|
|
|
|
| LEADER |
01000naa a22002652 4500 |
| 001 |
NLM364585129 |
| 003 |
DE-627 |
| 005 |
20231226095736.0 |
| 007 |
cr uuu---uuuuu |
| 008 |
231226s2023 xx |||||o 00| ||eng c |
| 024 |
7 |
|
|a 10.1109/TIP.2023.3331582
|2 doi
|
| 028 |
5 |
2 |
|a pubmed24n1215.xml
|
| 035 |
|
|
|a (DE-627)NLM364585129
|
| 035 |
|
|
|a (NLM)37966925
|
| 040 |
|
|
|a DE-627
|b ger
|c DE-627
|e rakwb
|
| 041 |
|
|
|a eng
|
| 100 |
1 |
|
|a Wei, Zhipeng
|e verfasserin
|4 aut
|
| 245 |
1 |
0 |
|a Towards Transferable Adversarial Attacks on Image and Video Transformers
|
| 264 |
|
1 |
|c 2023
|
| 336 |
|
|
|a Text
|b txt
|2 rdacontent
|
| 337 |
|
|
|a ƒaComputermedien
|b c
|2 rdamedia
|
| 338 |
|
|
|a ƒa Online-Ressource
|b cr
|2 rdacarrier
|
| 500 |
|
|
|a Date Revised 24.11.2023
|
| 500 |
|
|
|a published: Print-Electronic
|
| 500 |
|
|
|a Citation Status PubMed-not-MEDLINE
|
| 520 |
|
|
|a The transferability of adversarial examples across different convolutional neural networks (CNNs) makes it feasible to perform black-box attacks, resulting in security threats for CNNs. However, fewer endeavors have been made to investigate transferable attacks for vision transformers (ViTs), which achieve superior performance on various computer vision tasks. Unlike CNNs, ViTs establish relationships between patches extracted from inputs by the self-attention module. Thus, adversarial examples crafted on CNNs might hardly attack ViTs. To assess the security of ViTs comprehensively, we investigate the transferability across different ViTs in both untargetd and targeted scenarios. More specifically, we propose a Pay No Attention (PNA) attack, which ignores attention gradients during backpropagation to improve the linearity of backpropagation. Additionally, we introduce a PatchOut/CubeOut attack for image/video ViTs. They optimize perturbations within a randomly selected subset of patches/cubes during each iteration, preventing over-fitting to the white-box surrogate ViT model. Furthermore, we maximize the L2 norm of perturbations, ensuring that the generated adversarial examples deviate significantly from the benign ones. These strategies are designed to be harmoniously compatible. Combining them can enhance transferability by jointly considering patch-based inputs and the self-attention of ViTs. Moreover, the proposed combined attack seamlessly integrates with existing transferable attacks, providing an additional boost to transferability. We conduct experiments on ImageNet and Kinetics-400 for image and video ViTs, respectively. Experimental results demonstrate the effectiveness of the proposed method
|
| 650 |
|
4 |
|a Journal Article
|
| 700 |
1 |
|
|a Chen, Jingjing
|e verfasserin
|4 aut
|
| 700 |
1 |
|
|a Goldblum, Micah
|e verfasserin
|4 aut
|
| 700 |
1 |
|
|a Wu, Zuxuan
|e verfasserin
|4 aut
|
| 700 |
1 |
|
|a Goldstein, Tom
|e verfasserin
|4 aut
|
| 700 |
1 |
|
|a Jiang, Yu-Gang
|e verfasserin
|4 aut
|
| 700 |
1 |
|
|a Davis, Larry S
|e verfasserin
|4 aut
|
| 773 |
0 |
8 |
|i Enthalten in
|t IEEE transactions on image processing : a publication of the IEEE Signal Processing Society
|d 1992
|g 32(2023) vom: 15., Seite 6346-6358
|w (DE-627)NLM09821456X
|x 1941-0042
|7 nnns
|
| 773 |
1 |
8 |
|g volume:32
|g year:2023
|g day:15
|g pages:6346-6358
|
| 856 |
4 |
0 |
|u http://dx.doi.org/10.1109/TIP.2023.3331582
|3 Volltext
|
| 912 |
|
|
|a GBV_USEFLAG_A
|
| 912 |
|
|
|a SYSFLAG_A
|
| 912 |
|
|
|a GBV_NLM
|
| 912 |
|
|
|a GBV_ILN_350
|
| 951 |
|
|
|a AR
|
| 952 |
|
|
|d 32
|j 2023
|b 15
|h 6346-6358
|