Robustness and Transferability of Adversarial Attacks on Different Image Classification Neural Networks

Kamilya Smagulova, Lina Bacha, Mohammed E. Fouda, Rouwaida Kanj, Ahmed Eltawil
DOI: https://doi.org/10.3390/electronics13030592
IF: 2.9
2024-02-01
Electronics
Abstract: Recent works demonstrated that imperceptible perturbations to input data, known as adversarial examples, can mislead neural networks' output. Moreover, the same adversarial sample can be transferable and used to fool different neural models. Such vulnerabilities impede the use of neural networks in mission-critical tasks. To the best of our knowledge, this is the first paper that evaluates the robustness of emerging CNN- and transformer-inspired image classifier models such as SpinalNet and Compact Convolutional Transformer (CCT) against popular white- and black-box adversarial attacks imported from the Adversarial Robustness Toolbox (ART). In addition, the adversarial transferability of the generated samples across given models was studied. The tests were carried out on the CIFAR-10 dataset, and the obtained results show that the level of susceptibility of SpinalNet against the same attacks is similar to that of the traditional VGG model, whereas CCT demonstrates better generalization and robustness. The results of this work can be used as a reference for further studies, such as the development of new attacks and defense mechanisms.
engineering, electrical & electronic; computer science, information systems; physics, applied
What problem does this paper attempt to address?
The problem that this paper attempts to solve is to evaluate the robustness and transferability of different image-classification neural-network models against adversarial attacks. Specifically, the paper studies the robustness of emerging CNN (Convolutional Neural Network) and Transformer-based image-classifier models (such as SpinalNet and the Compact Convolutional Transformer, CCT) against popular white-box and black-box adversarial attacks from the Adversarial Robustness Toolbox (ART), and explores the transferability of these adversarial samples among the models. Through tests on the CIFAR-10 dataset, the paper aims to provide a reference for subsequent research, such as developing new attack and defense mechanisms.

### Main contributions of the paper:

1. **Evaluated the robustness of the SpinalNet and CCT models against popular targeted and non-targeted attacks.**
2. **Evaluated the transferability of non-targeted attacks among the VGG, SpinalNet and CCT models.**

### Main findings:

- **The SpinalNet model is slightly more robust than its corresponding VGG model in some cases**, but overall the two react similarly to all applied attacks.
- **The CCT-7/3×1 model shows higher robustness in most cases**, especially against simple adversarial samples (such as FGSM and PixelAttack).
- **The CCT model is highly sensitive to the C&W ℓ2 attack**, which causes an accuracy drop of up to 40.7%, while the SpinalNet and VGG models behave similarly under the C&W ℓ∞ attack in this respect.

### Conclusion:

The results show that different types of neural-network models exhibit different robustness against adversarial attacks. The CCT model shows stronger robustness under certain attacks, which provides a valuable reference for the development of future defense mechanisms. At the same time, the research also emphasizes the transferability of adversarial samples, which is of great significance for designing more secure neural-network systems.
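The transferability measurement described above (craft samples against one model, then test them on another) can be reproduced at toy scale. The following is an added example, not code from the paper or from ART: it trains a logistic-regression "source" model and a gradient-free nearest-centroid "target" model on constructed synthetic data (a stand-in for CIFAR-10), crafts untargeted FGSM samples against the source using its closed-form input gradient, and reports the accuracy drop on both models. All names, sizes and data here are assumptions of this example.

```python
import numpy as np

# Constructed two-class data (hypothetical stand-in for CIFAR-10): class 1 centred at +MU, class 0 at -MU.
rng = np.random.default_rng(0)
DIM = 20
MU = rng.normal(size=DIM) * 0.6

def make_data(n):
    y = rng.integers(0, 2, size=n)
    return rng.normal(size=(n, DIM)) + np.where(y[:, None] == 1, MU, -MU), y

def train_logreg(X, y, steps=300, lr=0.1):
    # White-box "source" model: logistic regression fitted by gradient descent.
    w, b = np.zeros(DIM), 0.0
    for _ in range(steps):
        p = 1.0 / (1.0 + np.exp(-(X @ w + b)))
        g = p - y                      # d(BCE loss)/d(logit)
        w -= lr * X.T @ g / len(y)
        b -= lr * g.mean()
    return ("logreg", w, b)

def train_centroid(X, y):
    # Black-box "target" model: nearest class centroid, exposes no gradient.
    return ("centroid", X[y == 0].mean(axis=0), X[y == 1].mean(axis=0))

def predict(model, X):
    kind, a, b = model
    if kind == "logreg":
        return (X @ a + b > 0).astype(int)
    return (np.linalg.norm(X - b, axis=1) < np.linalg.norm(X - a, axis=1)).astype(int)

def accuracy(model, X, y):
    return float((predict(model, X) == y).mean())

def fgsm(model, X, y, eps):
    # Untargeted FGSM against the logistic source: x + eps*sign(dLoss/dx), with dLoss/dx = (p - y)*w.
    _, w, b = model
    p = 1.0 / (1.0 + np.exp(-(X @ w + b)))
    return X + eps * np.sign((p - y)[:, None] * w[None, :])

def transfer_eval(source, target, X, y, eps):
    # Clean vs adversarial accuracy of both models; the target's drop measures transferability.
    X_adv = fgsm(source, X, y, eps)
    return {"source_clean": accuracy(source, X, y), "source_adv": accuracy(source, X_adv, y),
            "target_clean": accuracy(target, X, y), "target_adv": accuracy(target, X_adv, y)}

def run(eps=1.0):
    X_tr, y_tr = make_data(800)
    X_te, y_te = make_data(400)
    return transfer_eval(train_logreg(X_tr, y_tr), train_centroid(X_tr, y_tr), X_te, y_te, eps)
```

Because both toy models separate the classes along nearly the same direction, samples crafted against the source transfer almost fully to the centroid model; the paper's point is that this degree of transfer differs across real architectures such as VGG, SpinalNet and CCT.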