Arrow Research search

Author name cluster

Thomas Paniagua

Possible papers associated with this exact author name in Arrow. This page groups case-insensitive exact name matches and is not a full identity disambiguation profile.

3 papers
2 author rows

Possible papers

3

ICML Conference 2025 Conference Paper

Adversarial Perturbations Are Formed by Iteratively Learning Linear Combinations of the Right Singular Vectors of the Adversarial Jacobian

  • Thomas Paniagua
  • Chinmay Savadikar
  • Tianfu Wu 0001

White-box targeted adversarial attacks reveal core vulnerabilities in Deep Neural Networks (DNNs), yet two key challenges persist: (i) How many target classes can be attacked simultaneously in a specified order, known as the ordered top-$K$ attack problem ($K \geq 1$)? (ii) How to compute the corresponding adversarial perturbations for a given benign image directly in the image space? We address both by showing that ordered top-$K$ perturbations can be learned via iteratively optimizing linear combinations of the $\underline{ri}ght\text{ } \underline{sing}ular$ vectors of the adversarial Jacobian (i. e. , the logit-to-image Jacobian constrained by target ranking). These vectors span an orthogonal, informative subspace in the image domain. We introduce RisingAttacK, a novel Sequential Quadratic Programming (SQP)-based method that exploits this structure. We propose a holistic figure-of-merits (FoM) metric combining attack success rates (ASRs) and $\ell_p$-norms ($p=1, 2, \infty$). Extensive experiments on ImageNet-1k across six ordered top-$K$ levels ($K=1, 5, 10, 15, 20, 25, 30$) and four models (ResNet-50, DenseNet-121, ViT-B, DEiT-B) show RisingAttacK consistently surpasses the state-of-the-art QuadAttacK.

Details

NeurIPS Conference 2023 Conference Paper

QuadAttac$K$: A Quadratic Programming Approach to Learning Ordered Top-$K$ Adversarial Attacks

  • Thomas Paniagua
  • Ryan Grainger
  • Tianfu Wu

The adversarial vulnerability of Deep Neural Networks (DNNs) has been well-known and widely concerned, often under the context of learning top-$1$ attacks (e. g. , fooling a DNN to classify a cat image as dog). This paper shows that the concern is much more serious by learning significantly more aggressive ordered top-$K$ clear-box targeted attacks proposed in~\citep{zhang2020learning}. We propose a novel and rigorous quadratic programming (QP) method of learning ordered top-$K$ attacks with low computing cost, dubbed as \textbf{QuadAttac$K$}. Our QuadAttac$K$ directly solves the QP to satisfy the attack constraint in the feature embedding space (i. e. , the input space to the final linear classifier), which thus exploits the semantics of the feature embedding space (i. e. , the principle of class coherence). With the optimized feature embedding vector perturbation, it then computes the adversarial perturbation in the data space via the vanilla one-step back-propagation. In experiments, the proposed QuadAttac$K$ is tested in the ImageNet-1k classification using ResNet-50, DenseNet-121, and Vision Transformers (ViT-B and DEiT-S). It successfully pushes the boundary of successful ordered top-$K$ attacks from $K=10$ up to $K=20$ at a cheap budget ($1\times 60$) and further improves attack success rates for $K=5$ for all tested models, while retaining the performance for $K=1$.

PDF Details

AAAI Conference 2020 Short Paper

A Simple Deconvolutional Mechanism for Point Clouds and Sparse Unordered Data (Student Abstract)

  • Thomas Paniagua
  • John Lagergren
  • Greg Foderaro

This paper presents a novel deconvolution mechanism, called the Sparse Deconvolution, that generalizes the classical transpose convolution operation to sparse unstructured domains, enabling the fast and accurate generation and upsampling of point clouds and other irregular data. Specifically, the approach uses deconvolutional kernels, which each map an input feature vector and set of trainable scalar weights to the feature vectors of multiple child output elements. Unlike previous approaches, the Sparse Deconvolution does not require any voxelization or structured formulation of data, it is scalable to a large number of elements, and it is capable of utilizing local feature information. As a result, these capabilities allow for the practical generation of unstructured data in unsupervised settings. Preliminary experiments are performed here, where Sparse Deconvolution layers are used as a generator within an autoencoder trained on the 3D MNIST dataset.

PDF Details