Attention-Guided Sparse Adversarial Attacks with Gradient Dropout

Hongzhi ZHAO, Lingguang HAO, Kuangrong HAO, Bing WEI, Xiaoyan LIU

Journal of Donghua University (English Edition), 2024, Vol. 41, Issue (5): 545-556. DOI: 10.19884/j.1672-5220.202312003
Information Technology and Artificial Intelligent
research-article


Abstract

Deep neural networks are extremely vulnerable to intentionally generated adversarial examples, which are produced by overlaying tiny noise on clean images. However, most existing transfer-based attack methods add perturbations to every pixel of the original image with the same weight, resulting in redundant noise in the adversarial examples, which makes them easier to detect. In view of this, a novel attention-guided sparse adversarial attack strategy with gradient dropout is introduced. It can be readily incorporated into existing gradient-based methods, and it minimizes the intensity and the scale of perturbations while ensuring the effectiveness of the adversarial examples. Specifically, in the gradient dropout phase, some relatively unimportant gradient information is randomly discarded to limit the intensity of the perturbation. In the attention-guided phase, the influence of each pixel on the model output is evaluated using a soft mask-refined attention mechanism, and the perturbation of pixels with smaller influence is limited to restrict the scale of the perturbation. Thorough experiments on the NeurIPS 2017 adversarial dataset and the ILSVRC 2012 validation dataset show that the proposed strategy has the potential to significantly reduce the superfluous noise in adversarial examples while keeping their attack efficacy intact. For instance, in attacks on adversarially trained models, integrating the strategy reduces the average level of noise injected into images by 8.32%, while the average attack success rate decreases by only 0.34%. Furthermore, the strategy can substantially raise the attack success rate by introducing only a slight degree of perturbation.

Keywords

deep neural network / adversarial attack / sparse adversarial attack / adversarial transferability / adversarial example

Cite this article

Hongzhi ZHAO, Lingguang HAO, Kuangrong HAO, Bing WEI, Xiaoyan LIU. Attention-Guided Sparse Adversarial Attacks with Gradient Dropout. Journal of Donghua University (English Edition), 2024, 41(5): 545-556. DOI: 10.19884/j.1672-5220.202312003


Funding

Fundamental Research Funds for the Central Universities, China(2232021A-10)

Shanghai Sailing Program, China(22YF1401300)

Natural Science Foundation of Shanghai, China(20ZR1400400)

Shanghai Pujiang Program, China(22PJ1423400)
