## Introduction

Adversarial attacks on neural networks (NNs) have been widely explored. However, previous studies have mostly sought to create perturbations bounded under a chosen metric. Most such work has focused on $$\ell_{p}$$-norm perturbations (i.e., $$\ell_{1}$$, $$\ell_{2}$$, or $$\ell_{\infty}$$) and utilized gradient-based optimization to efficiently generate adversarial examples. However, adversarial perturbations can extend beyond $$\ell_{p}$$-norm bounds.

We combined the $$\ell_\infty$$-norm and semantic perturbations (i.e., hue, saturation, rotation, brightness, and contrast) and proposed a novel approach, the composite adversarial attack (CAA), capable of generating unified adversarial examples. The main differences between CAA and previously proposed perturbations are (a) that CAA incorporates several threat models simultaneously, and (b) that CAA's adversarial examples are semantically similar and/or natural-looking, yet exhibit large differences under $$\ell_{p}$$-norm measures.
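To build intuition for why composite examples escape a single $$\ell_p$$ budget, consider stacking a small semantic change (here a plain brightness shift, used as a toy stand-in for the differentiable semantic attacks above) on top of $$\ell_\infty$$-bounded noise: the result remains visually benign, yet its $$\ell_\infty$$ distance to the original image exceeds the usual budget. A minimal numerical sketch:

```python
import numpy as np

rng = np.random.default_rng(0)
image = rng.random((32, 32, 3))  # toy image with values in [0, 1]

# Semantic perturbation: a global brightness shift (small, natural-looking change)
bright = np.clip(image + 0.1, 0.0, 1.0)

# l_inf-bounded perturbation: per-pixel noise clipped to epsilon = 8/255
eps = 8 / 255
noise = rng.uniform(-eps, eps, size=image.shape)
composite = np.clip(bright + noise, 0.0, 1.0)

# The composite example stays within eps of the *brightened* image,
# but its l_inf distance to the *original* image exceeds the 8/255 budget.
print(np.abs(composite - bright).max() <= eps)  # True
print(np.abs(composite - image).max() > eps)    # True
```

This is exactly the situation measured in the benchmark below: an $$\ell_\infty$$-certified defense sees an input far outside its threat model, even though a human still recognizes the same object.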

Figure: The Composite Adversarial Attack (CAA) framework.

To further demonstrate the proposed idea and familiarize other researchers with the concept of composite adversarial robustness, and ultimately, create more trustworthy AI, we developed this browser-based composite perturbation generation demo along with the adversarial robustness leaderboard, CARBEN (composite adversarial robustness benchmark). CARBEN also features interactive sections which facilitate users’ configuration of the parameters of the attack level and their rapid evaluation of model prediction.

### Composite Perturbations with Custom Order

Try changing the attack order by dragging the perturbation blocks with your mouse, then click Generate to see the perturbed images. We provide several samples along with the inference results from an $$\ell_{\infty}$$-robust model. Note that each picture below the perturbation blocks accumulates all perturbations preceding it.

Perturbation blocks:
• Original
• Hue
• Saturation
• Rotation
• Brightness
• Contrast
• $$\ell_{\infty}$$

Model predictions:
• Warplane (82%)
• Warplane (79%)
• Warplane (54%)
• Wing (40%)
• Wing (40%)
• Wing (56%)
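In code, a custom attack order amounts to sequentially composing per-perturbation update functions. A minimal sketch, with simple deterministic transforms standing in for the actual gradient-based attack steps:

```python
import numpy as np

# Toy stand-ins for the real attack components (which optimize each
# perturbation's parameters); here each is a fixed image transform.
def hue(x):        return np.roll(x, 1, axis=-1)               # rotate color channels
def brightness(x): return np.clip(x + 0.05, 0.0, 1.0)
def contrast(x):   return np.clip(0.9 * (x - 0.5) + 0.5, 0.0, 1.0)

def composite(x, order):
    """Apply the enabled attacks sequentially in the given order."""
    for attack in order:
        x = attack(x)
    return x

x = np.arange(12).reshape(2, 2, 3) / 11.0
a = composite(x, [hue, brightness, contrast])
b = composite(x, [contrast, brightness, hue])
# Different orders generally yield different perturbed images,
# which is why CAA treats the order itself as attackable.
print(np.allclose(a, b))  # False
```

This order-sensitivity is what the "scheduled" order option in the attack exploits: rather than fixing the sequence, it searches over orderings as well.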

## Craft Your Desired Composite Perturbations

### 1. Select a model

• Trained and tested on ImageNet
• Architecture: ResNet-50
• Clean Accuracy: 76.13%
• Robust Accuracy (Auto Attack: $$\ell_\infty$$, 4/255): 0.0%
• Robust Accuracy (Composite Semantic Attack): 20.6%

### 3. Specify Perturbation Level (Real-time Rendering)

Here, we use CSS and the JavaScript Canvas API to render the perturbed images in the browser. In practice, we use the Kornia package to implement the semantic attacks.
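For intuition about what the browser renders, the CSS `brightness` and `contrast` filters have simple pixel-level equivalents (per the CSS Filter Effects definitions: a linear scale, and a linear interpolation around mid-gray, respectively). A minimal sketch in Python:

```python
import numpy as np

def css_brightness(img, amount):
    """Pixel-level equivalent of CSS filter: brightness(amount)."""
    return np.clip(img * amount, 0.0, 1.0)

def css_contrast(img, amount):
    """Pixel-level equivalent of CSS filter: contrast(amount),
    which interpolates each channel value around mid-gray (0.5)."""
    return np.clip((img - 0.5) * amount + 0.5, 0.0, 1.0)

img = np.array([0.2, 0.5, 0.8])
out = css_contrast(css_brightness(img, 1.2), 0.8)
print(out)  # dark pixels brightened, dynamic range compressed toward 0.5
```

The Kornia implementations used for the actual attack (`kornia.enhance`) are differentiable versions of transforms like these, which is what allows gradient-based optimization of the semantic parameters.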

### 4. Robustness Statistics

Evaluate model robustness over the full test sets. The following chart shows the robust accuracy of the models under semantic attacks (without $$\ell_\infty$$). Currently, we support two datasets: CIFAR-10 and ImageNet.
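Robust accuracy here is simply the fraction of test samples still classified correctly after the attack perturbs them. A toy one-dimensional sketch (the model and attack below are illustrative stand-ins, not the actual implementation):

```python
# Toy 1-D "classifier": label 1 iff x > 0.
def model(x):
    return int(x > 0)

# Worst-case l_inf attack in 1-D: push x toward the decision boundary.
def attack(x, y, eps=0.3):
    return x - eps if y == 1 else x + eps

def robust_accuracy(model, attack, dataset):
    """Fraction of (x, y) pairs still correctly classified after the attack."""
    correct = sum(model(attack(x, y)) == y for x, y in dataset)
    return correct / len(dataset)

dataset = [(-1.0, 0), (-0.5, 0), (0.1, 1), (0.8, 1)]
print(robust_accuracy(model, attack, dataset))  # 0.75: the point at 0.1 is flipped
```

The charts on this page report the same quantity, computed over the full CIFAR-10 and ImageNet test sets with the composite semantic attacks in place of this toy attack.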

## Use CAA to Evaluate Your Own Models

Quick start by running the following code!

```python
# !pip install git+https://github.com/IBM/composite-adv.git
# Note: the import paths below follow the composite-adv package layout
# and may vary between versions.
from composite_adv.utilities import make_model, EvalModel, robustness_evaluate
from composite_adv.attacks import CompositeAttack

base_model = make_model('resnet50', 'cifar10', checkpoint_path="PATH_OF_CHECKPOINT")
model = EvalModel(base_model, input_normalized=False)

# Evaluate the composite robustness of the model using the full composite
# attack (all six attack types, with a scheduled attack order).
composite_attack = CompositeAttack(model,
                                   enabled_attack=(0, 1, 2, 3, 4, 5),
                                   order_schedule="scheduled")

# data_loader: a DataLoader over your test set, defined elsewhere.
accuracy, attack_success_rate = robustness_evaluate(model, composite_attack, data_loader)
```


## Benchmarks

In this benchmark, we evaluate robustness against $$\ell_\infty$$ attacks (AutoAttack) and CAA (full attacks). The $$\ell_\infty$$ perturbation budget was set to 8/255 for CIFAR-10 and 4/255 for ImageNet.
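Under these budgets, the $$\ell_\infty$$ component of an attack is kept feasible by projecting each candidate perturbation back into the $$\epsilon$$-ball around the clean image. A minimal sketch of that projection:

```python
import numpy as np

def project_linf(x_adv, x, eps):
    """Project an adversarial example back into the l_inf ball of
    radius eps centered at the clean input x (element-wise clipping)."""
    return np.clip(x_adv, x - eps, x + eps)

x = np.array([0.2, 0.5, 0.8])          # clean pixels
x_adv = np.array([0.5, 0.45, 0.75])    # candidate adversarial pixels
eps = 8 / 255                          # CIFAR-10 budget used in the benchmark
proj = project_linf(x_adv, x, eps)
print(proj)  # each pixel now within eps of the clean value
```

The same clipping (with eps = 4/255) applies to the ImageNet evaluations reported here.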

## Citations

If you find this webpage helpful and useful for your research, please cite our papers as follows:

@inproceedings{hsiung2022caa,
author={Lei Hsiung and Yun-Yun Tsai and Pin-Yu Chen and Tsung-Yi Ho},
booktitle={{IEEE/CVF} Conference on Computer Vision and Pattern Recognition, {CVPR}},
publisher={{IEEE}},
year={2023},
month={June}
}

@inproceedings{hsiung2022carben,