Give me your attention: dot-product attention considered harmful for adversarial patch robustness

Conference item

Neural architectures based on attention such as vision transformers are revolutionizing image recognition. Their main benefit is that attention allows reasoning about all parts of a scene jointly. In this paper, we show how the global reasoning of (scaled) dot-product attention can be the source of a major vulnerability when confronted with adversarial patch attacks. We provide a theoretical understanding of this vulnerability and relate it to an adversary’s ability to misdirect the attention of all queries to a single key token under the control of the adversarial patch. We propose novel adversarial objectives for crafting adversarial patches which target this vulnerability explicitly. We show the effectiveness of the proposed patch attacks on popular image classification (ViTs and DeiTs) and object detection models (DETR). We find that adversarial patches occupying 0.5% of the input can lead to robust accuracies as low as 0% for ViT on ImageNet, and reduce the mAP of DETR on MS COCO to less than 3%.

Authors: Lovisotto, G; Finnie, N; Munoz, M; Mummadi, CK; Metzen, JH

• Publication status: Published
• Peer review status: Peer reviewed
• Publisher: IEEE
• Host title: Proceedings of the Conference on Computer Vision and Pattern Recognition (CVPR 2022)
• Pages: 15213-15222
• Publication date: 2022-09-27
• Acceptance date: 2022-03-02
• Event title: Conference on Computer Vision and Pattern Recognition (CVPR 2022)
• Event location: New Orleans, Louisiana, USA
• Event website: https://cvpr2022.thecvf.com/
• Event start date: 2022-06-19
• Event end date: 2022-06-24
• DOI: 10.1109/CVPR52688.2022.01480
• EISSN: 2575-7075
• ISSN: 1063-6919
• EISBN: 978-1-6654-6946-3
• ISBN: 978-1-6654-6947-0
• Language: English
• Keywords: FFR