An Evolutionary-Based Black-Box Attack to Deep Neural Network Classifiers

Yutian Zhou; Yu an Tan; Quanxin Zhang; Xiaohui Kuang; Yahong Han; Jingjing Hu

doi:10.1007/s11036-019-01499-x

An Evolutionary-Based Black-Box Attack to Deep Neural Network Classifiers

Yutian Zhou, Yu an Tan, Quanxin Zhang, Xiaohui Kuang^*, Yahong Han, Jingjing Hu

^*此作品的通讯作者

科研成果: 期刊稿件 › 文章 › 同行评审

2 引用（Scopus）

摘要

Deep neural networks are susceptible to tiny crafted adversarial perturbations which are always added to all the pixels of the image to craft an adversarial example. Most of the existing adversarial attacks can reduce the L₂ distance between the adversarial image and the source image to a minimum but ignore the L₀ distance which is still huge. To address this issue, we introduce a new black-box adversarial attack based on evolutionary method and bisection method, which can greatly reduce the L₀ distance while limiting the L₂ distance. By flipping pixels of the target image, an adversarial example is generated, in which a small number of pixels come from the target image and the rest pixels are from the source image. Experiments show that our attack method is able to generate high quality adversarial examples steadily. Especially for generating adversarial examples for large scale images, our method performs better.

源语言	英语
页（从-至）	1616-1629
页数	14
期刊	Mobile Networks and Applications
卷	26
期	4
DOI	https://doi.org/10.1007/s11036-019-01499-x
出版状态	已出版 - 8月 2021

访问文件

10.1007/s11036-019-01499-x

其它文件与链接

链接到 Scopus 的出版物

引用此

@article{fd18549fa0ce4cc1b45d278a128ecbe1,

title = "An Evolutionary-Based Black-Box Attack to Deep Neural Network Classifiers",

abstract = "Deep neural networks are susceptible to tiny crafted adversarial perturbations which are always added to all the pixels of the image to craft an adversarial example. Most of the existing adversarial attacks can reduce the L2 distance between the adversarial image and the source image to a minimum but ignore the L0 distance which is still huge. To address this issue, we introduce a new black-box adversarial attack based on evolutionary method and bisection method, which can greatly reduce the L0 distance while limiting the L2 distance. By flipping pixels of the target image, an adversarial example is generated, in which a small number of pixels come from the target image and the rest pixels are from the source image. Experiments show that our attack method is able to generate high quality adversarial examples steadily. Especially for generating adversarial examples for large scale images, our method performs better.",

keywords = "Adversarial examples, Black-box attack, Evolutionary algorithm, Neural networks",

author = "Yutian Zhou and Tan, {Yu an} and Quanxin Zhang and Xiaohui Kuang and Yahong Han and Jingjing Hu",

note = "Publisher Copyright: {\textcopyright} 2020, Springer Science+Business Media, LLC, part of Springer Nature.",

year = "2021",

month = aug,

doi = "10.1007/s11036-019-01499-x",

language = "English",

volume = "26",

pages = "1616--1629",

journal = "Mobile Networks and Applications",

issn = "1383-469X",

publisher = "Springer Netherlands",

number = "4",

}

TY - JOUR

T1 - An Evolutionary-Based Black-Box Attack to Deep Neural Network Classifiers

AU - Zhou, Yutian

AU - Tan, Yu an

AU - Zhang, Quanxin

AU - Kuang, Xiaohui

AU - Han, Yahong

AU - Hu, Jingjing

PY - 2021/8

Y1 - 2021/8

N2 - Deep neural networks are susceptible to tiny crafted adversarial perturbations which are always added to all the pixels of the image to craft an adversarial example. Most of the existing adversarial attacks can reduce the L2 distance between the adversarial image and the source image to a minimum but ignore the L0 distance which is still huge. To address this issue, we introduce a new black-box adversarial attack based on evolutionary method and bisection method, which can greatly reduce the L0 distance while limiting the L2 distance. By flipping pixels of the target image, an adversarial example is generated, in which a small number of pixels come from the target image and the rest pixels are from the source image. Experiments show that our attack method is able to generate high quality adversarial examples steadily. Especially for generating adversarial examples for large scale images, our method performs better.

AB - Deep neural networks are susceptible to tiny crafted adversarial perturbations which are always added to all the pixels of the image to craft an adversarial example. Most of the existing adversarial attacks can reduce the L2 distance between the adversarial image and the source image to a minimum but ignore the L0 distance which is still huge. To address this issue, we introduce a new black-box adversarial attack based on evolutionary method and bisection method, which can greatly reduce the L0 distance while limiting the L2 distance. By flipping pixels of the target image, an adversarial example is generated, in which a small number of pixels come from the target image and the rest pixels are from the source image. Experiments show that our attack method is able to generate high quality adversarial examples steadily. Especially for generating adversarial examples for large scale images, our method performs better.

KW - Adversarial examples

KW - Black-box attack

KW - Evolutionary algorithm

KW - Neural networks

UR - http://www.scopus.com/inward/record.url?scp=85078288732&partnerID=8YFLogxK

U2 - 10.1007/s11036-019-01499-x

DO - 10.1007/s11036-019-01499-x

M3 - Article

AN - SCOPUS:85078288732

SN - 1383-469X

VL - 26

SP - 1616

EP - 1629

JO - Mobile Networks and Applications

JF - Mobile Networks and Applications

IS - 4

ER -

An Evolutionary-Based Black-Box Attack to Deep Neural Network Classifiers

摘要

访问文件

其它文件与链接

指纹

引用此