Publications by Francesco Croce

Adversarially Robust CLIP Models Can Induce Better (Robust) Perceptual Metrics

Measuring perceptual similarity is a key tool in computer vision. In recent years perceptual metrics based on features extracted from neural networks with large and diverse training sets, e.g. CLIP, have become popular. At the same time, the metrics extrac ...

IEEE2025

Towards Reliable Evaluation and Fast Training of Robust Semantic Segmentation Models

Francesco Croce

Adversarial robustness has been studied extensively in image classification, especially for the ℓ∞-threat model, but significantly less so for related tasks such as object detection and semantic segmentation, where attacks turn out to be a much harder opti ...

Springer Science and Business Media Deutschland GmbH2025

Sparse-RS: A Versatile Framework for Query-Efficient Sparse Black-Box Adversarial Attacks

Nicolas Henri Bernard Flammarion, Maksym Andriushchenko, Francesco Croce

We propose a versatile framework based on random search, Sparse-RS, for score-based sparse targeted and untargeted attacks in the black-box setting. Sparse-RS does not rely on substitute models and achieves state-of-the-art success rate and query efficienc ...

ASSOC ADVANCEMENT ARTIFICIAL INTELLIGENCE2022

Sparse-RS: a versatile framework for query-efficient sparse black-box adversarial attacks

Nicolas Henri Bernard Flammarion, Maksym Andriushchenko, Francesco Croce

A large body of research has focused on adversarial attacks which require to modify all input features with small l2- or l∞-norms. In this paper we instead focus on query-efficient sparse attacks in the black-box setting. Our versatile framework, Sparse-RS ...

2020

Square Attack: a query-efficient black-box adversarial attack via random search

Nicolas Henri Bernard Flammarion, Maksym Andriushchenko, Francesco Croce

We propose the Square Attack, a new score-based black-box

l_2

and

l_\infty

adversarial attack that does not rely on local gradient information and thus is not affected by gradient masking. The Square Attack is based on a randomized search scheme where ...

2020