Yixuan Wang,Wei Hong,Xueqin Zhang,Qing Zhang,Chunhua Gu

DOI: https://doi.org/10.1016/j.knosys.2024.112152

IF: 8.139

2024-01-01

Knowledge-Based Systems

Abstract:Deep neural networks (DNNs) perform excellently in various vision tasks, however, they are susceptible to the adversarial samples. These samples are crafted by injecting subtle perturbations into benign images that are barely detectable to humans. Due to the differences between the substitute model and target model, the efficacy of black-box attack still yield suboptimal results. To address this issue, we propose a black-box attack approach, SD-FI2M, based on the momentum iterative fast gradient sign method, which can craft potent adversarial samples by inducing diverse inputs in the frequency domain and the saliency distribution of images. To enhance the diversity of input samples in frequency domain, a spectrum transformation technique utilizing the discrete cosine transform was used to craft adversarial samples with higher transferability. Further, Guided Grad-CAM was employed to obtain the saliency distribution of benign images, reducing indiscriminate damage to image features and alleviating the overfitting problem in adversarial samples. Extensive experiments on ImageNet have verified the superior attack performance and transferability of the proposed method.

Jiayang Liu,Siyu Zhu,Siyuan Liang,Jie Zhang,Han Fang,Weiming Zhang,Ee-Chien Chang

2023-11-18

Abstract:Deep neural networks (DNNs) are susceptible to adversarial examples, which introduce imperceptible perturbations to benign samples, deceiving DNN predictions. While some attack methods excel in the white-box setting, they often struggle in the black-box scenario, particularly against models fortified with defense mechanisms. Various techniques have emerged to enhance the transferability of adversarial attacks for the black-box scenario. Among these, input transformation-based attacks have demonstrated their effectiveness. In this paper, we explore the potential of leveraging data generated by Stable Diffusion to boost adversarial transferability. This approach draws inspiration from recent research that harnessed synthetic data generated by Stable Diffusion to enhance model generalization. In particular, previous work has highlighted the correlation between the presence of both real and synthetic data and improved model generalization. Building upon this insight, we introduce a novel attack method called Stable Diffusion Attack Method (SDAM), which incorporates samples generated by Stable Diffusion to augment input images. Furthermore, we propose a fast variant of SDAM to reduce computational overhead while preserving high adversarial transferability. Our extensive experimental results demonstrate that our method outperforms state-of-the-art baselines by a substantial margin. Moreover, our approach is compatible with existing transfer-based attacks to further enhance adversarial transferability.

Computer Vision and Pattern Recognition

Shanjun Xu,Linghui Li,Kaiguo Yuan,Bingyu Li

2024-11-11

Abstract:Deep neural networks can be vulnerable to adversarially crafted examples, presenting significant risks to practical applications. A prevalent approach for adversarial attacks relies on the transferability of adversarial examples, which are generated from a substitute model and leveraged to attack unknown black-box models. Despite various proposals aimed at improving transferability, the success of these attacks in targeted black-box scenarios is often hindered by the tendency for adversarial examples to overfit to the surrogate models. In this paper, we introduce a novel framework based on Salient region & Weighted Feature Drop (SWFD) designed to enhance the targeted transferability of adversarial examples. Drawing from the observation that examples with higher transferability exhibit smoother distributions in the deep-layer outputs, we propose the weighted feature drop mechanism to modulate activation values according to weights scaled by norm distribution, effectively addressing the overfitting issue when generating adversarial examples. Additionally, by leveraging salient region within the image to construct auxiliary images, our method enables the adversarial example's features to be transferred to the target category in a model-agnostic manner, thereby enhancing the transferability. Comprehensive experiments confirm that our approach outperforms state-of-the-art methods across diverse configurations. On average, the proposed SWFD raises the attack success rate for normally trained models and robust models by 16.31% and 7.06% respectively.

Information Retrieval

Cihang Xie,Zhishuai Zhang,Yuyin Zhou,Song Bai,Jianyu Wang,Zhou Ren,Alan L. Yuille

DOI: https://doi.org/10.1109/cvpr.2019.00284

2019-06-01

Abstract:Though CNNs have achieved the state-of-the-art performance on various vision tasks, they are vulnerable to adversarial examples — crafted by adding human-imperceptible perturbations to clean images. However, most of the existing adversarial attacks only achieve relatively low success rates under the challenging black-box setting, where the attackers have no knowledge ofthe model structure and parameters. To this end, we propose to improve the transferability of adversarial examples by creating diverse input patterns. Instead of only using the original images to generate adversarial examples, our method applies random transformations to the input images at each iteration. Extensive experiments on ImageNet show that the proposed attack method can generate adversarial examples that transfer much better to different networks than existing baselines. By evaluating our method against top defense solutions and official baselines from NIPS 2017 adversarial competition, the enhanced attack reaches an average success rate of 73.0%, which outperforms the top-1 attack submission in the NIPS competition by a large margin of 6.6%. We hope that our proposed attack strategy can serve as a strong benchmark baseline for evaluating the robustness of networks to adversaries and the effectiveness of different defense methods in the future. Code is available at https://github.com/cihangxie/DI-2-FGSM.

Yiheng Duan,Yunjie Ge,Zixuan Wang,Jiayi Yu,Shenyi Zhang,Libing Wu

DOI: https://doi.org/10.1109/icme57554.2024.10688210

2024-01-01

Abstract:Transfer-based adversarial attacks highlight a critical security concern in the vulnerability of deep neural networks (DNNs). By generating deceptive inputs on a surrogate model, these attacks efficiently transfer the malicious examples to target models, even those with different architectures. However, current transfer-based adversarial attacks face a significant challenge. Existing strategies, including gradient optimization, input transformation, and model ensemble methods, struggle to strike an effective balance between computational cost and transferability. To alleviate this issue, we introduce a novel method, dubbed Noise Injection Augmentation (NIA). NIA enhances the transferability of the generated adversarial examples by introducing randomness into the surrogate models. The key idea of NIA is to explore the regularization properties of noise injection. Furthermore, we achieve stronger transferability by combining NIA with the idea of model self-ensemble. Extensive experiments show that NIA significantly enhances the attack performance of various potent adversarial attacks such as MI-FGSM, MDTI-FGSM, and S 2 I-FGSM by 28%, 20.4%, and 18.6%. On average, combined with the state-of-the-art transfer-based attack, NIA further improves transferability to 93.8% on normally trained models and 72% on robust models.

Dian Zhang,Yunwei Dong,Yun Yang

DOI: https://doi.org/10.1016/j.asoc.2024.111733

IF: 8.7

2024-01-01

Applied Soft Computing

Abstract:With the widespread application of deep learning, the vulnerability of neural networks has attracted considerable attention, raising reliability and security concerns. Therefore, research on the robustness of neural networks has become increasingly critical. In this paper, we propose a novel sample-analysis based robustness evaluation method that overcomes the drawbacks of existing techniques, such as solving difficulty, single strategy, and loose radius. Our algorithm comprises two parts: robustness evaluation and adversarial attacks. Specifically, we introduce formal definitions of multiple sample types and a general solution to the problem of adversarial samples. We formulate a disturbance model-based description of adversarial samples in the adversarial attack algorithm and utilize saliency map to solve them. Our experimental results demonstrate that our adversarial attack algorithm not only achieves a high attack success rate in a relatively small disturbance range but also generates multiple adversarial examples for each clean example. Our algorithm can evaluate the robustness of complex datasets and models, overcome the lack of a single strategy in solving adversarial examples, and provide a more accurate radius of robustness.

Jianping Zhang,Jen-tse Huang,Wenxuan Wang,Yichen Li,Weibin Wu,Xiaosen Wang,Yuxin Su,Michael R. Lyu

DOI: https://doi.org/10.48550/arXiv.2303.15735

2023-03-28

Abstract:Deep neural networks have achieved unprecedented success on diverse vision tasks. However, they are vulnerable to adversarial noise that is imperceptible to humans. This phenomenon negatively affects their deployment in real-world scenarios, especially security-related ones. To evaluate the robustness of a target model in practice, transfer-based attacks craft adversarial samples with a local model and have attracted increasing attention from researchers due to their high efficiency. The state-of-the-art transfer-based attacks are generally based on data augmentation, which typically augments multiple training images from a linear path when learning adversarial samples. However, such methods selected the image augmentation path heuristically and may augment images that are semantics-inconsistent with the target images, which harms the transferability of the generated adversarial samples. To overcome the pitfall, we propose the Path-Augmented Method (PAM). Specifically, PAM first constructs a candidate augmentation path pool. It then settles the employed augmentation paths during adversarial sample generation with greedy search. Furthermore, to avoid augmenting semantics-inconsistent images, we train a Semantics Predictor (SP) to constrain the length of the augmentation path. Extensive experiments confirm that PAM can achieve an improvement of over 4.8% on average compared with the state-of-the-art baselines in terms of the attack success rates.

Computer Vision and Pattern Recognition

Shuai Zhao,Tuo Li,Boyuan Zhang,Yang Zhai,Ziyi Liu,Yahong Han

DOI: https://doi.org/10.1109/icme57554.2024.10688238

2024-01-01

Abstract:Adversarial attacks deceive deep neural networks by adding subtle perturbations to benign examples, threatening various applications. However, traditional methods lack effective transferability to unknown black-box networks. Addressing this, we introduce a new method, Patch-based Transfer Attack (PTA), comprising Sensitive Area Localization (SAL) and Robust Perturbations Generation (RPG). SAL identifies highly activated regions, while RPG employs adversarial fine-tuning (AFT) and adversarial feature mixing (AFM) to target robust features, enhancing transferability. AFT adapts the surrogate model to current adversarial examples, and AFM combines adversarial and clean example features, compelling the focus on robust features. Our comprehensive tests demonstrate PTA’s superior transferability, outperforming existing methods, especially when integrated with other techniques.

Han Wu,Guanyan Ou,Weibin Wu,Zibin Zheng

DOI: https://doi.org/10.1109/cvpr52733.2024.02324

2024-01-01

Abstract:Various transfer attack methods have been proposed to evaluate the robustness of deep neural networks (DNNs). Although manifesting remarkable performance in generating untargeted adversarial perturbations, existing proposals still fail to achieve high targeted transferability. In this work, we discover that the adversarial perturbations' over-fitting towards source models of mediocre generalization capability can hurt their targeted transferability. To address this issue, we focus on enhancing the source model's gener-alization capability to improve its ability to conduct trans-ferable targeted adversarial attacks. In pursuit of this goal, we propose a novel model self-enhancement method that in-corporates two major components: Sharpness-Aware Self-Distillation (SASD) and Weight Scaling (WS). Specifically, SASD distills a fine-tuned auxiliary model, which mirrors the source model's structure, into the source model while flattening the source model's loss landscape. WS obtains an approximate ensemble of numerous pruned models to per-form model augmentation, which can be conveniently syn-ergized with SASD to elevate the source model's generalization capability and thus improve the resultant targeted per-turbations' transferability. Extensive experiments corrobo-rate the effectiveness of the proposed method. Notably, under the black-box setting, our approach can outperform the state-of-the-art baselines by a significant margin of 12.2% on average in terms of the obtained targeted transferability. Code is available at https://github.com/g4alllf/SASD.

Yuchen Ren,Hegui Zhu,Xiaoyan Sui,Chong Liu

DOI: https://doi.org/10.1016/j.ins.2023.119273

IF: 8.1

2023-01-01

Information Sciences

Abstract:Adversarial attacks play a vital role in the development of deep learning techniques, which can evaluate the robustness of deep neural networks (DNNs) as well as explore their decision mechanism. Recently, feature-level attacks have been proposed to contaminate the internal feature maps of the source model at each iteration, providing a new method to produce transferable adversarial examples. In this paper, we uncover two neglected problems behind current feature-level attacks and propose an ingenious Salient Feature Variance Attack (SFVA). Concretely, we first apply a Combined Feature Enhancement Transformation (CFET) on the copies of clean images to estimate the optimal feature weight. Then we construct an efficient objective based on the variance of salient features and adopt a classical attack MI-FGSM (MI) to add adversarial noises to the clean image along the direction of gradients. Moreover, we also make it possible to combine the ensemble strategy with feature-level attacks. Abundant experiments on the ImageNet dataset forcefully confirm the superiority of SFVA, which has become a state-of-the-art feature-level attack. Furthermore, we also evaluate the robustness of the practical online model with SFVA, where the 90% attack success rate reveals a worrying fact that the real-world deployed models are subject to serious security threats.

Yinpeng Dong,Tianyu Pang,Hang Su,Jun Zhu

2018-01-01

Abstract:Deep neural networks are vulnerable to adversarial examples, which can mislead classifiers by adding imperceptible perturbations. An intriguing property of adversarial examples is their good transferability, making black-box attacks feasible in real-world applications. Due to the threat of adversarial attacks, many methods have been proposed to improve the robustness, and several state-of-the-art defenses are shown to be robust against transferable adversarial examples. In this paper, we identify the attention shift phenomenon, which may hinder the transferability of adversarial examples to the defense models. It indicates that the defenses rely on different discriminative regions to make predictions compared with normally trained models. Therefore, we propose an attention-invariant attack method to generate more transferable adversarial examples. Extensive experiments on the ImageNet dataset validate the …

Donghua Wang,Wen Yao,Tingsong Jiang,Xiaohu Zheng,Junqi Wu,Xiaoqian Chen

2024-07-09

Abstract:Despite the success of input transformation-based attacks on boosting adversarial transferability, the performance is unsatisfying due to the ignorance of the discrepancy across models. In this paper, we propose a simple but effective feature augmentation attack (FAUG) method, which improves adversarial transferability without introducing extra computation costs. Specifically, we inject the random noise into the intermediate features of the model to enlarge the diversity of the attack gradient, thereby mitigating the risk of overfitting to the specific model and notably amplifying adversarial transferability. Moreover, our method can be combined with existing gradient attacks to augment their performance further. Extensive experiments conducted on the ImageNet dataset across CNN and transformer models corroborate the efficacy of our method, e.g., we achieve improvement of +26.22% and +5.57% on input transformation-based attacks and combination methods, respectively.

Computer Vision and Pattern Recognition

Weihan Zhang,Ying Guo

DOI: https://doi.org/10.1016/j.phycom.2024.102330

IF: 2.379

2024-01-01

Physical Communication

Abstract:Adversarial examples (AE) have become a huge threat to the security and robustness of deep neural networks (DNN). The transferability of AE reveals the vulnerability of DNN even in a black-box situation. Due to the different structure and decision boundary of DNN models, the transferability of an AE generated on one model is limited to deceive another model with a different representation ability. To this end, we propose a dynamic ensemble attack (DEA), which generates AE on several models with an Elastic Soft Attention Layer (ESAL) to boost the transferability of AE. The EASL allocates the weights of models according to the distance from the benign image to the perturbed image in the feature space and the predicted probability of the models. Compared to the ensemble attack with equal weights, DEA breaks structural of the picture and expands the distance between AE and the benign example in the feature space. The experimental results on two benchmark datasets validate that DEA has superior transferability to the traditional ensemble attack. DEA could effectively improve the black-box attack success rate. We also conduct a visual analysis of the attacking effect of AE during generation and validate the advantage of DEA.

Yao Zhu,Yuefeng Chen,Xiaodan Li,Kejiang Chen,Yuan He,Xiang Tian,Bolun Zheng,Yaowu Chen,Qingming Huang

DOI: https://doi.org/10.1109/tip.2022.3211736

IF: 10.6

2022-01-01

IEEE Transactions on Image Processing

Abstract:Transferable adversarial attacks against Deep neural networks (DNNs) have received broad attention in recent years. An adversarial example can be crafted by a surrogate model and then attack the unknown target model successfully, which brings a severe threat to DNNs. The exact underlying reasons for the transferability are still not completely understood. Previous work mostly explores the causes from the model perspective, e.g., decision boundary, model architecture, and model capacity. Here, we investigate the transferability from the data distribution perspective and hypothesize that pushing the image away from its original distribution can enhance the adversarial transferability. To be specific, moving the image out of its original distribution makes different models hardly classify the image correctly, which benefits the untargeted attack, and dragging the image into the target distribution misleads the models to classify the image as the target class, which benefits the targeted attack. Towards this end, we propose a novel method that crafts adversarial examples by manipulating the distribution of the image. We conduct comprehensive transferable attacks against multiple DNNs to demonstrate the effectiveness of the proposed method. Our method can significantly improve the transferability of the crafted attacks and achieves state-of-the-art performance in both untargeted and targeted scenarios, surpassing the previous best method by up to 40% in some cases. In summary, our work provides new insight into studying adversarial transferability and provides a strong counterpart for future research on adversarial defense.

Huangyi Zhang,Ximeng Liu

DOI: https://doi.org/10.1145/3672919.3672953

2024-01-01

Abstract:In recent years, extensive research has been conducted on the attack and defense of adversarial examples within the domain of deep learning. In particular, the transferability of adversarial examples in black-box attack scenarios has garnered significant attention. The generation of highly transferable adversarial examples presents a notable challenge. Traditional approaches involve modifying the intermediate layers of surrogate model networks or utilizing data augmentation on input images for the generation of transferable adversarial examples. However, generating adversarial examples with enhanced transferability poses a significant challenge. Thus, in this paper, we proposes a novel methodology that integrates model ensemble and a distribution perspective. It entails initial fine-tuning of a surrogate model, subsequent utilization of the fine-tuned surrogate model to create a network pool, and then leveraging this network pool for the generation of adversarial examples. Subsequently, these generated adversarial examples are employed to attack other network structures. Empirical findings confirm the effectiveness of our approach in achieving a notably high success rate in adversarial attacks.

Huanhuan Li,He Huang

DOI: https://doi.org/10.1109/ccdc58219.2023.10327160

2023-01-01

Abstract:Transferability of adversarial examples aims at fooling unknown models, which means that adversarial attacks can be conducted in practical scenarios. However, existing adversarial attacks usually exhibit weak transferability owing to the overfitting on the surrogate model and falling into the model-specific local optimum. To alleviate the overfitting issue, a Salient Feature Disruption Adversarial Transformation Generator (SFD-AT-Gen) based attack method is proposed in this paper, which generates highly transferable adversarial examples efficiently. Specifically, the generative model is leveraged to learn generating adversarial perturbations for disrupting the salient object-aware features that dominate the model output. Based on the framework, an adversarial transformation network is further introduced to eliminate the adversarial perturbations and require the generated adversarial examples to be resistant to the introduced transformation, which makes the adversarial examples more robust and transferable. Extensive experimental results on the CIFAR-10 dataset show higher attack success rates are achieved in both white-box and black-box settings than some advanced attacks.

Chenxu Wang,Ming Zhang,Jinjing Zhao,Xiaohui Kuang,Han Zhang,Xuhong Zhang

DOI: https://doi.org/10.1109/HPCC-DSS-SmartCity-DependSys57074.2022.00115

2022-01-01

Abstract:Deep neural networks (DNNs) are vulnerable to adversarial examples, which are maliciously crafted to fool DNN models. Adversarial examples often exhibit the property of transferability, which means that adversarial examples generated for one model can also fool another. Most existing transfer-based black-box attacks require the training data of the target model to improve the transferability of adversarial examples. However, it is difficult to obtain the training data in reality. In this paper, we propose a data-free black-box attack for crafting adversarial examples. The attack needs no knowledge about the training data of the target model. We first construct a dataset with a classification task similar to the target model. Then we train surrogate models based on the pretrained models by using transfer learning. Finally, the surrogate models are ensembled for generating adversarial examples to attack the target model. Extensive experiments show that the adversarial examples crafted by our method can effectively transfer to the target model. Our method outperforms the baselines and the best ensemble-based attack improves the attack success rates by a margin of 15% ∼ 21 %. Our research shows that DNN s are still at risk even if attackers cannot access the training data.

Huanhuan Li,Wenbo Yu,He Huang

DOI: https://doi.org/10.1016/j.neunet.2023.06.031

Abstract:Deep neural networks are sensitive to adversarial examples and would produce wrong results with high confidence. However, most existing attack methods exhibit weak transferability, especially for adversarially trained models and defense models. In this paper, two methods are proposed to generate highly transferable adversarial examples, namely Adaptive Inertia Iterative Fast Gradient Sign Method (AdaI2-FGSM) and Amplitude Spectrum Dropout Method (ASDM). Specifically, AdaI2-FGSM aims to integrate adaptive inertia into the gradient-based attack, and leverage the looking ahead property to search for a flatter maximum, which is essential to strengthen the transferability of adversarial examples. By introducing a loss-preserving transformation in the frequency domain, the proposed ASDM with the dropout invariance property can craft the copies of input images to overcome the poor generalization on the surrogate models. Furthermore, AdaI2-FGSM and ASDM can be naturally integrated as an efficient gradient-based attack method to yield more transferable adversarial examples. Extensive experimental results on the ImageNet-compatible dataset demonstrate that higher transferability is achieved by our method than some advanced gradient-based attacks.

Zeliang Zhang,Peihan Liu,Xiaosen Wang,Chenliang Xu

DOI: https://doi.org/10.48550/arXiv.2301.12968

2023-01-30

Abstract:Deep neural networks are widely known to be vulnerable to adversarial examples, especially showing significantly poor performance on adversarial examples generated under the white-box setting. However, most white-box attack methods rely heavily on the target model and quickly get stuck in local optima, resulting in poor adversarial transferability. The momentum-based methods and their variants are proposed to escape the local optima for better transferability. In this work, we notice that the transferability of adversarial examples generated by the iterative fast gradient sign method (I-FGSM) exhibits a decreasing trend when increasing the number of iterations. Motivated by this finding, we argue that the information of adversarial perturbations near the benign sample, especially the direction, benefits more on the transferability. Thus, we propose a novel strategy, which uses the Scheduled step size and the Dual example (SD), to fully utilize the adversarial information near the benign sample. Our proposed strategy can be easily integrated with existing adversarial attack methods for better adversarial transferability. Empirical evaluations on the standard ImageNet dataset demonstrate that our proposed method can significantly enhance the transferability of existing adversarial attacks.

Machine Learning

Pengfei Xie,Shuhao Shi,Wanjing Xie,Ruoxi Qin,Jinjin Hai,Linyuan Wang,Jian Chen,Guoen Hu,Bin Yan

DOI: https://doi.org/10.1088/1742-6596/2203/1/012026

2022-01-01

Journal of Physics Conference Series

Abstract:Deep neural networks (DNNs) can be attacked by adversarial examples that are undetectable by humans. Generation-based approaches have recently gained popularity because they directly translate the input distribution to the distribution of adversarial instances, making them more effective and efficient. However, existing techniques are susceptible to overfitting on the substitute model, limiting the transferability of adversarial examples. In this paper, we introduce data augmentation into AdvGAN, called AdvGAN-DE, which can dramatically improve the transferability of adversarial examples. Experiments demonstrate that we enhance the success rate by 31.09% for defense models and 10.23% for typically trained models on average when compared to AdvGAN.