What problem does this paper attempt to address?

The problem that this paper attempts to solve is: How to optimize the classic PGD attack method to achieve imperceptible adversarial attacks without relying on additional complex designs. Specifically, the author believes that existing methods usually enhance the imperceptibility of attacks by introducing perception - related modules or loss terms, but these additional designs may not be necessary. The author proposes that if an attack method can successfully push an image across the decision boundary of the attacked model with the minimum perturbation intensity, then the attack is essentially imperceptible. ### Core problems of the paper 1. **Rethinking the essence of imperceptible attacks**: - The author believes that the key to imperceptible attacks lies in pushing the image across the model's decision boundary at the minimum cost, rather than relying on additional constraints or modules. 2. **Releasing the potential of classic PGD**: - Through two simple and effective strategies - Dynamic Step Size and Adaptive Early Stop, the author aims to optimize the classic PGD attack method so that it can perform well in imperceptible attacks. ### Specific problems and solutions - **Dynamic Step Size**: - The dynamic step - size strategy makes the optimization process more refined by allocating different parts of the total budget in each iteration, so as to find the optimal solution and reach the decision boundary at a lower cost. - The mathematical expression is: \[ \sum_{t = 1}^{T}\alpha_t=\sum_{t = 1}^{T}\eta_t\cdot\beta=\epsilon \] where \(\alpha_t = \eta_t\cdot\beta\), \(\eta_{1:T}\in(0, 1]^T\) is a predefined coefficient sequence, and \(\beta\) is a fixed scale factor. - **Adaptive Early Stop**: - The adaptive early - stop strategy evaluates whether the current result has successfully attacked the classifier in the later iterations. Once successful, the optimization is stopped immediately to minimize the redundant perturbation intensity. - This strategy not only reduces the computational complexity but also improves the robustness of the attack and reduces the sensitivity to the hyperparameters \(\epsilon\) and \(T\). ### Experimental results - **Untargeted Attacks**: - PGD - Imp achieves a 100% attack success rate (ASR) on ResNet - 50, while the l2 distance is only 0.89 and the PSNR reaches 52.93, which is significantly better than existing methods. - **Targeted Attacks**: - PGD - Imp also performs well in targeted attacks against ResNet - 50, achieving a 100% ASR, with l∞ only 0.01, l2 distance of 1.42, and better image quality. ### Conclusion By rethinking the essence of imperceptible attacks and introducing the dynamic step - size and adaptive early - stop strategies, PGD - Imp successfully achieves efficient and imperceptible adversarial attacks without relying on additional complex designs. This not only improves the attack performance but also simplifies the design of the attack method.