Duhme, Christof; Eilers, Florian; Jiang, Xiaoyi
Research article in digital collection | Preprint

Adversarial attacks against deep neural networks are commonly constructed under lp norm constraints, most often using p=1, p=2 or p=inf, and potentially regularized for specific demands such as sparsity or smoothness. These choices are typically made without a systematic investigation of how the norm parameter p influences the structural and perceptual properties of adversarial perturbations. In this work, we study how the choice of p affects sparsity and smoothness of adversarial attacks generated under lp norm constraints for values of p in [1, 2]. To enable a quantitative analysis, we adopt two established sparsity measures from the literature and introduce three smoothness measures. In particular, we propose a general framework for deriving smoothness measures based on smoothing operations and additionally introduce a smoothness measure based on first-order Taylor approximations. Using these measures, we conduct a comprehensive empirical evaluation across multiple real-world image datasets and a diverse set of model architectures, including both convolutional and transformer-based networks. We show that the choice of l1 or l2 is suboptimal in most cases and the optimal p value is dependent on the specific task. In our experiments, using lp norms with p in [1.3, 1.5] yields the best trade-off between sparse and smooth attacks. These findings highlight the importance of principled norm selection when designing and evaluating adversarial attacks.
| Duhme, Christof | Professur für Praktische Informatik (Prof. Jiang) |
| Eilers, Florian | Professur für Praktische Informatik (Prof. Jiang) |
| Jiang, Xiaoyi | Professur für Praktische Informatik (Prof. Jiang) |