Exploring Sparsity and Smoothness of Arbitrary p Norms in Adversarial Attacks

Abstract

Adversarial attacks against deep neural networks are commonly constructed under p norm constraints, most often using p=1, p=2 or p=∞, and potentially regularized for specific demands such as sparsity or smoothness. These choices are typically made without a systematic investigation of how the norm parameter \( p \) influences the structural and perceptual properties of adversarial perturbations. In this work, we study how the choice of \( p \) affects sparsity and smoothness of adversarial attacks generated under \( p \) norm constraints for values of p ∈ [1,2]. To enable a quantitative analysis, we adopt two established sparsity measures from the literature and introduce three smoothness measures. In particular, we propose a general framework for deriving smoothness measures based on smoothing operations and additionally introduce a smoothness measure based on first-order Taylor approximations. Using these measures, we conduct a comprehensive empirical evaluation across multiple real-world image datasets and a diverse set of model architectures, including both convolutional and transformer-based networks. We show that the choice of 1 or 2 is suboptimal in most cases and the optimal p value is dependent on the specific task. In our experiments, using p norms with p∈ [1.3, 1.5] yields the best trade-off between sparse and smooth attacks. These findings highlight the importance of principled norm selection when designing and evaluating adversarial attacks.