPARM, and RFPARM+I represent variations of the method with different combinations of I and M. The table shows that the inclusion of memory significantly increases the number of queries required, while the addition of initialization does not significantly affect the query count.

read the caption

Table 9: Query for ablation study.

🔼 This table presents a comparison of different adversarial attack methods (OnePixel, ScratchThat, Pixle, and RFPAR) on various image classification models (VIT-B, ResNeXt50, RegNetX-32GF, DenseNet161, MNASNet, and MobileNet-V3) using the ImageNet dataset. The metrics used for comparison are success rate (higher is better), L∞ norm (lower is better, indicating fewer pixels modified), and the number of queries (lower is better, indicating higher efficiency). RFPAR’s performance is highlighted in bold, showing its superior performance compared to other methods.

read the caption

Table 1: The results of adversarial attacks on the ImageNet dataset. Each score represents the mean success rate of the attack, mean L∞ norm and mean the number of queries. In terms of the success rate, a higher value signifies better performance, whereas for the L∞ norm and the number of queries, lower values are indicative of superior performance. The best method is highlighted in bold.