Toward feature space adversarial attack in the frequency domain

Yajie Wang, Yu an Tan, Haoran Lyu, Shangbo Wu, Yuhang Zhao, Yuanzhang Li*

*Corresponding author of this work

Research output: Contribution to journal › Article › peer-review

4 Citations (Scopus)

Abstract

Recent research has shown that deep neural networks (DNNs) are vulnerable to adversarial examples, making them unsuitable for security-critical applications. Transferability of adversarial examples is crucial for attacking black-box models, as it enables adversarial attacks in more practical scenarios. We propose a novel adversarial attack with high transferability. Unlike existing attacks that directly modify the input pixels, our attack is executed in the feature space. More specifically, we corrupt abstract features by maximizing the feature distance between the adversarial example and the clean image with a perceptual similarity network, inducing model misclassification. In addition, we apply a spectral transformation to the input, narrowing the search space in the frequency domain to enhance the transferability of adversarial examples. Disrupting crucial features within a specific frequency component achieves greater transferability. Extensive evaluations demonstrate that our approach is easily compatible with many existing transfer-attack frameworks and can significantly improve the baseline performance of black-box attacks. Moreover, we obtain a higher fooling rate even when the model is equipped with a defense technique, achieving a maximum black-box fooling rate of 61.70% on the defended model. Our work indicates that existing pixel-space defense techniques struggle to guarantee robustness in the feature space, and that studying the feature space from a frequency perspective is promising for developing more robust models.
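The core idea in the abstract — maximize the feature distance between the adversarial example and the clean image, while confining the perturbation search space to a frequency band of the spectrum — can be sketched in a few lines. The sketch below is illustrative only: it substitutes a fixed random linear map `phi` for the paper's perceptual similarity network, uses an orthonormal 2-D DCT as the spectral transformation, and runs plain gradient ascent rather than the paper's exact optimization; all names (`phi`, `W_feat`, `freq_feature_attack`, `keep`) are hypothetical.

```python
import numpy as np

H = 8  # toy image size


def dct_matrix(n):
    """Orthonormal DCT-II matrix (C @ C.T == I)."""
    k = np.arange(n)
    C = np.sqrt(2.0 / n) * np.cos(np.pi * (2 * k[None, :] + 1) * k[:, None] / (2 * n))
    C[0] /= np.sqrt(2.0)
    return C


C = dct_matrix(H)
dct2 = lambda x: C @ x @ C.T    # pixels -> spectrum
idct2 = lambda X: C.T @ X @ C   # spectrum -> pixels

# Hypothetical stand-in for the perceptual similarity network's feature
# extractor: a fixed random linear map phi(x) = W_feat @ vec(x).
rng = np.random.default_rng(0)
W_feat = rng.standard_normal((16, H * H))
phi = lambda x: W_feat @ x.ravel()


def freq_feature_attack(x, steps=20, lr=0.01, keep=4):
    """Gradient ascent on ||phi(x_adv) - phi(x)||^2, with the perturbation
    confined to the keep x keep low-frequency block of the DCT spectrum."""
    f_clean = phi(x)
    mask = np.zeros_like(x)
    mask[:keep, :keep] = 1.0                 # restricted frequency search space
    delta = 1e-3 * rng.standard_normal(x.shape) * mask  # small seed perturbation
    for _ in range(steps):
        x_adv = x + idct2(delta)
        # gradient of the squared feature distance w.r.t. pixels ...
        g_pix = 2.0 * W_feat.T @ (phi(x_adv) - f_clean)
        # ... mapped back to the spectrum (the adjoint of idct2 is dct2,
        # since the DCT basis is orthonormal) and masked
        delta += lr * dct2(g_pix.reshape(x.shape)) * mask
    return x + idct2(delta)


x = rng.random((H, H))
x_adv = freq_feature_attack(x)
```

The frequency-domain mask is what narrows the search space: the resulting perturbation `x_adv - x` has all of its DCT energy inside the low-frequency block, while the feature distance to the clean image grows with every ascent step.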

Original language: English
Pages (from-to): 11019-11036
Number of pages: 18
Journal: International Journal of Intelligent Systems
Volume: 37
Issue number: 12
DOI
Publication status: Published - Dec 2022
