School of Electronics and Information Engineering, Soochow University, Suzhou 215006, PR China.
Neural Netw. 2023 Aug;165:925-937. doi: 10.1016/j.neunet.2023.06.031. Epub 2023 Jun 30.
Deep neural networks are sensitive to adversarial examples and can produce wrong results with high confidence. However, most existing attack methods exhibit weak transferability, especially against adversarially trained models and defense models. In this paper, two methods are proposed to generate highly transferable adversarial examples, namely the Adaptive Inertia Iterative Fast Gradient Sign Method (AdaI-FGSM) and the Amplitude Spectrum Dropout Method (ASDM). Specifically, AdaI-FGSM integrates adaptive inertia into the gradient-based attack and leverages the looking-ahead property to search for a flatter maximum, which is essential to strengthening the transferability of adversarial examples. By introducing a loss-preserving transformation in the frequency domain, the proposed ASDM, which has the dropout invariance property, can craft copies of input images to overcome poor generalization on the surrogate models. Furthermore, AdaI-FGSM and ASDM can be naturally integrated into an efficient gradient-based attack method that yields more transferable adversarial examples. Extensive experimental results on the ImageNet-compatible dataset demonstrate that our method achieves higher transferability than some advanced gradient-based attacks.