One run to attack them all: finding simultaneously multiple targeted adversarial perturbations

Deep neural networks are ubiquitous in computer vision applications such as autonomous vehicles, face recognition, and medical imaging. However, deep neural networks may be subject to adversarial perturbations (also called adversarial attacks) which, when performed in high-stakes environments, may lead to severe consequences. A particular class of adversarial attacks, called universal adversarial attacks, consists of attacks that do not fool a single image. Instead, they aim to fool as many images as possible. Universal adversarial attacks may be either untargeted or targeted. While the goal of an untargeted attack is to deceive the neural network under attack without caring about its output, a targeted attack aims to “steer” the predictions of the neural network towards a specific target. In this work, we propose a method, based on the clonal selection algorithm, to generate targeted universal adversarial attacks for multiple target classes in a single run of the algorithm. Our results show that our approach is able to find multiple targeted universal adversarial attacks for the network under attack, with good success rates. Moreover, by visualizing the attacked images, we observe that our algorithm is able to produce adversarial attacks that fool the network by attacking a relatively small number of pixels. Finally, by analyzing how the attacks generalize on different architectures, we observe intriguing properties of the discovered universal adversarial attacks.