Donghua Wang,Li Dong,Rangding Wang,Diqun Yan,Jie Wang

DOI: https://doi.org/10.1109/ACCESS.2020.3006130

IF: 3.9

2020-01-01

IEEE Access

Abstract:Although neural network-based speech recognition models have enjoyed significant success in many acoustic systems, they are susceptible to be attacked by the adversarial examples. In this work, we make first step towards using generative adversarial network (GAN) for constructing the targeted speech adversarial examples. Specifically, we integrate the target speech recognition network with GAN framework, which can then be formulated as a three-party game. The generator in GAN aims at generating perturbation that could make the target network misclassified to a specific target, while simultaneously fooling the discriminator treating the adversarial example as a beguine one. The discriminator is to distinguish the crafted examples from the geniue samples. The classification error of the target network is back-propagated via gradient flow to the generator for updating. The target network is responsible for back-propagating the classification error via gradients to the generator for updating, but the target network itself is freezed. With the carefully designed network architecture, loss function and training strategy, we successfully train a generator that could generate the adversarial perturbation for a given speech clip and a target label. Experiential results show that the generated adversarial examples could effectively fool the state-of-the-art speech classification networks, while attaining an acceptable auditory perception quality. In addition, our proposed method runs much faster than the prevalent optimization-based schemes. To facilitate reproducible research, codes, models and data are publicly available at https://github.com/winterwindwang/SpeechAdvGan.

Tianyi Chu,Wei Xing,Jiafu Chen,Zhizhong Wang,Jiakai Sun,Lei Zhao,Haibo Chen,Huaizhong Lin

DOI: https://doi.org/10.1609/aaai.v38i2.27900

2024-01-01

Abstract:Existing generative adversarial network (GAN) based conditional imagegenerative models typically produce fixed output for the same conditionalinput, which is unreasonable for highly subjective tasks, such as large-maskimage inpainting or style transfer. On the other hand, GAN-based diverse imagegenerative methods require retraining/fine-tuning the network or designingcomplex noise injection functions, which is computationally expensive,task-specific, or struggle to generate high-quality results. Given that manydeterministic conditional image generative models have been able to producehigh-quality yet fixed results, we raise an intriguing question: is it possiblefor pre-trained deterministic conditional image generative models to generatediverse results without changing network structures or parameters? To answerthis question, we re-examine the conditional image generation tasks from theperspective of adversarial attack and propose a simple and efficient plug-inprojected gradient descent (PGD) like method for diverse and controllable imagegeneration. The key idea is attacking the pre-trained deterministic generativemodels by adding a micro perturbation to the input condition. In this way,diverse results can be generated without any adjustment of network structuresor fine-tuning of the pre-trained models. In addition, we can also control thediverse results to be generated by specifying the attack direction according toa reference text or image. Our work opens the door to applying adversarialattack to low-level vision tasks, and experiments on various conditional imagegeneration tasks demonstrate the effectiveness and superiority of the proposedmethod.

Junkun Yuan,Shaofang Zhou,Lanfen Lin,Feng Wang,Jia Cui

DOI: https://doi.org/10.3233/faia200388

2020-01-01

Abstract:For efficient malware detection, there are more and more deep learning methods based on raw software binaries. Recent studies show that deep learning models can easily be fooled to make a wrong decision by introducing subtle perturbations to inputs, which attracts a large influx of work in adversarial attacks. However, most of the existing attack methods are based on manual features (e.g., API calls) or in the white-box setting, making the attacks impractical in current real-world scenarios. In this work, we propose a novel attack framework called GAPGAN, which generates adversarial payloads (padding bytes) with generative adversarial networks (GANs). To the best of our knowledge, it is the first work that performs endto-end black-box attacks at the byte-level against deep learning based malware binaries detection. In our attack framework, we map input discrete malware binaries to continuous space, then feed it to the generator of GAPGAN to generate adversarial payloads. We append payloads to the original binaries to craft an adversarial sample while preserving its functionality. We propose to use a dynamic threshold for reducing the loss of the effectiveness of the payloads when mapping it from continuous format back to the original discrete format. For balancing the attention of the generator to the payloads and the adversarial samples, we use an automatic weight tuning strategy. We train GAPGAN with both malicious and benign software. Once the training is finished, the generator can generate an adversarial sample with only the input malware in less than twenty milliseconds. We apply GAPGAN to attack the state-of-the-art detector MalConv and achieve 100% attack success rate with only appending payloads of 2.5% of the total length of the data for detection. We also attack deep learning models with different structures under different defense methods. The experiments show that GAPGAN outperforms other state-of-the-art attack models in efficiency and effectiveness.

Yankun Ren,Jianbin Lin,Siliang Tang,Jun Zhou,Shuang Yang,Yuan Qi,Xiang Ren

DOI: https://doi.org/10.3233/faia200340

2020-01-01

Abstract:Today text classification models have been widely used. However, these classifiers are found to be easily fooled by adversarial examples. Fortunately, standard attacking methods generate adversarial texts in a pair-wise way, that is, an adversarial text can only be created from a real-world text by replacing a few words. In many applications, these texts are limited in numbers, therefore their corresponding adversarial examples are often not diverse enough and sometimes hard to read, thus can be easily detected by humans and cannot create chaos at a large scale. In this paper, we propose an end to end solution to efficiently generate adversarial texts from scratch using generative models, which are not restricted to perturbing the given texts. We call it unrestricted adversarial text generation. Specifically, we train a conditional variational autoencoder (VAE) with an additional adversarial loss to guide the generation of adversarial examples. Moreover, to improve the validity of adversarial texts, we utilize discrimators and the training framework of generative adversarial networks (GANs) to make adversarial texts consistent with real data. Experimental results on sentiment analysis demonstrate the scalability and efficiency of our method. It can attack text classification models with a higher success rate than existing methods, and provide acceptable quality for humans in the meantime.

Chaowei Xiao,Bo Li,Jun-yan Zhu,Warren He,Mingyan Liu,Dawn Song

DOI: https://doi.org/10.24963/ijcai.2018/543

2018-07-01

Abstract:Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but how to produce them with high perceptual quality and more efficiently requires more research efforts. In this paper, we propose AdvGAN to generate adversarial exam- ples with generative adversarial networks (GANs), which can learn and approximate the distribution of original instances. For AdvGAN, once the generator is trained, it can generate perturbations efficiently for any instance, so as to potentially accelerate adversarial training as defenses. We apply Adv- GAN in both semi-whitebox and black-box attack settings. In semi-whitebox attacks, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In black-box attacks, we dynamically train a distilled model for the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN on different target models have high attack success rate under state-of-the-art defenses compared to other attacks. Our attack has placed the first with 92.76% accuracy on a public MNIST black-box attack challenge.

Shihang Dong,Beijing Chen,Kaijie Ma,Guoying Zhao

DOI: https://doi.org/10.1109/lsp.2024.3365034

2024-03-09

IEEE Signal Processing Letters

Abstract:Active defense is an important approach to counter speech deepfakes that threaten individuals' privacy, property, and reputation. However, the existing works in this field suffer from issues such as time-consuming and ordinary defense effectiveness. This letter proposes a Generative Adversarial Network (GAN) framework for adversarial attacks as a defense against malicious voice conversion. The proposed method uses a generator to produce adversarial perturbations and adds them to the mel-spectrogram of the target audio to craft adversarial example. In addition, in order to enhance the defense effectiveness, a spectrogram waveform conversion simulation module (SWCSM) is designed to simulate the process of reconstructing waveform from the adversarial mel-spectrogram example and re-extracting mel-spectrogram from the reconstructed waveform. Experiments on four state-of-the-art voice conversion models show that our method achieves the overall best performance among five compared methods in both white-box and black-box scenarios in terms of defense effectiveness and generation time.

engineering, electrical & electronic

Qiang Zhang,Jibin Yang,Xiongwei Zhang,Tieyong Cao,Yang, Jibin,Zhang, Xiongwei

DOI: https://doi.org/10.1007/s11042-024-18318-5

IF: 2.577

2024-03-09

Multimedia Tools and Applications

Abstract:By incorporating additive perturbations to real samples, adversarial examples have notably exhibited the capability to deceive deep neural networks. Although the existing audio adversarial methods can successfully attack environmental sound classification (ESC) models, these generated perturbations can be easily perceived by humans. And the perturbations cannot be generated efficiently because of the large adversarial perturbation search space in audio. To address the problems, this paper proposes a Short-time Spectrum Generative Adversarial Network-based (StS-GAN) attack method to improve the performance of generated adversaries. In this method, a GAN is implemented to generate the magnitude spectrum perturbations with real signal magnitude spectra as inputs, and adversarial magnitude spectra are obtained as the superposition of the real signal magnitude spectra and the perturbations. Additionally, a short-time processing scheme is adopted to flexibly adjust the input length of the generator to balance computational complexity and attack performance. Through adversarial training, StS-GAN learns to generate adversarial examples with temporal-spectral characteristics similar to those of real signals. The learned perturbations tend to have smaller energies, making them less significant and less distinguishable by human perception. Thorough experiments show that, compared to existing adversarial attack methods, the proposed method achieves a higher Attack Success Rate (ASR) and efficiency, and the generated perturbations are less likely to be perceived by humans. The average ASR reaches 97% while maintaining a mean energy ratio of above 30 dB between the real signal and the generated perturbation, demonstrating the effectiveness of the proposed method.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Mohammad Esmaeilpour,Patrick Cardinal,Alessandro Lameiras Koerich

DOI: https://doi.org/10.1109/icassp39728.2021.9413626

2021-06-06

Abstract:In this paper we propose a novel defense approach against end-to-end adversarial attacks developed to fool advanced speech-to-text systems such as DeepSpeech and Lingvo. Unlike conventional defense approaches, the proposed approach does not directly employ low-level transformations such as autoencoding a given input signal aiming at removing potential adversarial perturbation. Instead of that, we find an optimal input vector for a class conditional generative adversarial network through minimizing the relative chordal distance adjustment between a given test input and the generator network. Then, we reconstruct the 1D signal from the synthesized spectrogram and the original phase information derived from the given input signal. Hence, this reconstruction does not add any extra noise to the signal and according to our experimental results, our defense-GAN considerably outperforms conventional defense algorithms both in terms of word error rate and sentence level recognition accuracy.

Zhenyu Wang,Li Wan,Biqiao Zhang,Yiteng Huang,Shang-Wen Li,Ming Sun,Xin Lei,Zhaojun Yang

2024-08-24

Abstract:A keyword spotting (KWS) engine that is continuously running on device is exposed to various speech signals that are usually unseen before. It is a challenging problem to build a small-footprint and high-performing KWS model with robustness under different acoustic environments. In this paper, we explore how to effectively apply adversarial examples to improve KWS robustness. We propose datasource-aware disentangled learning with adversarial examples to reduce the mismatch between the original and adversarial data as well as the mismatch across original training datasources. The KWS model architecture is based on depth-wise separable convolution and a simple attention module. Experimental results demonstrate that the proposed learning strategy improves false reject rate by $40.31%$ at $1%$ false accept rate on the internal dataset, compared to the strongest baseline without using adversarial examples. Our best-performing system achieves $98.06%$ accuracy on the Google Speech Commands V1 dataset.

Sound,Artificial Intelligence,Audio and Speech Processing

Weimin Zhao,Qusay H Mahmoud,Sanaa Alwidian

DOI: https://doi.org/10.3390/s23052697

2023-03-01

Abstract:Deep learning has been successfully utilized in many applications, but it is vulnerable to adversarial samples. To address this vulnerability, a generative adversarial network (GAN) has been used to train a robust classifier. This paper presents a novel GAN model and its implementation to defend against L∞ and L2 constraint gradient-based adversarial attacks. The proposed model is inspired by some of the related work, but it includes multiple new designs such as a dual generator architecture, four new generator input formulations, and two unique implementations with L∞ and L2 norm constraint vector outputs. The new formulations and parameter settings of GAN are proposed and evaluated to address the limitations of adversarial training and defensive GAN training strategies, such as gradient masking and training complexity. Furthermore, the training epoch parameter has been evaluated to determine its effect on the overall training results. The experimental results indicate that the optimal formulation of GAN adversarial training must utilize more gradient information from the target classifier. The results also demonstrate that GANs can overcome gradient masking and produce effective perturbation to augment the data. The model can defend PGD L2 128/255 norm perturbation with over 60% accuracy and PGD L∞ 8/255 norm perturbation with around 45% accuracy. The results have also revealed that robustness can be transferred between the constraints of the proposed model. In addition, a robustness-accuracy tradeoff was discovered, along with overfitting and the generalization capabilities of the generator and classifier. These limitations and ideas for future work will be discussed.

Jiawei Zhu,Jiangpeng Li,Dongwei Xu,Chuntao Gu,Qi Xuan,Shunling Wang

DOI: https://doi.org/10.1109/bigcom57025.2022.00013

2022-01-01

Abstract:In the field of signal modulation classification, deep neural networks (DNNs) perform very well and have good generalization ability. However, the DNN model is extremely vulnerable. The model gives a false output with high confidence from an input example, which formed only by deliberately adding tiny disturbances. Such elaborate examples that make the model misclassify are called adversarial examples. In this paper, for the detection of adversarial examples in electromagnetic signals, we propose a method based on generative adversarial networks (GANs), a novel strategy to defend deep neural networks against such attacks. First of all, by experiment we came to the conclusion that the confidence of the DNN model for normal examples is stable, and the confidence for adversarial examples is unstable. We trained a classifier that performs well in extracting electromagnetic signal features. Then, We feed the normal examples to the generative adversarial network, the generator generates examples with similar data distribution to the clean examples. We send such pairs of examples to the classifier to calculate a threshold T, and the same operations will be performed on the test examples. Finally, the absolute error E of each pair of test examples will be calculated and compared with the threshold T to achieve electromagnetic signal adversarial examples detection. We define the method in the paper as Detect-GAN. The experimental results show that Detect-GAN can effectively defend against common and powerful attack algorithm. Comparing with other detection methods, Detect-GAN achieves more competitive performance.

Xiaosen Wang,Kun He,Chuanbiao Song,Liwei Wang,John E. Hopcroft

DOI: https://doi.org/10.48550/arXiv.1904.07793

2019-04-16

Computer Vision and Pattern Recognition

Abstract:Despite the rapid development of adversarial machine learning, most adversarial attack and defense researches mainly focus on the perturbation-based adversarial examples, which is constrained by the input images. In comparison with existing works, we propose non-constrained adversarial examples, which are generated entirely from scratch without any constraint on the input. Unlike perturbation-based attacks, or the so-called unrestricted adversarial attack which is still constrained by the input noise, we aim to learn the distribution of adversarial examples to generate non-constrained but semantically meaningful adversarial examples. Following this spirit, we propose a novel attack framework called AT-GAN (Adversarial Transfer on Generative Adversarial Net). Specifically, we first develop a normal GAN model to learn the distribution of benign data, and then transfer the pre-trained GAN model to estimate the distribution of adversarial examples for the target model. In this way, AT-GAN can learn the distribution of adversarial examples that is very close to the distribution of real data. To our knowledge, this is the first work of building an adversarial generator model that could produce adversarial examples directly from any input noise. Extensive experiments and visualizations show that the proposed AT-GAN can very efficiently generate diverse adversarial examples that are more realistic to human perception. In addition, AT-GAN yields higher attack success rates against adversarially trained models under white-box attack setting and exhibits moderate transferability against black-box models.

Youheng Sun,Shengming Yuan,Xuanhan Wang,Lianli Gao,Jingkuan Song

2024-07-17

Abstract:Targeted adversarial attack, which aims to mislead a model to recognize any image as a target object by imperceptible perturbations, has become a mainstream tool for vulnerability assessment of deep neural networks (DNNs). Since existing targeted attackers only learn to attack known target classes, they cannot generalize well to unknown classes. To tackle this issue, we propose $\bf{G}$eneralized $\bf{A}$dversarial attac$\bf{KER}$ ($\bf{GAKer}$), which is able to construct adversarial examples to any target class. The core idea behind GAKer is to craft a latently infected representation during adversarial example generation. To this end, the extracted latent representations of the target object are first injected into intermediate features of an input image in an adversarial generator. Then, the generator is optimized to ensure visual consistency with the input image while being close to the target object in the feature space. Since the GAKer is class-agnostic yet model-agnostic, it can be regarded as a general tool that not only reveals the vulnerability of more DNNs but also identifies deficiencies of DNNs in a wider range of classes. Extensive experiments have demonstrated the effectiveness of our proposed method in generating adversarial examples for both known and unknown classes. Notably, compared with other generative methods, our method achieves an approximately $14.13\%$ higher attack success rate for unknown classes and an approximately $4.23\%$ higher success rate for known classes. Our code is available in <a class="link-external link-https" href="https://github.com/VL-Group/GAKer" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition,Artificial Intelligence

Mingxing Duan,Kailun Jiao,Siyang Yu,Zhibang Yang,Bin Xiao,Kenli Li

DOI: https://doi.org/10.1109/tifs.2024.3356812

IF: 7.231

2024-02-02

IEEE Transactions on Information Forensics and Security

Abstract:One area of current research on adversarial attacks is how to generate plausible adversarial examples when only a small number of datasets are available. Current adversarial attack algorithms used to attack these black-box systems face a number of challenges, such as difficulty in training convergence, ambiguous sample images, substitute models collapse, unsatisfactory attack success rates, high query cost, and low defense capability improvement of target models. As a result, constructing plausible adversarial situations in a few known real-world sample circumstances remains difficult. As a solution to the aforementioned issues, this study introduces MC-Net, a novel multi-stage and multi-class balanced generating method based on a limited number of samples to generate realistic adversarial examples. Firstly, a multi-task learning approach is used to train the GAN by fully utilizing the small samples, ensuring that the size of the generated dataset for each category is balanced. In addition, we design a weight-balancing strategy to ensure faster convergence of each sub-network. Then, in the second stage, the generated samples of different categories are used to train a substitute model, and the distillation method is adopted to learn the output distribution of the target model. Finally, adversarial examples are constructed on the generated samples to complete the attack on the target models. Extensive experiments have proven that MC-Net has the following advantages: 1) The substitute model converges quickly using limited samples and queries; 2) High attack success rates can be obtained with a few queries; and 3) The constructed adversarial examples significantly improve the target model's defense. Furthermore, we only utilize a few queries for the Microsoft Azure online model to obtain a satisfactory result. Our code can be found at https://github.com/jiaokailun/A-fast.

computer science, theory & methods,engineering, electrical & electronic

Pouya Samangouei,Maya Kabkab,Rama Chellappa

DOI: https://doi.org/10.48550/arXiv.1805.06605

2018-05-17

Computer Vision and Pattern Recognition

Abstract:In recent years, deep neural network approaches have been widely adopted for machine learning tasks, including classification. However, they were shown to be vulnerable to adversarial perturbations: carefully crafted small perturbations can cause misclassification of legitimate images. We propose Defense-GAN, a new framework leveraging the expressive capability of generative models to defend deep neural networks against such attacks. Defense-GAN is trained to model the distribution of unperturbed images. At inference time, it finds a close output to a given image which does not contain the adversarial changes. This output is then fed to the classifier. Our proposed method can be used with any classification model and does not modify the classifier structure or training procedure. It can also be used as a defense against any attack as it does not assume knowledge of the process for generating the adversarial examples. We empirically show that Defense-GAN is consistently effective against different attack methods and improves on existing defense strategies. Our code has been made publicly available at https://github.com/kabkabm/defensegan

Xuanqing Liu,Cho-Jui Hsieh

DOI: https://doi.org/10.48550/arXiv.1807.10454

2019-04-16

Abstract:We study two important concepts in adversarial deep learning---adversarial training and generative adversarial network (GAN). Adversarial training is the technique used to improve the robustness of discriminator by combining adversarial attacker and discriminator in the training phase. GAN is commonly used for image generation by jointly optimizing discriminator and generator. We show these two concepts are indeed closely related and can be used to strengthen each other---adding a generator to the adversarial training procedure can improve the robustness of discriminators, and adding an adversarial attack to GAN training can improve the convergence speed and lead to better generators. Combining these two insights, we develop a framework called Rob-GAN to jointly optimize generator and discriminator in the presence of adversarial attacks---the generator generates fake images to fool discriminator; the adversarial attacker perturbs real images to fool the discriminator, and the discriminator wants to minimize loss under fake and adversarial images. Through this end-to-end training procedure, we are able to simultaneously improve the convergence speed of GAN training, the quality of synthetic images, and the robustness of discriminator under strong adversarial attacks. Experimental results demonstrate that the obtained classifier is more robust than the state-of-the-art adversarial training approach, and the generator outperforms SN-GAN on ImageNet-143.

Machine Learning,Artificial Intelligence

Dongwei Xu,Ruochen Fang,Qi Xuan,Weiguo Shen,Shilian Zheng,Xiaoniu Yang

DOI: https://doi.org/10.1109/tcsii.2024.3357830

2024-01-01

Abstract:Recently, backdoor attacks posed a new security threat against radio signals modulation models. The attacked model performs well on benign samples, whereas performs abnormally on backdoor samples. Current backdoor attacks usually inject static trigger into benign samples, which can be easily detected with static trigger patterns and large perturbation. In this paper, inspired by the Generative Adversarial Network (GAN), we proposed a backdoor attack against radio signals modulation based on adaptive trigger (AT-GAN) to learn the patterns of adaptive trigger, which can generate different trigger for specific radio signal. AT-GAN is composed of Adaptive Backdoor Generate Network (A-BaN), discriminator and radio signals modulation model. A-BaN is trained to generate adaptive triggers, discriminator is used to limit the perturbation of triggers and modulation model is poisoned based on generated poisoned samples. By a three-player game, A-BaN can generate adaptive triggers with small perturbation. The experimental results on two benchmark datasets demonstrate that our method can achieve better attack performance and reduce the detection rate of backdoor attacks compared to baseline backdoor attacks.

Guanxiong Liu,Issa Khalil,Abdallah Khreishah

DOI: https://doi.org/10.48550/arXiv.1903.02585

IF: 5.414

2019-03-06

Machine Learning

Abstract:Machine learning models, especially neural network (NN) classifiers, are widely used in many applications including natural language processing, computer vision and cybersecurity. They provide high accuracy under the assumption of attack-free scenarios. However, this assumption has been defied by the introduction of adversarial examples -- carefully perturbed samples of input that are usually misclassified. Many researchers have tried to develop a defense against adversarial examples; however, we are still far from achieving that goal. In this paper, we design a Generative Adversarial Net (GAN) based adversarial training defense, dubbed GanDef, which utilizes a competition game to regulate the feature selection during the training. We analytically show that GanDef can train a classifier so it can defend against adversarial examples. Through extensive evaluation on different white-box adversarial examples, the classifier trained by GanDef shows the same level of test accuracy as those trained by state-of-the-art adversarial training defenses. More importantly, GanDef-Comb, a variant of GanDef, could utilize the discriminator to achieve a dynamic trade-off between correctly classifying original and adversarial examples. As a result, it achieves the highest overall test accuracy when the ratio of adversarial examples exceeds 41.7%.

Ke Sun,Zhanxing Zhu,Zhouchen Lin

2019-01-01

Abstract:Deep neural networks have been widely deployed in various machine learning tasks. However, recent works have demonstrated that they are vulnerable to adversarial examples: carefully crafted small perturbations to cause misclassification by the network. In this work, we propose a novel defense mechanism called Boundary Conditional GAN to enhance the robustness of deep neural networks against adversarial examples. Boundary Conditional GAN, a modified version of Conditional GAN, can generate boundary samples with true labels near the decision boundary of a pre-trained classifier. These boundary samples are fed to the pre-trained classifier as data augmentation to make the decision boundary more robust. We empirically show that the model improved by our approach consistently defenses against various types of adversarial attacks successfully. Further quantitative investigations about the improvement of robustness and visualization of decision boundaries are also provided to justify the effectiveness of our strategy. This new defense mechanism that uses boundary samples to enhance the robustness of networks opens up a new way to defense adversarial attacks consistently.

YU Tingyue,WANG Shen,ZHANG Chunrui,WANG Zhenbang,LI Yetian,YU Xiangzhan

DOI: https://doi.org/10.1049/cje.2021.06.009

IF: 1.019

2021-09-01

Chinese Journal of Electronics

Abstract:In recent years, adversarial examples has become one of the most important security threats in deep learning applications. For testing the security of deep learning models in adversarial environment, many researches focus on generating adversarial examples quickly and efficiently. In order to solve the problems of existing generative adversarial networks based methods which can not effectively generate the targeted adversarial examples in black box settings, and to improve the temporal performance of gradient-based generating methods, an adversarial examples generating method based on conditional Variational autoencoder (cVAE) is proposed in this paper, where a cVAE is designed elaborately to generate adversarial examples without most of the detailed information about the attacked deep learning models, of which the output can be controlled arbitrarily by these crafted inputs, used to test the robustness of deep learning models against adversarial examples. The experimental results show that the proposed method can achieve a comparable attack success rate and a better temporal performance than the existing gradient-based generating methods in black box environment.

engineering, electrical & electronic