An Evolutionary-Based Black-Box Attack to Deep Neural Network Classifiers

Yutian Zhou; Yu an Tan; Quanxin Zhang; Xiaohui Kuang; Yahong Han; Jingjing Hu

doi:10.1007/s11036-019-01499-x

An Evolutionary-Based Black-Box Attack to Deep Neural Network Classifiers

Yutian Zhou, Yu an Tan, Quanxin Zhang, Xiaohui Kuang^*, Yahong Han, Jingjing Hu

^*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

2 Citations (Scopus)

Abstract

Deep neural networks are susceptible to tiny crafted adversarial perturbations which are always added to all the pixels of the image to craft an adversarial example. Most of the existing adversarial attacks can reduce the L₂ distance between the adversarial image and the source image to a minimum but ignore the L₀ distance which is still huge. To address this issue, we introduce a new black-box adversarial attack based on evolutionary method and bisection method, which can greatly reduce the L₀ distance while limiting the L₂ distance. By flipping pixels of the target image, an adversarial example is generated, in which a small number of pixels come from the target image and the rest pixels are from the source image. Experiments show that our attack method is able to generate high quality adversarial examples steadily. Especially for generating adversarial examples for large scale images, our method performs better.

Original language	English
Pages (from-to)	1616-1629
Number of pages	14
Journal	Mobile Networks and Applications
Volume	26
Issue number	4
DOIs	https://doi.org/10.1007/s11036-019-01499-x
Publication status	Published - Aug 2021

Keywords

Adversarial examples
Black-box attack
Evolutionary algorithm
Neural networks

Access to Document

10.1007/s11036-019-01499-x

Cite this

@article{fd18549fa0ce4cc1b45d278a128ecbe1,

title = "An Evolutionary-Based Black-Box Attack to Deep Neural Network Classifiers",

abstract = "Deep neural networks are susceptible to tiny crafted adversarial perturbations which are always added to all the pixels of the image to craft an adversarial example. Most of the existing adversarial attacks can reduce the L2 distance between the adversarial image and the source image to a minimum but ignore the L0 distance which is still huge. To address this issue, we introduce a new black-box adversarial attack based on evolutionary method and bisection method, which can greatly reduce the L0 distance while limiting the L2 distance. By flipping pixels of the target image, an adversarial example is generated, in which a small number of pixels come from the target image and the rest pixels are from the source image. Experiments show that our attack method is able to generate high quality adversarial examples steadily. Especially for generating adversarial examples for large scale images, our method performs better.",

keywords = "Adversarial examples, Black-box attack, Evolutionary algorithm, Neural networks",

author = "Yutian Zhou and Tan, {Yu an} and Quanxin Zhang and Xiaohui Kuang and Yahong Han and Jingjing Hu",

note = "Publisher Copyright: {\textcopyright} 2020, Springer Science+Business Media, LLC, part of Springer Nature.",

year = "2021",

month = aug,

doi = "10.1007/s11036-019-01499-x",

language = "English",

volume = "26",

pages = "1616--1629",

journal = "Mobile Networks and Applications",

issn = "1383-469X",

publisher = "Springer Netherlands",

number = "4",

}

TY - JOUR

T1 - An Evolutionary-Based Black-Box Attack to Deep Neural Network Classifiers

AU - Zhou, Yutian

AU - Tan, Yu an

AU - Zhang, Quanxin

AU - Kuang, Xiaohui

AU - Han, Yahong

AU - Hu, Jingjing

PY - 2021/8

Y1 - 2021/8

N2 - Deep neural networks are susceptible to tiny crafted adversarial perturbations which are always added to all the pixels of the image to craft an adversarial example. Most of the existing adversarial attacks can reduce the L2 distance between the adversarial image and the source image to a minimum but ignore the L0 distance which is still huge. To address this issue, we introduce a new black-box adversarial attack based on evolutionary method and bisection method, which can greatly reduce the L0 distance while limiting the L2 distance. By flipping pixels of the target image, an adversarial example is generated, in which a small number of pixels come from the target image and the rest pixels are from the source image. Experiments show that our attack method is able to generate high quality adversarial examples steadily. Especially for generating adversarial examples for large scale images, our method performs better.

AB - Deep neural networks are susceptible to tiny crafted adversarial perturbations which are always added to all the pixels of the image to craft an adversarial example. Most of the existing adversarial attacks can reduce the L2 distance between the adversarial image and the source image to a minimum but ignore the L0 distance which is still huge. To address this issue, we introduce a new black-box adversarial attack based on evolutionary method and bisection method, which can greatly reduce the L0 distance while limiting the L2 distance. By flipping pixels of the target image, an adversarial example is generated, in which a small number of pixels come from the target image and the rest pixels are from the source image. Experiments show that our attack method is able to generate high quality adversarial examples steadily. Especially for generating adversarial examples for large scale images, our method performs better.

KW - Adversarial examples

KW - Black-box attack

KW - Evolutionary algorithm

KW - Neural networks

UR - http://www.scopus.com/inward/record.url?scp=85078288732&partnerID=8YFLogxK

U2 - 10.1007/s11036-019-01499-x

DO - 10.1007/s11036-019-01499-x

M3 - Article

AN - SCOPUS:85078288732

SN - 1383-469X

VL - 26

SP - 1616

EP - 1629

JO - Mobile Networks and Applications

JF - Mobile Networks and Applications

IS - 4

ER -

An Evolutionary-Based Black-Box Attack to Deep Neural Network Classifiers

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this