Machine learning adversarial attacks using partial sinkhorn optimization

Journal article

Adversarial attacks are often modeled as pointwise perturbations of individual samples, which can miss structured distributional effects and may waste perturbation budget on examples that are already misclassified. We study a data-driven Wasserstein attack model in which the adversary shifts the empirical distribution under a label-preserving transport budget. Starting from this formulation, we derive a finite-dimensional transport surrogate and an equivalent lifting that makes the role of transport couplings explicit. We then introduce an entropic regularization, obtaining a difference-of-convex formulation that penalizes attacks which mainly amplify the loss of already misclassified samples. This leads to Partial Sinkhorn, an iterative algorithm that combines convex-concave linearization with Sinkhorn-type updates, such that any limit point of a convergent subsequence is a KKT stationary point of the penalized problem. Experiments on synthetic and MNIST tasks show that the proposed method generates stronger attacks than FGSM under comparable perturbation budgets, particularly in the low-distortion regime. The framework also highlights links between adversarial attack, optimal transport, and distributionally robust control.

Authors: Bertolace, A; Gatsis, K; Margellos, K

• Publication status: Published
• Peer review status: Peer reviewed
• Publisher: IEEE
• Journal: IEEE Open Journal of Control Systems
• Publication date: 2026-04-01
• Acceptance date: 2026-03-23
• DOI: 10.1109/ojcsys.2026.3679905
• EISSN: 2694-085X
• Language: English
• Keywords: optimal transport; optimization; robust optimization; non-convex optimization; machine learning; adversarial learning