benchmark 2026

Exploring Sparsity and Smoothness of Arbitrary $\ell_p$ Norms in Adversarial Attacks

Florian Eilers, Christof Duhme, Xiaoyi Jiang

0 citations · 48 references · arXiv (Cornell University)

Published on arXiv: 2602.06578

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

ℓp norms with p ∈ [1.3, 1.5] yield the best trade-off between sparse and smooth adversarial attacks, with the standard choices of p=1 and p=2 being suboptimal in most evaluated settings.

Smoothness Measure Framework

Novel technique introduced


Adversarial attacks against deep neural networks are commonly constructed under $\ell_p$ norm constraints, most often using $p=1$, $p=2$ or $p=\infty$, and potentially regularized for specific demands such as sparsity or smoothness. These choices are typically made without a systematic investigation of how the norm parameter $p$ influences the structural and perceptual properties of adversarial perturbations. In this work, we study how the choice of $p$ affects sparsity and smoothness of adversarial attacks generated under $\ell_p$ norm constraints for values of $p \in [1,2]$. To enable a quantitative analysis, we adopt two established sparsity measures from the literature and introduce three smoothness measures. In particular, we propose a general framework for deriving smoothness measures based on smoothing operations and additionally introduce a smoothness measure based on first-order Taylor approximations. Using these measures, we conduct a comprehensive empirical evaluation across multiple real-world image datasets and a diverse set of model architectures, including both convolutional and transformer-based networks. We show that the choice of $\ell_1$ or $\ell_2$ is suboptimal in most cases and the optimal $p$ value is dependent on the specific task. In our experiments, using $\ell_p$ norms with $p \in [1.3, 1.5]$ yields the best trade-off between sparse and smooth attacks. These findings highlight the importance of principled norm selection when designing and evaluating adversarial attacks.


Key Contributions

  • General framework for constructing smoothness measures from smoothing operations, plus a Taylor-approximation-based smoothness measure
  • Systematic empirical analysis of how the ℓp norm parameter p ∈ [1,2] affects sparsity and smoothness of adversarial perturbations across diverse architectures and datasets
  • Finding that standard choices p=1 or p=2 are suboptimal in most cases, with p ∈ [1.3, 1.5] yielding the best sparsity–smoothness trade-off

🛡️ Threat Analysis

Input Manipulation Attack

Directly studies adversarial perturbations — gradient-based attacks crafted to cause misclassification at inference time under ℓp norm constraints — and proposes evaluation metrics for their structural properties.


Details

Domains
vision
Model Types
cnn, transformer
Threat Tags
white_box, inference_time
Datasets
GTSRB, CIFAR-10
Applications
image classification