Exploring Black-box Adversarial Attacks on Low-rank Constrained Neural Networks

Low-rank compression has been shown as an effective tool to reduce parameter counts of convolutional and vision transformer architectures; however, low-rank training often reduces the models robustness to adversarial perturbations. In this work, we explore the effects of low-rank training on black-box attacks, where attacked images are generated without knowledge of the low-rank parameters. We find that low-rank training is not sufficient as a black-box defense and can sometimes produce worse than expected as compared to baseline models. Influencing the spectrum of the low-rank models during training improves adversarial robustness similar to white-box attacks.