YU Tingyue,WANG Shen,ZHANG Chunrui,WANG Zhenbang,LI Yetian,YU Xiangzhan

DOI: https://doi.org/10.1049/cje.2021.06.009

IF: 1.019

2021-09-01

Chinese Journal of Electronics

Abstract:In recent years, adversarial examples has become one of the most important security threats in deep learning applications. For testing the security of deep learning models in adversarial environment, many researches focus on generating adversarial examples quickly and efficiently. In order to solve the problems of existing generative adversarial networks based methods which can not effectively generate the targeted adversarial examples in black box settings, and to improve the temporal performance of gradient-based generating methods, an adversarial examples generating method based on conditional Variational autoencoder (cVAE) is proposed in this paper, where a cVAE is designed elaborately to generate adversarial examples without most of the detailed information about the attacked deep learning models, of which the output can be controlled arbitrarily by these crafted inputs, used to test the robustness of deep learning models against adversarial examples. The experimental results show that the proposed method can achieve a comparable attack success rate and a better temporal performance than the existing gradient-based generating methods in black box environment.

engineering, electrical & electronic

Jianzhang Zheng,Fan Yang,Hao Shen,Xuan Tang,Mingsong Chen,Liang Song,Xian Wei

DOI: https://doi.org/10.48550/arxiv.2203.07027

2022-01-01

Abstract: Adversarial attacks are often considered as threats to the robustness of Deep Neural Networks (DNNs). Various defending techniques have been developed to mitigate the potential negative impact of adversarial attacks against task predictions. This work analyzes adversarial attacks from a different perspective. Namely, adversarial examples contain implicit information that is useful to the predictions i.e., image classification, and treat the adversarial attacks against DNNs for data self-expression as extracted abstract representations that are capable of facilitating specific learning tasks. We propose an algorithmic framework that leverages the advantages of the DNNs for data self-expression and task-specific predictions, to improve image classification. The framework jointly learns a DNN for attacking Variational Autoencoder (VAE) networks and a DNN for classification, coined as Attacking VAE for Improve Classification (AVIC). The experiment results show that AVIC can achieve higher accuracy on standard datasets compared to the training with clean examples and the traditional adversarial training.

Lei Xu,Junhai Zhai

DOI: https://doi.org/10.26599/tst.2023.9010004

2024-04-01

Abstract:Deep neural network (DNN) has strong representation learning ability, but it is vulnerable and easy to be fooled by adversarial examples. In order to handle the vulnerability of DNN, many methods have been proposed. The general idea of existing methods is to reduce the chance of DNN models being fooled by observing some designed adversarial examples, which are generated by adding perturbations to the original images. In this paper, we propose a novel adversarial example generation method, called DCVAE-adv. Different from the existing methods, DCVAE-adv constructs adversarial examples by mixing both explicit and implicit perturbations without using original images. Furthermore, the proposed method can be applied to both white box and black box attacks. In addition, in the inference stage, the adversarial examples can be generated without loading the original images into memory, which greatly reduces the memory overhead. We compared DCVAE-adv with three most advanced adversarial attack algorithms: FGSM, AdvGAN, and AdvGAN++. The experimental results demonstrate that DCVAE-adv is superior to these state-of-the-art methods in terms of attack success rate and transfer ability for targeted attack. Our code is available at https://github.com/xzforeverlove/DCVAE-adv.

computer science, information systems,engineering, electrical & electronic, software engineering

Prashnna K Gyawali,Rudra Saha,Linwei Wang,VSR Veeravasarapu,Maneesh Singh

DOI: https://doi.org/10.48550/arXiv.1911.05627

2019-10-26

Abstract:Variational Autoencoders (VAE) are probabilistic deep generative models underpinned by elegant theory, stable training processes, and meaningful manifold representations. However, they produce blurry images due to a lack of explicit emphasis over high-frequency textural details of the images, and the difficulty to directly model the complex joint probability distribution over the high-dimensional image space. In this work, we approach these two challenges with a novel wavelet space VAE that uses the decoder to model the images in the wavelet coefficient space. This enables the VAE to emphasize over high-frequency components within an image obtained via wavelet decomposition. Additionally, by decomposing the complex function of generating high-dimensional images into inverse wavelet transformation and generation of wavelet coefficients, the latter becomes simpler to model by the VAE. We empirically validate that deep generative models operating in the wavelet space can generate images of higher quality than the image (RGB) space counterparts. Quantitatively, on benchmark natural image datasets, we achieve consistently better FID scores than VAE based architectures and competitive FID scores with a variety of GAN models for the same architectural and experimental setup. Furthermore, the proposed wavelet-based generative model retains desirable attributes like disentangled and informative latent representation without losing the quality in the generated samples.

Computer Vision and Pattern Recognition,Machine Learning,Image and Video Processing

Omid Poursaeed,Tianxing Jiang,Yordanos Goshu,Harry Yang,Serge Belongie,Ser-Nam Lim

DOI: https://doi.org/10.48550/arXiv.1911.09058

2020-10-23

Abstract:We propose a novel approach for generating unrestricted adversarial examples by manipulating fine-grained aspects of image generation. Unlike existing unrestricted attacks that typically hand-craft geometric transformations, we learn stylistic and stochastic modifications leveraging state-of-the-art generative models. This allows us to manipulate an image in a controlled, fine-grained manner without being bounded by a norm threshold. Our approach can be used for targeted and non-targeted unrestricted attacks on classification, semantic segmentation and object detection models. Our attacks can bypass certified defenses, yet our adversarial images look indistinguishable from natural images as verified by human evaluation. Moreover, we demonstrate that adversarial training with our examples improves performance of the model on clean images without requiring any modifications to the architecture. We perform experiments on LSUN, CelebA-HQ and COCO-Stuff as high resolution datasets to validate efficacy of our proposed approach.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning

Fangcheng Liu,Chao Zhang,Hongyang Zhang

DOI: https://doi.org/10.48550/arXiv.2201.01102

2022-12-27

Abstract:Transfer-based adversarial example is one of the most important classes of black-box attacks. However, there is a trade-off between transferability and imperceptibility of the adversarial perturbation. Prior work in this direction often requires a fixed but large $\ell_p$-norm perturbation budget to reach a good transfer success rate, leading to perceptible adversarial perturbations. On the other hand, most of the current unrestricted adversarial attacks that aim to generate semantic-preserving perturbations suffer from weaker transferability to the target model. In this work, we propose a geometry-aware framework to generate transferable adversarial examples with minimum changes. Analogous to model selection in statistical machine learning, we leverage a validation model to select the best perturbation budget for each image under both the $\ell_{\infty}$-norm and unrestricted threat models. We propose a principled method for the partition of training and validation models by encouraging intra-group diversity while penalizing extra-group similarity. Extensive experiments verify the effectiveness of our framework on balancing imperceptibility and transferability of the crafted adversarial examples. The methodology is the foundation of our entry to the CVPR'21 Security AI Challenger: Unrestricted Adversarial Attacks on ImageNet, in which we ranked 1st place out of 1,559 teams and surpassed the runner-up submissions by 4.59% and 23.91% in terms of final score and average image quality level, respectively. Code is available at <a class="link-external link-https" href="https://github.com/Equationliu/GA-Attack" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition

Wenjie Wang,Li Xiong,Jian Lou

2023-03-22

Abstract:Adversarial examples are crafted by adding indistinguishable perturbations to normal examples in order to fool a well-trained deep learning model to misclassify. In the context of computer vision, this notion of indistinguishability is typically bounded by $L_{\infty}$ or other norms. However, these norms are not appropriate for measuring indistinguishiability for time series data. In this work, we propose adversarial examples in the Wasserstein space for time series data for the first time and utilize Wasserstein distance to bound the perturbation between normal examples and adversarial examples. We introduce Wasserstein projected gradient descent (WPGD), an adversarial attack method for perturbing univariant time series data. We leverage the closed-form solution of Wasserstein distance in the 1D space to calculate the projection step of WPGD efficiently with the gradient descent method. We further propose a two-step projection so that the search of adversarial examples in the Wasserstein space is guided and constrained by Euclidean norms to yield more effective and imperceptible perturbations. We empirically evaluate the proposed attack on several time series datasets in the healthcare domain. Extensive results demonstrate that the Wasserstein attack is powerful and can successfully attack most of the target classifiers with a high attack success rate. To better study the nature of Wasserstein adversarial example, we evaluate a strong defense mechanism named Wasserstein smoothing for potential certified robustness defense. Although the defense can achieve some accuracy gain, it still has limitations in many cases and leaves space for developing a stronger certified robustness method to Wasserstein adversarial examples on univariant time series data.

Machine Learning,Artificial Intelligence

Jun Yan,Huilin Yin,Xiaoyang Deng,Ziming Zhao,Wancheng Ge,Hao Zhang,Gerhard Rigoll

DOI: https://doi.org/10.48550/arXiv.2206.03727

2022-06-08

Abstract:Adversarial training methods are state-of-the-art (SOTA) empirical defense methods against adversarial examples. Many regularization methods have been proven to be effective with the combination of adversarial training. Nevertheless, such regularization methods are implemented in the time domain. Since adversarial vulnerability can be regarded as a high-frequency phenomenon, it is essential to regulate the adversarially-trained neural network models in the frequency domain. Faced with these challenges, we make a theoretical analysis on the regularization property of wavelets which can enhance adversarial training. We propose a wavelet regularization method based on the Haar wavelet decomposition which is named Wavelet Average Pooling. This wavelet regularization module is integrated into the wide residual neural network so that a new WideWaveletResNet model is formed. On the datasets of CIFAR-10 and CIFAR-100, our proposed Adversarial Wavelet Training method realizes considerable robustness under different types of attacks. It verifies the assumption that our wavelet regularization method can enhance adversarial robustness especially in the deep wide neural networks. The visualization experiments of the Frequency Principle (F-Principle) and interpretability are implemented to show the effectiveness of our method. A detailed comparison based on different wavelet base functions is presented. The code is available at the repository: \url{<a class="link-external link-https" href="https://github.com/momo1986/AdversarialWaveletTraining" rel="external noopener nofollow">this https URL</a>}.

Computer Vision and Pattern Recognition

Yongwei Wang,Mingquan Feng,Rabab Ward,Z. Jane Wang,Lanjun Wang

DOI: https://doi.org/10.48550/arXiv.2011.05254

2020-10-30

Computer Vision and Pattern Recognition

Abstract:Deep neural networks are vulnerable to adversarial attacks. White-box adversarial attacks can fool neural networks with small adversarial perturbations, especially for large size images. However, keeping successful adversarial perturbations imperceptible is especially challenging for transfer-based black-box adversarial attacks. Often such adversarial examples can be easily spotted due to their unpleasantly poor visual qualities, which compromises the threat of adversarial attacks in practice. In this study, to improve the image quality of black-box adversarial examples perceptually, we propose structure-aware adversarial attacks by generating adversarial images based on psychological perceptual models. Specifically, we allow higher perturbations on perceptually insignificant regions, while assigning lower or no perturbation on visually sensitive regions. In addition to the proposed spatial-constrained adversarial perturbations, we also propose a novel structure-aware frequency adversarial attack method in the discrete cosine transform (DCT) domain. Since the proposed attacks are independent of the gradient estimation, they can be directly incorporated with existing gradient-based attacks. Experimental results show that, with the comparable attack success rate (ASR), the proposed methods can produce adversarial examples with considerably improved visual quality for free. With the comparable perceptual quality, the proposed approaches achieve higher attack success rates: particularly for the frequency structure-aware attacks, the average ASR improves more than 10% over the baseline attacks.

Siyu Zhai,Zhibo He,Xiaofeng Cong,Junming Hou,Jie Gui,Jian Wei You,Xin Gong,James Tin-Yau Kwok,Yuan Yan Tang

2024-09-10

Abstract:Learning-based methods for underwater image enhancement (UWIE) have undergone extensive exploration. However, learning-based models are usually vulnerable to adversarial examples so as the UWIE models. To the best of our knowledge, there is no comprehensive study on the adversarial robustness of UWIE models, which indicates that UWIE models are potentially under the threat of adversarial attacks. In this paper, we propose a general adversarial attack protocol. We make a first attempt to conduct adversarial attacks on five well-designed UWIE models on three common underwater image benchmark datasets. Considering the scattering and absorption of light in the underwater environment, there exists a strong correlation between color correction and underwater image enhancement. On the basis of that, we also design two effective UWIE-oriented adversarial attack methods Pixel Attack and Color Shift Attack targeting different color spaces. The results show that five models exhibit varying degrees of vulnerability to adversarial attacks and well-designed small perturbations on degraded images are capable of preventing UWIE models from generating enhanced results. Further, we conduct adversarial training on these models and successfully mitigated the effectiveness of adversarial attacks. In summary, we reveal the adversarial vulnerability of UWIE models and propose a new evaluation dimension of UWIE models.

Image and Video Processing,Computer Vision and Pattern Recognition

Zhaoyu Chen,Bo Li,Shuang Wu,Kaixun Jiang,Shouhong Ding,Wenqiang Zhang

2023-11-29

Abstract:Unrestricted adversarial attacks typically manipulate the semantic content of an image (e.g., color or texture) to create adversarial examples that are both effective and photorealistic, demonstrating their ability to deceive human perception and deep neural networks with stealth and success. However, current works usually sacrifice unrestricted degrees and subjectively select some image content to guarantee the photorealism of unrestricted adversarial examples, which limits its attack performance. To ensure the photorealism of adversarial examples and boost attack performance, we propose a novel unrestricted attack framework called Content-based Unrestricted Adversarial Attack. By leveraging a low-dimensional manifold that represents natural images, we map the images onto the manifold and optimize them along its adversarial direction. Therefore, within this framework, we implement Adversarial Content Attack based on Stable Diffusion and can generate high transferable unrestricted adversarial examples with various adversarial contents. Extensive experimentation and visualization demonstrate the efficacy of ACA, particularly in surpassing state-of-the-art attacks by an average of 13.3-50.4% and 16.8-48.0% in normally trained models and defense methods, respectively.

Computer Vision and Pattern Recognition,Artificial Intelligence,Cryptography and Security

Yubo Wang,Chaohu Liu,Yanqiu Qu,Haoyu Cao,Deqiang Jiang,Linli Xu

2024-10-09

Abstract:Large vision-language models (LVLMs) integrate visual information into large language models, showcasing remarkable multi-modal conversational capabilities. However, the visual modules introduces new challenges in terms of robustness for LVLMs, as attackers can craft adversarial images that are visually clean but may mislead the model to generate incorrect answers. In general, LVLMs rely on vision encoders to transform images into visual tokens, which are crucial for the language models to perceive image contents effectively. Therefore, we are curious about one question: Can LVLMs still generate correct responses when the encoded visual tokens are attacked and disrupting the visual information? To this end, we propose a non-targeted attack method referred to as VT-Attack (Visual Tokens Attack), which constructs adversarial examples from multiple perspectives, with the goal of comprehensively disrupting feature representations and inherent relationships as well as the semantic properties of visual tokens output by image encoders. Using only access to the image encoder in the proposed attack, the generated adversarial examples exhibit transferability across diverse LVLMs utilizing the same image encoder and generality across different tasks. Extensive experiments validate the superior attack performance of the VT-Attack over baseline methods, demonstrating its effectiveness in attacking LVLMs with image encoders, which in turn can provide guidance on the robustness of LVLMs, particularly in terms of the stability of the visual feature space.

Computer Vision and Pattern Recognition,Artificial Intelligence,Machine Learning

Haobo Wang,Chenxi Zhu,Yangjie Cao,Yan Zhuang,Jie Li,Xianfu Chen

DOI: https://doi.org/10.3390/electronics12040816

IF: 2.9

2023-01-01

Electronics

Abstract:Deep neural networks are susceptible to interference from deliberately crafted noise, which can lead to incorrect classification results. Existing approaches make less use of latent space information and conduct pixel-domain modification in the input space instead, which increases the computational cost and decreases the transferability. In this work, we propose an effective adversarial distribution searching-driven attack (ADSAttack) algorithm to generate adversarial examples against deep neural networks. ADSAttack introduces an affiliated network to search for potential distributions in image latent space for synthesizing adversarial examples. ADSAttack uses an edge-detection algorithm to locate low-level feature mapping in input space to sketch the minimum effective disturbed area. Experimental results demonstrate that ADSAttack achieves higher transferability, better imperceptible visualization, and faster generation speed compared to traditional algorithms. To generate 1000 adversarial examples, ADSAttack takes 11.08s and, on average, achieves a success rate of 98.01%.

Jun Yan,Huilin Yin,Wancheng Ge,Li Liu

DOI: https://doi.org/10.1016/j.displa.2023.102479

IF: 3.074

2023-07-08

Displays

Abstract:The research on universal adversarial perturbations (UAPs) is significant to trustworthy deep learning. To disentangle the UAPs with the training data dependency and the target model dependency, the exploration of procedural noise functions is a feasible method. However, the current procedural adversarial noise attack method has several characteristics like visually significant anisotropy and gradient artifacts that may impact the stealthiness of adversarial examples. This study proposes a novel model-free and data-free UAP method based on the procedural noise functions with two variants: Simplex noise attack and Worley noise attack. The attack method can achieve deceit on the neural networks with a more aesthetic rendering effect. A detailed empirical study is provided to validate the effectiveness of the proposed attack method. The extensive experiments show that the UAPs generated by the proposed method achieve considerable attack performance on the ImageNet dataset and the CIFAR-10 dataset. Moreover, this study implements the performance evaluation and robustness analysis of existing defense methods against the proposed UAPs. It has the potential to enhance research on the robustness of neural networks in real applications. The code is available at https://github.com/momo1986/adversarial_example_simplex_worley .

engineering, electrical & electronic,instruments & instrumentation,optics,computer science, hardware & architecture

Bo Luo,Yannan Liu,Lingxiao Wei,Qiang Xu

DOI: https://doi.org/10.1609/aaai.v32i1.11499

2018-04-25

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Machine learning systems based on deep neural networks, being able to produce state-of-the-art results on various perception tasks, have gained mainstream adoption in many applications. However, they are shown to be vulnerable to adversarial example attack, which generates malicious output by adding slight perturbations to the input. Previous adversarial example crafting methods, however, use simple metrics to evaluate the distances between the original examples and the adversarial ones, which could be easily detected by human eyes. In addition, these attacks are often not robust due to the inevitable noises and deviation in the physical world. In this work, we present a new adversarial example attack crafting method, which takes the human perceptual system into consideration and maximizes the noise tolerance of the crafted adversarial example. Experimental results demonstrate the efficacy of the proposed technique.

Jianxin Yang,Mingwen Shao,Huan Liu,Xinkai Zhuang

DOI: https://doi.org/10.1007/s13042-023-01778-w

2023-01-01

International Journal of Machine Learning and Cybernetics

Abstract:Existing adversarial attack methods usually add perturbations directly to the pixel space of an image, resulting in significant local noise in the image. Besides, the performance of existing attack methods is affected by various pixel-space based defense strategies. In this paper, we propose a novel method to generate adversarial examples by adding perturbations to the feature space. Specifically, the perturbation of the feature space is induced by a style-shifting-based network architecture called AdvAdaIN. Furthermore, we expose the feature space to the attacker via an encoder, and then the perturbation is injected into the feature space by AdvAdaIN. Simultaneously, due to the specificity of feature space perturbations, we trained a decoder to reflect the changes in feature space to pixel space and ensure that the perturbations are not easily detected. Meanwhile, we align the original image with another image in the feature space, adding additional adversarial information to the model. In addition, we can generate diverse adversarial samples by varying the perturbation parameters, which mainly change the overall color and brightness of the image. Experiments demonstrate that the proposed method outperforms existing methods and produces more natural adversarial samples when facing defensive strategies.

Yuexin Xiang,Tiantian Li,Wei Ren,Tianqing Zhu,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1016/j.jisa.2023.103662

2022-08-04

Abstract:With the increasing attention to deep neural network (DNN) models, attacks are also upcoming for such models. For example, an attacker may carefully construct images in specific ways (also referred to as adversarial examples) aiming to mislead the DNN models to output incorrect classification results. Similarly, many efforts are proposed to detect and mitigate adversarial examples, usually for certain dedicated attacks. In this paper, we propose a novel digital watermark-based method to generate image adversarial examples to fool DNN models. Specifically, partial main features of the watermark image are embedded into the host image almost invisibly, aiming to tamper with and damage the recognition capabilities of the DNN models. We devise an efficient mechanism to select host images and watermark images and utilize the improved discrete wavelet transform (DWT) based Patchwork watermarking algorithm with a set of valid hyperparameters to embed digital watermarks from the watermark image dataset into original images for generating image adversarial examples. The experimental results illustrate that the attack success rate on common DNN models can reach an average of 95.47% on the CIFAR-10 dataset and the highest at 98.71%. Besides, our scheme is able to generate a large number of adversarial examples efficiently, concretely, an average of 1.17 seconds for completing the attacks on each image on the CIFAR-10 dataset. In addition, we design a baseline experiment using the watermark images generated by Gaussian noise as the watermark image dataset that also displays the effectiveness of our scheme. Similarly, we also propose the modified discrete cosine transform (DCT) based Patchwork watermarking algorithm. To ensure repeatability and reproducibility, the source code is available on GitHub.

Computer Vision and Pattern Recognition,Cryptography and Security

Wenrong Xie,Fashan Dong,Haiyang Yu,Zhaoquan Gu,Le Wang,Zhihong Tian

DOI: https://doi.org/10.1109/dsc53577.2021.00044

2021-01-01

Abstract:With the rapid development of artificial intelligence technology, artificial intelligence-based systems and applications have shown explosive growth, bringing great convenience to people's lives. As a representative of artificial intelligence, deep learning, whose excellent performance in the classification task has been proved, can obtain high-precision classification models by effectively training from large amounts of data. However, recent studies have shown that deep neural networks are vulnerable to attacks. By carefully constructing input data, Deep Neural Networks can export the output results expected by the attacker. In general, it is difficult to detect the difference between the carefully constructed data and the original data, but it can induce the neural network to output wrong results. This kind of attack is called adversarial example attack, and the carefully constructed data used to deceive deep learning is called adversarial examples. This paper proposes a generation method of adversarial example that combines the distribution of image entropy. The areas with high entropy values in the image tend to have complex tones, so the added perturbation cannot be noticed by naked eyes easily, and experiments have proved that the adversarial examples generated by adding perturbations in this area are more aggressive. This paper proposes that the greater the entropy in a region of an image, the greater the weight assigned to the position of the Adversarial Perturbation; the smaller the entropy in a region of the image, the lower the weight is assigned to the position of the Adversarial Perturbation, so that an adversarial example with lower disturbance and less noticeable is generated, and at the same time, the adversarial example is more aggressive.

Zongyao Hu,Lixiong Liu,Qingbing Sang,Chongwen Wang

DOI: https://doi.org/10.1016/j.knosys.2024.111655

IF: 8.139

2024-03-22

Knowledge-Based Systems

Abstract:Most currently developed video quality assessment (VQA) algorithms have achieved excellent performance by using deep neural network (DNN). However, DNN is vulnerable to adversarial attacks, as an efficient surrogate for validating the model robustness, and there lack adversarial attack methods against VQA models. To this end, we propose a spatiotemporal attack network to generate adversarial examples for evaluating the robustness of VQA models that contains a spatial subnetwork and a temporal subnetwork. The proposed network, dubbed the Space-Time Quality Attack Network (STQA-Net 1 ), first computes the just noticeable difference (JND) maps of a video sequence as the input of the spatial subnetwork. The spatial subnetwork encodes the computed maps as spatial features and feeds the spatial features to the temporal subnetwork. Then, the spatial features are fused with the output of the temporal subnetwork and the fused features are decoded as attack weight maps. A visual constraint is used to control the visibility of perturbations and guide the generation of perturbation maps by multiplying JND maps with attack weight maps. Finally, the generated perturbation maps are added to the original video to form an adversarial example. Further, we also try to design a two-branch network to generate two opposite examples in a targeted attack scenario. The proposed attack methods against six state-of-the-art VQA algorithms are thoroughly tested on three VQA databases. The experimental results show that the proposed attack methods are very effective for testing the robustness of VQA models.

computer science, artificial intelligence

Qi Guo,Shanmin Pang,Xiaojun Jia,Yang Liu,Qing Guo

2024-07-23

Abstract:Adversarial attacks, particularly \textbf{targeted} transfer-based attacks, can be used to assess the adversarial robustness of large visual-language models (VLMs), allowing for a more thorough examination of potential security flaws before deployment. However, previous transfer-based adversarial attacks incur high costs due to high iteration counts and complex method structure. Furthermore, due to the unnaturalness of adversarial semantics, the generated adversarial examples have low transferability. These issues limit the utility of existing methods for assessing robustness. To address these issues, we propose AdvDiffVLM, which uses diffusion models to generate natural, unrestricted and targeted adversarial examples via score matching. Specifically, AdvDiffVLM uses Adaptive Ensemble Gradient Estimation to modify the score during the diffusion model's reverse generation process, ensuring that the produced adversarial examples have natural adversarial targeted semantics, which improves their transferability. Simultaneously, to improve the quality of adversarial examples, we use the GradCAM-guided Mask method to disperse adversarial semantics throughout the image rather than concentrating them in a single area. Finally, AdvDiffVLM embeds more target semantics into adversarial examples after multiple iterations. Experimental results show that our method generates adversarial examples 5x to 10x faster than state-of-the-art transfer-based adversarial attacks while maintaining higher quality adversarial examples. Furthermore, compared to previous transfer-based adversarial attacks, the adversarial examples generated by our method have better transferability. Notably, AdvDiffVLM can successfully attack a variety of commercial VLMs in a black-box environment, including GPT-4V.

Computer Vision and Pattern Recognition