Adaptive momentum variance for attention-guided sparse adversarial attacks. (January 2023)
- Record Type:
- Journal Article
- Title:
- Adaptive momentum variance for attention-guided sparse adversarial attacks. (January 2023)
- Main Title:
- Adaptive momentum variance for attention-guided sparse adversarial attacks
- Authors:
- Li, Chao
Yao, Wen
Wang, Handing
Jiang, Tingsong
- Abstract:
- Highlights: Our method considers two kinds of momentum variances, namely the forward momentum variance and the historical momentum variance, to adaptively stabilize the attack direction and escape from local optima. We refine the generated perturbation matrix to prevent the overfitting of the adversarial examples. We use the attention mechanism to perform the transfer-based sparse attack and assist in studying the relationship between the number of pixels attacked and attack performance.
Abstract: The phenomenon that deep neural networks are vulnerable to adversarial examples has been found for several years. Under the black-box setting, transfer-based methods usually produce the adversarial examples on a white-box model, which serves as the surrogate model in the black-box attack, and hope that the same adversarial examples can also fool the black-box model. However, these methods have high success rates for the surrogate model and exhibit weak transferability for the black-box model. In addition, some studies have shown that deep neural networks are also vulnerable to sparse alterations of the input, but existing sparse attacks mainly focus on the number of attacked pixels without restricting the size of the perturbations, which is perceptible to human eyes. To address the above problems, we propose a transfer-based sparse attack method, called adaptive momentum variance based iterative gradient method with a class activation map, where the method considers a simple adaptive momentum variance and a refining perturbation mechanism to improve the transferability of adversarial examples. Also, a class activation map, which is also known as attention mechanism, is employed to explore the relationship between the number of the perturbed pixels and the attack performance in the case of limiting the intensity of perturbation. The proposed method is compared with a number of the state-of-the-art transfer-based adversarial attack methods on the ImageNet dataset, and the empirical results demonstrate that our method achieves a significant increase in transferability with only attacking about 50% of the pixels.
- Is Part Of:
- Pattern recognition. Volume 133(2023)
- Journal:
- Pattern recognition
- Issue:
- Volume 133(2023)
- Issue Display:
- Volume 133, Issue 2023 (2023)
- Year:
- 2023
- Volume:
- 133
- Issue:
- 2023
- Issue Sort Value:
- 2023-0133-2023-0000
- Page Start:
- Page End:
- Publication Date:
- 2023-01
- Subjects:
- Deep neural networks -- Black-box adversarial attacks -- Transferability -- Momentum variances
Pattern perception -- Periodicals
Perception des structures -- Périodiques
Patroonherkenning
006.4
- Journal URLs:
- http://www.sciencedirect.com/science/journal/00313203
http://www.sciencedirect.com/
- DOI:
- 10.1016/j.patcog.2022.108979
- Languages:
- English
- ISSNs:
- 0031-3203
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 24024.xml