Yaguan Qian,Jiamin Wang,Xiang Ling,Zhaoquan Gu,Bin Wang,Chunming Wu

2021-01-01

Abstract:Recently, to deal with the vulnerability to generate examples of CNNs, there are many advanced algorithms that have been proposed. These algorithms focus on modifying global pixels directly with small perturbations, and some work involves modifying local pixels. However, the global attacks have the problem of perturbations’ redundancy and the local attacks are not effective. To overcome this challenge, we achieve a trade-off between the perturbation power and the number of perturbed pixels in this paper. The key idea is to find the feature contributive regions (FCRs) of the images. Furthermore, in order to create an adversarial example similar to the corresponding clean image as much as possible, we redefine a loss function as the objective function of the optimization in this paper and then using gradient descent optimization algorithm to find the efficient perturbations. Various experiments have been carried out on CIFAR-10 and ILSVRC2012 datasets, which show the excellence of this method, and in addition, the FCRs attack shows strong attack ability in both white-box and black-box settings.

Zichao Li,Li Liu,Zeyu Wang,Yuyin Zhou,Cihang Xie

DOI: https://doi.org/10.48550/arxiv.2209.02684

2022-01-01

Abstract:Adversarial training (AT) with samples generated by Fast Gradient Sign Method (FGSM), also known as FGSM-AT, is a computationally simple method to train robust networks. However, during its training procedure, an unstable mode of "catastrophic overfitting" has been identified in arXiv:2001.03994 [cs.LG], where the robust accuracy abruptly drops to zero within a single training step. Existing methods use gradient regularizers or random initialization tricks to attenuate this issue, whereas they either take high computational cost or lead to lower robust accuracy. In this work, we provide the first study, which thoroughly examines a collection of tricks from three perspectives: Data Initialization, Network Structure, and Optimization, to overcome the catastrophic overfitting in FGSM-AT. Surprisingly, we find that simple tricks, i.e., a) masking partial pixels (even without randomness), b) setting a large convolution stride and smooth activation functions, or c) regularizing the weights of the first convolutional layer, can effectively tackle the overfitting issue. Extensive results on a range of network architectures validate the effectiveness of each proposed trick, and the combinations of tricks are also investigated. For example, trained with PreActResNet-18 on CIFAR-10, our method attains 49.8% accuracy against PGD-50 attacker and 46.4% accuracy against AutoAttack, demonstrating that pure FGSM-AT is capable of enabling robust learners. The code and models are publicly available at https://github.com/UCSC-VLAA/Bag-of-Tricks-for-FGSM-AT.

Muhammad Luqman Naseem,Naseem, Muhammad Luqman

DOI: https://doi.org/10.1007/s11042-024-18475-7

IF: 2.577

2024-02-10

Multimedia Tools and Applications

Abstract:Deep neural networks (DNNs) are popular in image processing but are vulnerable to adversarial attacks, which makes their deployment in security-sensitive systems risky. Adversarial attacks reduce the performance of DNNs by generating adversarial examples (AEs). In this paper, we propose a novel method called Trans-IFFT-FGSM (Transformer Inverse Finite Fourier Transform Fast Gradient Sign Method) to generate adversarial examples. Unlike others, we apply multiple steps, adding imperceptible perturbation and saving input noise information to create strong AEs, while emphasizing simplicity, efficiency, robustness through iterations, and analytical precision on specific models. We evaluate and compare perturbation generated by Trans-IFFT-FGSM and other attack methods, including FGSM, PGD, DeepFool, and C &W on ImageNet and MNIST, and evaluation results suggest that Trans-IFFT-FGSM achieves a high attack success rate (ASR) and attack accuracy. In addition, we compare Trans-IFFT-FGSM and other attack methods under the existence of a defense method, which denoises the AEs generated by these methods, and the evaluation results also suggest Trans-IFFT-FGSM outperforms other methods.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Dian Hong,Deng Chen,Yanduo Zhang,Huabing Zhou,Liang Xie,Jianping Ju,Jianyin Tang

DOI: https://doi.org/10.3390/electronics13132464

IF: 2.9

2024-06-25

Electronics

Abstract:Adversarial example generation is a technique that involves perturbing inputs with imperceptible noise to induce misclassifications in neural networks, serving as a means to assess the robustness of such models. Among the adversarial attack algorithms, momentum iterative fast gradient sign Method (MI-FGSM) and its variants constitute a class of highly effective offensive strategies, achieving near-perfect attack success rates in white-box settings. However, these methods' use of sign activation functions severely compromises gradient information, which leads to low success rates in black-box attacks and results in large adversarial perturbations. In this paper, we introduce a novel adversarial attack algorithm, NA-FGTM. Our method employs the Tanh activation function instead of the sign which can accurately preserve gradient information. In addition, it utilizes the Adam optimization algorithm as well as the Nesterov acceleration, which is able to stabilize gradient update directions and expedite gradient convergence. Above all, the transferability of adversarial examples can be enhanced. Through integration with data augmentation techniques such as DIM, TIM, and SIM, NA-FGTM can further improve the efficacy of black-box attacks. Extensive experiments on the ImageNet dataset demonstrate that our method outperforms the state-of-the-art approaches in terms of black-box attack success rate and generates adversarial examples with smaller perturbations.

engineering, electrical & electronic,computer science, information systems,physics, applied

Jaydip Sen,Subhasis Dasgupta

2023-07-05

Abstract:This chapter introduces the concept of adversarial attacks on image classification models built on convolutional neural networks (CNN). CNNs are very popular deep-learning models which are used in image classification tasks. However, very powerful and pre-trained CNN models working very accurately on image datasets for image classification tasks may perform disastrously when the networks are under adversarial attacks. In this work, two very well-known adversarial attacks are discussed and their impact on the performance of image classifiers is analyzed. These two adversarial attacks are the fast gradient sign method (FGSM) and adversarial patch attack. These attacks are launched on three powerful pre-trained image classifier architectures, ResNet-34, GoogleNet, and DenseNet-161. The classification accuracy of the models in the absence and presence of the two attacks are computed on images from the publicly accessible ImageNet dataset. The results are analyzed to evaluate the impact of the attacks on the image classification task.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning

Hetvi Waghela,Jaydip Sen,Sneha Rakshit

2024-08-20

Abstract:Adversarial attacks, particularly the Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD) pose significant threats to the robustness of deep learning models in image classification. This paper explores and refines defense mechanisms against these attacks to enhance the resilience of neural networks. We employ a combination of adversarial training and innovative preprocessing techniques, aiming to mitigate the impact of adversarial perturbations. Our methodology involves modifying input data before classification and investigating different model architectures and training strategies. Through rigorous evaluation of benchmark datasets, we demonstrate the effectiveness of our approach in defending against FGSM and PGD attacks. Our results show substantial improvements in model robustness compared to baseline methods, highlighting the potential of our defense strategies in real-world applications. This study contributes to the ongoing efforts to develop secure and reliable machine learning systems, offering practical insights and paving the way for future research in adversarial defense. By bridging theoretical advancements and practical implementation, we aim to enhance the trustworthiness of AI applications in safety-critical domains.

Cryptography and Security,Computer Vision and Pattern Recognition

Jiabao Liu,Qixiang Zhang,Kanghua Mo,Xiaoyu Xiang,Jin Li,Debin Cheng,Rui Gao,Beishui Liu,Kongyang Chen,Guanjie Wei

DOI: https://doi.org/10.1016/j.csi.2021.103612

2022-08-01

Abstract:Most existing deep neural networks are susceptible to the influence of adversarial examples, which may cause them to output incorrect prediction results. An adversarial example is the addition of small noise disturbances to the input data samples, which will deceive the classification. Generally, these modifications are very small noise disturbances, which are not easily noticed by the human eye. However, most existing adversarial attacks achieve only low success rates in typical black-box settings, where the attackers have no prior knowledge about the model structures and/or model parameters. To tackle this problem, we propose an iterative algorithm based on an acceleration gradient to enhance the adversary attack. Our method accumulates the gradient of the loss function in each iteration and uses the next gradient information to influence the future gradient. We also introduce the scaling invariance principle of a deep neural network to optimize the input images for black-box attacks. In addition, to handle the drawbacks of a traditional iterative fast gradient sign method, we further present two gradient optimization methods. Experimental results on the ImageNet dataset show that our attack methods can achieve good transferability. In addition, those models obtained by integrated adversarial training with strong defense capability are also quite vulnerable to our black-box attack.

computer science, software engineering, hardware & architecture

Da-Tian Peng,Jianmin Dong,Mingjiang Zhang,Jungang Yang,Zhen Wang

DOI: https://doi.org/10.1109/tifs.2024.3402385

IF: 7.231

2024-06-07

IEEE Transactions on Information Forensics and Security

Abstract:Extensive studies have revealed that the prevalent deep neural networks (DNNs) are vulnerable to adversarial examples in image recognition tasks. However, previous adversarial example attacks always work in either the global semantic space or local semantic attributes, resulting that these attacks may violate the sophisticated attackers' least-effort intentions, whereas adversarial perturbations due to the explicit semantic variations are probably perceived by human vision. In this paper, we propose a two-phase optimization modeling framework to devise a novel Critical Semantic Fusion guided least-effort Adversarial example attack (CSFAdv). Specifically, the first phase fuses the coarse-&fine-grained semantic maps to localize the latent critical semantic attention region (CSAR) from genuine image. Under the friendly guidance of CSAR-feasibility, the second phase absorbs the ReLU-penalization, -regularization and -limitation to formulate a Top-1&Top-2 misclassification optimization problem, which can characterize the holistic least-effort tampering behaviors embodied in localizing the most critical semantic space, doctoring the least amounts of pixels, injecting the limited amplitudes of perturbations and launching the most readily adversarial attacks. Further, to solve this NP-hard problem mildly, we adapt the gradient renewal by means of merging the momentum (past gradient), present gradient and Hessian (future gradient) to formalize a generalized gradient descent algorithm for generating an optimal adversarial image. Finally, we perform numerical experiments to verify the validity of our CSFAdv against seven types of DNN-based image classifiers on three public ImageNet, MNIST and CIFAR10. Empirical illustrations from ten evaluations indices shed light on the superiority of CSFAdv over eight kinds of state-of-the-art attacks and also offer key clues in reinforcing the DNNs' robustness.

computer science, theory & methods,engineering, electrical & electronic

P. Sathish Kumar,K.V.D. Kiran

DOI: https://doi.org/10.52711/2321-581x.2023.00002

2023-06-30

Research Journal of Engineering and Technology

Abstract:Deep neural networks (DNNs) are particularly vulnerable to adversarial samples when used as machine learning (ML) models. These kinds of samples are typically created by combining real-world samples with low-level sounds so they can mimic and deceive the target models. Since adversarial samples may switch between many models, black-box type attacks can be used in a variety of real-world scenarios. The main goal of this project is to produce an adversarial assault (white box) using PyTorch and then offer a defense strategy as a countermeasure. We developed a powerful offensive strategy known as the MI-FGSM (Momentum Iterative Fast Gradient Sign Method). It can perform better than the I-FGSM because to its adaptation (Iterative Fast Gradient Sign Method). The usage of MI-FGSM will greatly enhance transferability. The other objective of this project is to combine machine learning algorithms with quantum annealing solvers for the execution of adversarial attack and defense. Here, we'll take model-based actions based on the existence of attacks. Finally, we provide the experimental findings to show the validity of the developed attacking method by assessing the strengths of various models as well as the defensive strategies.

Dhairya Vyas,Viral V. Kapadia

DOI: https://doi.org/10.7717/peerj-cs.1868

2024-03-09

PeerJ Computer Science

Abstract:Adversarial attacks pose a significant challenge to deep neural networks used in image classification systems. Although deep learning has achieved impressive success in various tasks, it can easily be deceived by adversarial patches created by adding subtle yet deliberate distortions to natural images. These attacks are designed to remain hidden from both human and computer-based classifiers. Considering this, we propose novel model designs that enhance adversarial strength with incorporating feature denoising blocks. Exclusively, proposed model utilizes Gaussian data augmentation (GDA) and spatial smoothing (SS) to denoise the features. These techniques are reasonable and can be mixed in a joint finding context to accomplish superior recognition levels versus adversarial assaults while also balancing other defenses. We tested the proposed approach on the ImageNet and CIFAR-10 datasets using 10-iteration projected gradient descent (PGD), fast gradient sign method (FGSM), and DeepFool attacks. The proposed method achieved an accuracy of 95.62% in under four minutes, which is highly competitive compared to existing approaches. We also conducted a comparative analysis with existing methods.

computer science, information systems, artificial intelligence, theory & methods

Xu Han,Anmin Liu,Chenxuan Yao,Yanbo Fan,Kun He

2023-07-06

Abstract:Deep neural networks are known to be vulnerable to adversarial examples crafted by adding human-imperceptible perturbations to the benign input. After achieving nearly 100% attack success rates in white-box setting, more focus is shifted to black-box attacks, of which the transferability of adversarial examples has gained significant attention. In either case, the common gradient-based methods generally use the sign function to generate perturbations on the gradient update, that offers a roughly correct direction and has gained great success. But little work pays attention to its possible limitation. In this work, we observe that the deviation between the original gradient and the generated noise may lead to inaccurate gradient update estimation and suboptimal solutions for adversarial transferability. To this end, we propose a Sampling-based Fast Gradient Rescaling Method (S-FGRM). Specifically, we use data rescaling to substitute the sign function without extra computational cost. We further propose a Depth First Sampling method to eliminate the fluctuation of rescaling and stabilize the gradient update. Our method could be used in any gradient-based attacks and is extensible to be integrated with various input transformation or ensemble methods to further improve the adversarial transferability. Extensive experiments on the standard ImageNet dataset show that our method could significantly boost the transferability of gradient-based attacks and outperform the state-of-the-art baselines.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning

Yuling Chen,Hao Yang,Xuewei Wang,Qi Wang,Huiyu Zhou

DOI: https://doi.org/10.3390/e25030461

2023-03-06

Abstract:The adversarial attack is crucial to improving the robustness of deep learning models; they help improve the interpretability of deep learning and also increase the security of the models in real-world applications. However, existing attack algorithms mainly focus on image classification tasks, and they lack research targeting object detection. Adversarial attacks against image classification are global-based with no focus on the intrinsic features of the image. In other words, they generate perturbations that cover the whole image, and each added perturbation is quantitative and undifferentiated. In contrast, we propose a global-to-local adversarial attack based on object detection, which destroys important perceptual features of the object. More specifically, we differentially extract gradient features as a proportion of perturbation additions to generate adversarial samples, as the magnitude of the gradient is highly correlated with the model's point of interest. In addition, we reduce unnecessary perturbations by dynamically suppressing excessive perturbations to generate high-quality adversarial samples. After that, we improve the effectiveness of the attack using the high-frequency feature gradient as a motivation to guide the next gradient attack. Numerous experiments and evaluations have demonstrated the effectiveness and superior performance of our from global to Local gradient attacks with high-frequency momentum guidance (GLH), which is more effective than previous attacks. Our generated adversarial samples also have excellent black-box attack ability.

Jiadong Lin,Chuanbiao Song,Kun He,Liwei Wang,John E. Hopcroft

DOI: https://doi.org/10.48550/arxiv.1908.06281

2020-01-01

Abstract:Deep learning models are vulnerable to adversarial examples crafted by applying human-imperceptible perturbations on benign inputs. However, under the black-box setting, most existing adversaries often have a poor transferability to attack other defense models. In this work, from the perspective of regarding the adversarial example generation as an optimization process, we propose two new methods to improve the transferability of adversarial examples, namely Nesterov Iterative Fast Gradient Sign Method (NI-FGSM) and Scale-Invariant attack Method (SIM). NI-FGSM aims to adapt Nesterov accelerated gradient into the iterative attacks so as to effectively look ahead and improve the transferability of adversarial examples. While SIM is based on our discovery on the scale-invariant property of deep learning models, for which we leverage to optimize the adversarial perturbations over the scale copies of the input images so as to avoid "overfitting" on the white-box model being attacked and generate more transferable adversarial examples. NI-FGSM and SIM can be naturally integrated to build a robust gradient-based attack to generate more transferable adversarial examples against the defense models. Empirical results on ImageNet dataset demonstrate that our attack methods exhibit higher transferability and achieve higher attack success rates than state-of-the-art gradient-based attacks.

Qikun Zhang,Yuzhi Zhang,Yanling Shao,Mengqi Liu,Jianyong Li,Junling Yuan,Ruifang Wang

DOI: https://doi.org/10.3390/electronics12061464

IF: 2.9

2023-03-21

Electronics

Abstract:Deep neural networks are extremely vulnerable to attacks and threats from adversarial examples. These adversarial examples deliberately crafted by attackers can easily fool classification models by adding imperceptibly tiny perturbations on clean images. This brings a great challenge to image security for deep learning. Therefore, studying and designing attack algorithms for generating adversarial examples is essential for building robust models. Moreover, adversarial examples are transferable in that they can mislead multiple different classifiers across models. This makes black-box attacks feasible for practical applications. However, most attack methods have low success rates and weak transferability against black-box models. This is because they often overfit the model during the production of adversarial examples. To address this issue, we propose a Nadam iterative fast gradient method (NAI-FGM), which combines an improved Nadam optimizer with gradient-based iterative attacks. Specifically, we introduce the look-ahead momentum vector and the adaptive learning rate component based on the Momentum Iterative Fast Gradient Sign Method (MI-FGSM). The look-ahead momentum vector is dedicated to making the loss function converge faster and get rid of the poor local maximum. Additionally, the adaptive learning rate component is used to help the adversarial example to converge to a better extreme point by obtaining adaptive update directions according to the current parameters. Furthermore, we also carry out different input transformations to further enhance the attack performance before using NAI-FGM for attack. Finally, we consider attacking the ensemble model. Extensive experiments show that the NAI-FGM has stronger transferability and black-box attack capability than advanced momentum-based iterative attacks. In particular, when using the adversarial examples produced by way of ensemble attack to test the adversarially trained models, the NAI-FGM improves the success rate by 8% to 11% over the other attack methods. Last but not least, the NAI-DI-TI-SI-FGM combined with the input transformation achieves a success rate of 91.3% on average.

engineering, electrical & electronic,computer science, information systems,physics, applied

Jinyin Chen,Yangyang Wu,Xuanheng Xu,Yixian Chen,Haibin Zheng,Qi Xuan

2018-01-01

Abstract:Network embedding maps a network into a low-dimensional Euclidean space, and thus facilitate many network analysis tasks, such as node classification, link prediction and community detection etc, by utilizing machine learning methods. In social networks, we may pay special attention to user privacy, and would like to prevent some target nodes from being identified by such network analysis methods in certain cases. Inspired by successful adversarial attack on deep learning models, we propose a framework to generate adversarial networks based on the gradient information in Graph Convolutional Network (GCN). In particular, we extract the gradient of pairwise nodes based on the adversarial network, and select the pair of nodes with maximum absolute gradient to realize the Fast Gradient Attack (FGA) and update the adversarial network. This process is implemented iteratively and terminated until certain condition is satisfied, i.e., the number of modified links reaches certain predefined value. Comprehensive attacks, including unlimited attack, direct attack and indirect attack, are performed on six well-known network embedding methods. The experiments on real-world networks suggest that our proposed FGA behaves better than some baseline methods, i.e., the network embedding can be easily disturbed using FGA by only rewiring few links, achieving state-of-the-art attack performance.

Wenqiang Zheng,Yan-Fu Li

DOI: https://doi.org/10.1109/issrew53611.2021.00058

2021-01-01

Abstract:Deep learning (DL) technology has been widely applied in the safety-critical area, for instance, autopilot system in which the misbehavior will have a huge influence. Hence the reliability of DL system should be tested thoroughly. DL reliability testing is mainly achieved via adversarial attack, however, the existing attack methods lack mathematical proof whether the convergence of the attack can be guaranteed. This paper proposes a novel adversarial attack method, i.e., Monte Carlo-Fast Gradient Sign Method (MC-FGSM) to test the DL robustness. This method does not require any knowledge of the victim DL system. Specifically, this method first approximates the gradient of the input variable via Monte Carlo sampling technique, and then the gradient-based method is applied to generate adversarial attacks. Moreover, a strict mathematical proof has shown the gradient estimation is unbiased and the time complexity is $\boldsymbol{O}(1)$, while the existing method is $\boldsymbol{O}(N)$. The effectiveness of the proposed method is demonstrated by numerical experiments. This method can work as the reliability evaluation tool of the autopilot system.

Ling Pang,Lulu Wang,Yi Zhang,Hu Li

DOI: https://doi.org/10.1109/icsip52628.2021.9688913

2021-01-01

Abstract:With the development of deep neural network techniques, an explosion of neural network structures are designed and gained great success in the field of image-based SAR automatic target recognition. Recent studies have shown that machine learning networks are vulnerable to adversarial attacks, which may cause severe security issue. In this paper, a convolution neural network (CNN) for SAR target classification is designed and then attacked by adversarial examples using fast gradient sign method (FGSM) and basic iteration method (BIM). Experiments shown that although the classification accuracy of the model is quite high for real SAR image dataset, elaborately designed tiny perturbation on the data will magnificently reduce the classification performance.

Chengyuan Zhang,Ping Wang

DOI: https://doi.org/10.1007/s00521-023-09045-3

2023-11-13

Neural Computing and Applications

Abstract:To improve the defense of CNN network traffic classifiers against adversarial sample attacks, the author proposes a batch adversarial training method that utilizes the characteristics of backpropagation errors during the training process, and completing both sample gradient and parameter gradient calculations in one backpropagation process can significantly improve training efficiency. Meanwhile, since the adversarial samples used for training are generated on the target model, they can effectively defend against white box attacks. The author proposes an enhanced adversarial training method to further defend against black box attacks and overcome the transferability of adversarial samples. Using multiple models to generate adversarial samples with inconsistent sample gradients increases the diversity of adversarial samples and enhances the ability to defend against black box attacks. Through experiments on the actual traffic dataset USTC-TFC2016, we generate network traffic for adversarial samples to simulate attacks. With classification accuracy rates for FGSM adversarial samples of 49.72% and 54.32%, respectively, the experimental results show that the enhanced adversarial approach proposed by the author has a more vital ability to defend adversarial samples than defense distillation and adversarial sample detection. The classification accuracy of enhanced adversarial training can reach 75.37%, significantly higher than defense distillation and adversarial sample detection. The authors suggested adversarial training strategy can successfully improve CNN traffic classifiers’ defense capabilities.

computer science, artificial intelligence

Zheng Yuan,Jie Zhang,Zhaoyan Jiang,Liangliang Li,Shiguang Shan

DOI: https://doi.org/10.1109/tpami.2024.3367773

IF: 23.6

2024-01-01

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:In recent years, the security of deep learning models achieves more and more attentions with the rapid development of neural networks, which are vulnerable to adversarial examples. Almost all existing gradient-based attack methods use the sign function in the generation to meet the requirement of perturbation budget on L_∞ norm. However, we find that the sign function may be improper for generating adversarial examples since it modifies the exact gradient direction. Instead of using the sign function, we propose to directly utilize the exact gradient direction with a scaling factor for generating adversarial perturbations, which improves the attack success rates of adversarial examples even with fewer perturbations. At the same time, we also theoretically prove that this method can achieve better black-box transferability. Moreover, considering that the best scaling factor varies across different images, we propose an adaptive scaling factor generator to seek an appropriate scaling factor for each image, which avoids the computational cost for manually searching the scaling factor. Our method can be integrated with almost all existing gradient-based attack methods to further improve their attack success rates. Extensive experiments on the CIFAR10 and ImageNet datasets show that our method exhibits higher transferability and outperforms the state-of-the-art methods.

computer science, artificial intelligence,engineering, electrical & electronic

Kun Li,Fan Zhang,Wei Guo

2023-05-22

Abstract:Malware detection models based on deep learning have been widely used, but recent research shows that deep learning models are vulnerable to adversarial attacks. Adversarial attacks are to deceive the deep learning model by generating adversarial samples. When adversarial attacks are performed on the malware detection model, the attacker will generate adversarial malware with the same malicious functions as the malware, and make the detection model classify it as benign software. Studying adversarial malware generation can help model designers improve the robustness of malware detection models. At present, in the work on adversarial malware generation for byte-to-image malware detection models, there are mainly problems such as large amount of injection perturbation and low generation efficiency. Therefore, this paper proposes FGAM (Fast Generate Adversarial Malware), a method for fast generating adversarial malware, which iterates perturbed bytes according to the gradient sign to enhance adversarial capability of the perturbed bytes until the adversarial malware is successfully generated. It is experimentally verified that the success rate of the adversarial malware deception model generated by FGAM is increased by about 84\% compared with existing methods.

Cryptography and Security,Artificial Intelligence