Qianqian Song,Xiangwei Kong,Ziming Wang

DOI: https://doi.org/10.1007/978-3-030-93049-3_4

2021-01-01

Abstract:The accurate interpretation of neural network about how the network works is important. However, a manipulated explanation may have the potential to mislead human users not to trust a reliable network. Therefore, it is necessary to verify interpretation algorithms by designing effective attacks to simulate various possible threats in the real world. In this work, we mainly explore how to mislead interpretation. More specifically, we optimize the noise added to the input, which aims to highlight a certain area that we specify without changing the output category of network. With our proposed algorithm, we demonstrate that the state-of-the-art saliency maps based interpreters, e.g., Grad-CAM, Guided-Feature-Inversion, Grad-CAM++, Score-CAM and Full-Grad can be easily fooled. We propose two situations of fooling, Single-target attack and Multi-target attack, and show that the fooling can be transfered to different interpretation methods as well as generalized to the unseen samples with the universal noise. We also take image patches to fool Grad-CAM. Our results are proved in both qualitative and quantitative ways and we further propose a quantitative metric to measure the effectiveness of algorithm. We believe that our method can serve as an additional evaluation of robustness for future interpretation algorithms.

Tao Wu,Xuechun Wang,Shaojie Qiao,Xingping Xian,Yanbing Liu,Liang Zhang

DOI: https://doi.org/10.1016/j.ins.2021.11.007

IF: 8.1

2022-01-01

Information Sciences

Abstract:Time-series data are widespread in real-world industrial scenarios. To recover and infer missing information in real-world applications, the problem of time-series prediction has been widely studied as a classical research topic in data mining. Deep learning architectures have been viewed as next-generation time-series prediction models. However, recent studies have shown that deep learning models are vulnerable to adversarial attacks. In this study, we prospectively examine the problem of time-series prediction adversarial attacks and propose an attack strategy for generating an adversarial time series by adding malicious perturbations to the original time series to deteriorate the performance of time-series prediction models. Specifically, a perturbation-based adversarial example generation algorithm is proposed using the gradient information of the prediction model. In practice, unlike the imperceptibility to humans in the field of image processing, time-series data are more sensitive to abnormal perturbations and there are more stringent requirements regarding the amount of perturbations. To address this challenge, we craft an adversarial time series based on the importance measurement to slightly perturb the original data. Based on comprehensive experiments conducted on real-world time-series datasets, we verify that the proposed adversarial attack methods not only effectively fool the target time-series prediction model LSTNet, they also attack state-of-the-art CNN-, RNN-, and MHANET-based models. Meanwhile, the results show that the proposed methods achieve a good transferability. That is, the adversarial examples generated for a specific prediction model can significantly affect the performance of the other methods. Moreover, through a comparison with existing adversarial attack approaches, we can see that much smaller perturbations are sufficient for the proposed importance-measurement based adversarial attack method. The methods described in this paper are significant in understanding the impact of adversarial attacks on a time-series prediction and promoting the robustness of such prediction technologies.

Wenbo Yang,Jidong Yuan,Xiaokang Wang,Peixiang Zhao,Wenbo Yang,Jidong Yuan,Xiaokang Wang,Peixiang Zhao

DOI: https://doi.org/10.1016/j.engappai.2022.105218

IF: 8

2022-09-01

Engineering Applications of Artificial Intelligence

Abstract:Deep neural networks (DNNs) for time series classification have potential security concerns due to their vulnerability to adversarial attacks. Previous work that perturbs time series globally requires gradient information to generate adversarial examples, leading to being perceived easily. In this paper, we propose a gradient-free black-box method called TSadv to attack DNNs with local perturbations. First, we formalize the attack as a constrained optimization problem solved by a differential evolution algorithm without any inner information of the target model. Second, with the assumption that time series shapelets provide more discriminative information between different classes, the range of perturbations is designed based on their intervals. Experimental results show that our method can effectively attack DNNs on time series datasets that have potential security concerns and generate imperceptible adversarial samples flexibly. Besides, our approach decreases the mean squared error by approximately two orders of magnitude compared with the state-of-the-art method while retaining competitive attacking success rates.

automation & control systems,computer science, artificial intelligence,engineering, electrical & electronic, multidisciplinary

Aidong Xu,Xuechun Wang,Yunan Zhang,Tao Wu,Xingping Xian

DOI: https://doi.org/10.1145/3485314.3485316

2021-07-09

Abstract:Time series data is widespread in real-world scenarios. To recover and infer missing information in practical domains, such as stock price monitoring, electricity load forecasting, traffic flows analysis, climate trend prediction, etc., the problem of time series prediction has been widely studied as a classical research topic in data mining. Over the past decade, deep learning architectures are introduced as a vital part of the next generation of time series prediction models. However, recent studies showed that deep learning models are vulnerable to adversarial attacks. In this paper, we study the adversarial attacks on the time series prediction models prospectively. We propose an attack strategy to generate adversarial samples by adding imperceptible perturbed data to the original time series with the goal of reducing the accuracy of time series prediction models. Specifically, the perturbation-based adversarial example generation algorithm is proposed using gradient information of time series prediction model. Moreover, adversarial examples should be imperceptible to humans. To address the challenge, we craft adversarial samples based on importance measuring to perturb the original data locally. We evaluate our attacks on state-of-the-art time series prediction models using three time series datasets. Our results demonstrate that our attacks can effectively evade the time series prediction models, and the adversarial attacks mechanisms can be used as robustness metric for constructing robust time series prediction models.

Sichen Liu,Yuan Luo

DOI: https://doi.org/10.3390/electronics13030650

IF: 2.9

2024-01-01

Electronics

Abstract:While deep neural networks (DNNs) have been widely and successfully used for time series classification (TSC) over the past decade, their vulnerability to adversarial attacks has received little attention. Most existing attack methods focus on white-box setups, which are unrealistic as attackers typically only have access to the model’s probability outputs. Defensive methods also have limitations, relying primarily on adversarial retraining which degrades classification accuracy and requires excessive training time. On top of that, we propose two new approaches in this paper: (1) A simulated annealing-based random search attack that finds adversarial examples without gradient estimation, searching only on the l∞-norm hypersphere of allowable perturbations. (2) A post-processing defense technique that periodically reverses the trend of corresponding loss values while maintaining the overall trend, using only the classifier’s confidence scores as input. Experiments applying these methods to InceptionNet models trained on the UCR dataset benchmarks demonstrate the effectiveness of the attack, achieving up to 100% success rates. The defense method provided protection against up to 91.24% of attacks while preserving prediction quality. Overall, this work addresses important gaps in adversarial TSC by introducing novel black-box attack and lightweight defense techniques.

Sichen Liu,Yuan Luo

DOI: https://doi.org/10.3390/electronics13030650

IF: 2.9

2024-02-05

Electronics

Abstract:While deep neural networks (DNNs) have been widely and successfully used for time series classification (TSC) over the past decade, their vulnerability to adversarial attacks has received little attention. Most existing attack methods focus on white-box setups, which are unrealistic as attackers typically only have access to the model's probability outputs. Defensive methods also have limitations, relying primarily on adversarial retraining which degrades classification accuracy and requires excessive training time. On top of that, we propose two new approaches in this paper: (1) A simulated annealing-based random search attack that finds adversarial examples without gradient estimation, searching only on the l∞-norm hypersphere of allowable perturbations. (2) A post-processing defense technique that periodically reverses the trend of corresponding loss values while maintaining the overall trend, using only the classifier's confidence scores as input. Experiments applying these methods to InceptionNet models trained on the UCR dataset benchmarks demonstrate the effectiveness of the attack, achieving up to 100% success rates. The defense method provided protection against up to 91.24% of attacks while preserving prediction quality. Overall, this work addresses important gaps in adversarial TSC by introducing novel black-box attack and lightweight defense techniques.

engineering, electrical & electronic,computer science, information systems,physics, applied

Hongyu Lu,Jiajia Liu,Jimin Peng,Jiazhong Lu

DOI: https://doi.org/10.1016/j.cose.2024.104175

IF: 5.105

2024-11-01

Computers & Security

Abstract:To enhance the robustness of intrusion detection classifiers, we propose a Time Series-based Adversarial Attack Framework (TSAF) targeting the temporal characteristics of network traffic. Initially, adversarial samples are generated using the gradient calculations of CNNs, with updates iterated based on model loss. Different attack schemes are then applied to various traffic types and saved as generic adversarial perturbations. These time series-based perturbations are subsequently injected into the traffic stream. To precisely implement the adversarial perturbations, a masking mechanism is utilized. Our adversarial sample model was evaluated, and the results indicate that our samples can reduce the accuracy and recall rates for detecting four types of malicious network traffic, including botnets, brute force, port scanning, and web attacks, as well as degrade the detection performance of DDoS traffic. The CNN model's accuracy dropped by up to 72.76%, and the SDAE model's accuracy by up to 78.77% with minimal perturbations. Our adversarial sample attack offers a new perspective in the field of cybersecurity and lays the groundwork for designing AI models that can resist adversarial attacks more effectively.

computer science, information systems

Hassan Ismail Fawaz,Germain Forestier,Jonathan Weber,Lhassane Idoumghar,Pierre-Alain Muller

DOI: https://doi.org/10.1109/ijcnn.2019.8851936

2019-07-01

Abstract:Time Series Classification (TSC) problems are encountered in many real life data mining tasks ranging from medicine and security to human activity recognition and food safety. With the recent success of deep neural networks in various domains such as computer vision and natural language processing, researchers started adopting these techniques for solving time series data mining problems. However, to the best of our knowledge, no previous work has considered the vulnerability of deep learning models to adversarial time series examples, which could potentially make them unreliable in situations where the decision taken by the classifier is crucial such as in medicine and security. For computer vision problems, such attacks have been shown to be very easy to perform by altering the image and adding an imperceptible amount of noise to trick the network into wrongly classifying the input image. Following this line of work, we propose to leverage existing adversarial attack mechanisms to add a special noise to the input time series in order to decrease the network’s confidence when classifying instances at test time. Our results reveal that current state-of-the-art deep learning time series classifiers are vulnerable to adversarial attacks which can have major consequences in multiple domains such as food safety and quality assurance.

YANG Wen-bo,YUAN Ji-dong

DOI: https://doi.org/10.11896/jsjkx.210900254

2022-01-01

Abstract:Deep neural networks(DNNs) for time series classification have potential security concerns due to their vulnerability to adversarial attacks.The existing attack methods on time series performglobal perturbation based on gradient information,and the generated adversarial examples are easy to be perceived.This paper proposes a locally black-box method to attack DNNs without gradient information.First,the attack is described as a constrained optimization problem with the assumption that the method cannot get any inner information of the model,then the genetic algorithm is employed to solve it.Second,since time series shapelets provides the most discriminative information among different categories,it is designed as a local perturbation interval.Experimental results on UCR datasets that have potential security concerns indicate that the proposed method can effectively attack DNNs and generate adversarial samples.In addition,compared with the benchmark,the method significantly reduces the mean squared error while keeping a high success rate.

Ziyi Liu,Dengpan Ye,Long Tang,Yunming Zhang,Jiacheng Deng

2024-09-19

Abstract:With the development of artificial intelligence, neural networks play a key role in network intrusion detection systems (NIDS). Despite the tremendous advantages, neural networks are susceptible to adversarial attacks. To improve the reliability of NIDS, many research has been conducted and plenty of solutions have been proposed. However, the existing solutions rarely consider the adversarial attacks against recurrent neural networks (RNN) with time steps, which would greatly affect the application of NIDS in real world. Therefore, we first propose a novel RNN adversarial attack model based on feature reconstruction called \textbf{T}emporal adversarial \textbf{E}xamples \textbf{A}ttack \textbf{M}odel \textbf{(TEAM)}, which applied to time series data and reveals the potential connection between adversarial and time steps in RNN. That is, the past adversarial examples within the same time steps can trigger further attacks on current or future original examples. Moreover, TEAM leverages Time Dilation (TD) to effectively mitigates the effect of temporal among adversarial examples within the same time steps. Experimental results show that in most attack categories, TEAM improves the misjudgment rate of NIDS on both black and white boxes, making the misjudgment rate reach more than 96.68%. Meanwhile, the maximum increase in the misjudgment rate of the NIDS for subsequent original samples exceeds 95.57%.

Cryptography and Security,Artificial Intelligence

Fazle Karim,Somshubra Majumdar,Houshang Darabi

DOI: https://doi.org/10.48550/arXiv.1902.10755

2019-03-01

Abstract:Time series classification models have been garnering significant importance in the research community. However, not much research has been done on generating adversarial samples for these models. These adversarial samples can become a security concern. In this paper, we propose utilizing an adversarial transformation network (ATN) on a distilled model to attack various time series classification models. The proposed attack on the classification model utilizes a distilled model as a surrogate that mimics the behavior of the attacked classical time series classification models. Our proposed methodology is applied onto 1-Nearest Neighbor Dynamic Time Warping (1-NN ) DTW, a Fully Connected Network and a Fully Convolutional Network (FCN), all of which are trained on 42 University of California Riverside (UCR) datasets. In this paper, we show both models were susceptible to attacks on all 42 datasets. To the best of our knowledge, such an attack on time series classification models has never been done before. Finally, we recommend future researchers that develop time series classification models to incorporating adversarial data samples into their training data sets to improve resilience on adversarial samples and to consider model robustness as an evaluative metric.

Machine Learning

Xing Xu,Jiefu Chen,Jinhui Xiao,Zheng Wang,Yang,Heng Tao Shen

DOI: https://doi.org/10.1145/3394171.3413543

2020-01-01

Abstract:A large number of recent studies on adversarial attack have verified that a Deep Neural Network (DNN) model designed for non-sequential recognition (NSR) tasks (e.g., classification, detection and segmentation) can be easily fooled by adversarial examples. However, only a few researches pay attention to the adversarial attack on sequential recognition (SR). They either apply the attack methods proposed for NSR to SR by neglecting the sequential dependencies, or focus on attacking specific SR models without considering the generality. In this paper, we study the adversarial attack on the general and popular DNN structure of CNN+RNN, i.e., the combination of convolutional neural network (CNN) and recurrent neural network (RNN), which has been widely used in various SR tasks. We take the scene text recognition (STR) and image captioning (IC) as case study, and derive the objective function for attacking the CNN+RNN based models with targeted and untargeted attack modes, and then developed an optimization-based algorithm to learn adversarial perturbations from the derived gradients of each character (or word) in sequence by incorporating the sequential dependencies. Extensive experiments show that our proposed method can effective fool several state-of-the-arts including four STR models and two IC models with higher successful rate and less time consumption, comparing to three latest attack methods.

Pradeep Rathore,Arghya Basak,Sri Harsha Nistala,Venkataramana Runkana

DOI: https://doi.org/10.1109/IJCNN48605.2020.9207272

2021-01-13

Abstract:Deep learning based models are vulnerable to adversarial attacks. These attacks can be much more harmful in case of targeted attacks, where an attacker tries not only to fool the deep learning model, but also to misguide the model to predict a specific class. Such targeted and untargeted attacks are specifically tailored for an individual sample and require addition of an imperceptible noise to the sample. In contrast, universal adversarial attack calculates a special imperceptible noise which can be added to any sample of the given dataset so that, the deep learning model is forced to predict a wrong class. To the best of our knowledge these targeted and universal attacks on time series data have not been studied in any of the previous works. In this work, we have performed untargeted, targeted and universal adversarial attacks on UCR time series datasets. Our results show that deep learning based time series classification models are vulnerable to these attacks. We also show that universal adversarial attacks have good generalization property as it need only a fraction of the training data. We have also performed adversarial training based adversarial defense. Our results show that models trained adversarially using Fast gradient sign method (FGSM), a single step attack, are able to defend against FGSM as well as Basic iterative method (BIM), a popular iterative attack.

Machine Learning

Sahar Sadrizadeh,Ljiljana Dolamic,Pascal Frossard

2023-06-16

Abstract:Deep neural networks have been shown to be vulnerable to small perturbations of their inputs, known as adversarial attacks. In this paper, we investigate the vulnerability of Neural Machine Translation (NMT) models to adversarial attacks and propose a new attack algorithm called TransFool. To fool NMT models, TransFool builds on a multi-term optimization problem and a gradient projection step. By integrating the embedding representation of a language model, we generate fluent adversarial examples in the source language that maintain a high level of semantic similarity with the clean samples. Experimental results demonstrate that, for different translation tasks and NMT architectures, our white-box attack can severely degrade the translation quality while the semantic similarity between the original and the adversarial sentences stays high. Moreover, we show that TransFool is transferable to unknown target models. Finally, based on automatic and human evaluations, TransFool leads to improvement in terms of success rate, semantic similarity, and fluency compared to the existing attacks both in white-box and black-box settings. Thus, TransFool permits us to better characterize the vulnerability of NMT models and outlines the necessity to design strong defense mechanisms and more robust NMT systems for real-life applications.

Computation and Language

Taha Belkhouja,Janardhan Rao Doppa

DOI: https://doi.org/10.1613/jair.1.13543

2022-07-10

Abstract:Time-series data arises in many real-world applications (e.g., mobile health) and deep neural networks (DNNs) have shown great success in solving them. Despite their success, little is known about their robustness to adversarial attacks. In this paper, we propose a novel adversarial framework referred to as Time-Series Attacks via STATistical Features (TSA-STAT)}. To address the unique challenges of time-series domain, TSA-STAT employs constraints on statistical features of the time-series data to construct adversarial examples. Optimized polynomial transformations are used to create attacks that are more effective (in terms of successfully fooling DNNs) than those based on additive perturbations. We also provide certified bounds on the norm of the statistical features for constructing adversarial examples. Our experiments on diverse real-world benchmark datasets show the effectiveness of TSA-STAT in fooling DNNs for time-series domain and in improving their robustness. The source code of TSA-STAT algorithms is available at

Computer Science

Lianli Gao,Qilong Zhang,Jingkuan Song,Xianglong Liu,Heng Tao Shen

DOI: https://doi.org/10.1007/978-3-030-58604-1_19

2020-01-01

Abstract:By adding human-imperceptible noise to clean images, the resultant adversarial examples can fool other unknown models. Features of a pixel extracted by deep neural networks (DNNs) are influenced by its surrounding regions, and different DNNs generally focus on different discriminative regions in recognition. Motivated by this, we propose a patch-wise iterative algorithm – a black-box attack towards mainstream normally trained and defense models, which differs from the existing attack methods manipulating pixel-wise noise. In this way, without sacrificing the performance of white-box attack, our adversarial examples can have strong transferability. Specifically, we introduce an amplification factor to the step size in each iteration, and one pixel’s overall gradient overflowing the \(\epsilon \)-constraint is properly assigned to its surrounding regions by a project kernel. Our method can be generally integrated to any gradient-based attack methods. Compared with the current state-of-the-art attacks, we significantly improve the success rate by 9.2% for defense models and 3.7% for normally trained models on average. Our code is available at https://github.com/qilong-zhang/Patch-wise-iterative-attack

Hui Liu,Bo Zhao,Minzhi Ji,Mengchen Li,Peng Liu

DOI: https://doi.org/10.1016/j.ins.2022.08.026

IF: 8.1

2022-10-01

Information Sciences

Abstract:Adversarial examples are well-designed input samples that include perturbations that are imperceptible to the human eye but easily mislead the output of deep neural networks (DNNs). Existing studies synthesize adversarial examples by leveraging simple metrics to penalize perturbations that lack sufficient consideration of the human visual system (HVS), producing noticeable artifacts. To explore why these perturbations are visible,four primary factors that affect the perceptibility of human eyes are summarized in this paper. Based on this investigation, we design a multi-factor metric MulFactorLoss for measuring the perceptual loss between benign examples and adversarial examples. To test the imperceptibility of the multi-factor metric, we propose a novel black-box adversarial attack that is referred to as GreedyFool. GreedyFool applies differential evolution to evaluate the effects of perturbed pixels on the confidence of a target DNN and introduces greedy approximation to automatically generate adversarial perturbations. We conduct extensive experiments on the ImageNet and CIFRA-10 datasets and a comprehensive user study with 60 participants. The experimental results demonstrate that MulFactorLoss is a more imperceptible metric than the existing pixelwise metrics, and GreedyFool achieves a 100% success rate in a black-box manner.

computer science, information systems

S. M. Fazle Rabby Labib,Joyanta Jyoti Mondal,Meem Arafat Manab,Sarfaraz Newaz,Xi Xiao

2024-08-30

Abstract:The susceptibility of deep neural networks (DNNs) to adversarial attacks undermines their reliability across numerous applications, underscoring the necessity for an in-depth exploration of these vulnerabilities and the formulation of robust defense strategies. The DeepFool algorithm by Moosavi-Dezfooli et al. (2016) represents a pivotal step in identifying minimal perturbations required to induce misclassification of input images. Nonetheless, its generic methodology falls short in scenarios necessitating targeted interventions. Additionally, previous research studies have predominantly concentrated on the success rate of attacks without adequately addressing the consequential distortion of images, the maintenance of image quality, or the confidence threshold required for misclassification. To bridge these gaps, we introduce the Enhanced Targeted DeepFool (ET DeepFool) algorithm, an evolution of DeepFool that not only facilitates the specification of desired misclassification targets but also incorporates a configurable minimum confidence score. Our empirical investigations demonstrate the superiority of this refined approach in maintaining the integrity of images and minimizing perturbations across a variety of DNN architectures. Unlike previous iterations, such as the Targeted DeepFool by Gajjar et al. (2022), our method grants unparalleled control over the perturbation process, enabling precise manipulation of model responses. Preliminary outcomes reveal that certain models, including AlexNet and the advanced Vision Transformer, display commendable robustness to such manipulations. This discovery of varying levels of model robustness, as unveiled through our confidence level adjustments, could have far-reaching implications for the field of image recognition. Our code will be made public upon acceptance of the paper.

Computer Vision and Pattern Recognition,Artificial Intelligence,Machine Learning

Daizong Ding,Mi Zhang,Yuanmin Huang,Xudong Pan,Fuli Feng,Erling Jiang,Min Yang

DOI: https://doi.org/10.1109/icde53745.2022.00100

2022-01-01

Abstract:As a fundamental task in modern data mining, time series classification is powering mission-critical tasks including stock price prediction and network traffic analysis. Due to the non-linear structure of deep neural networks (DNN), deep learning has established as a promising solution to time series classification. However, the excessive learning capacity of DNNs may make them prone to threats of backdoor attacks, where an attacker embeds hidden functionalities (i.e., backdoor) to DNNs and activates the backdoor by specially-designed inputs (i.e., triggers). Despite extensive studies concerning backdoor attacks on image and text domains, there is little known about the vulnerability of DNN based time series classifiers against backdoor attacks. Due to the unique characteristics of time series data, most existing backdoor attack techniques fail to threaten time series classifiers. In this paper, through analyzing the key factors which influence the effectiveness of a backdoor, we systematize a list of practical principles for designing triggers on time series data. In this light, we propose a novel framework called TimeTrojan, which aims to learn to form the trigger pattern through a constrained multi-objective optimization. To solve the hereafter challenging optimization issue, we further design an iterative learning algorithm. Remarkably, the proposed framework is agnostic to a wide range of DNN classifiers. Extensive empirical results on 6 representative DNN classifiers and 6 real-world datasets validate the effectiveness of the proposed attack framework. In most cases, TimeTrojan successfully injects backdoors with 100% attack success rate without affecting the model accuracy on clean samples, which implies the complete control of the behavior of the DNN classifiers by the adversary.

Jinyin Chen,Haibin Zheng,Hui Xiong,Ruoxi Chen,Tianyu Du,Zhen Hong,Shouling Ji

DOI: https://doi.org/10.1016/j.cose.2021.102220

2021-05-01

Abstract:Deep neural networks (DNNs) have various applications owing to their feature learning ability. However, recent studies have shown that DNNs are vulnerable to adversarial examples. Currently, research on the generation of adversarial examples primarily focuses on improving the attack success rate (ASR) while reducing the perturbation size. By visualizing of heat maps, previous works have found that the feature extraction effect of DNNs is owing to the precise location of object contours and the provision of the correct attention to those areas. Therefore, the perturbations in adversarial examples will weaken the location of object contours in deep hidden layers and reduce the attention scope of the object area, which will lead to successful attacks. Inspired by this observation, we propose FineFool, a novel adversarial attack based on the attention perturbation adversarial technique, which includes channel-spatial attention and pixel-spatial attention. The former reduces the area of concern using DNNs while the latter achieves the error location of the object contours. By using the attention perturbation adversarial technique to target positions that are more vulnerable in legitimate examples, FineFool achieves a higher ASR with fewer perturbations compared with that of state-of-the-art adversarial attacks. Extensive experiments are carried out on MNIST, CIFAR10, and ImageNet datasets against six models. The results show that FineFool can achieve the best performance compared with the six baselines. More specifically, the mean ASR values of untargeted/targeted attack are 99.23% and 98.26% for FineFool on all datasets, respectively, which is the highest under white-box attack situations. The code of FineFool is open sourced at https://zenodo.org/record/4421611#.X.

computer science, information systems