Adaptive Multi-scale Degradation-Based Attack for Boosting the Adversarial Transferability

IF 8.4 1区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

IEEE Transactions on Multimedia Pub Date : 2024-07-23 DOI:10.1109/TMM.2024.3428311

Ran Ran;Jiwei Wei;Chaoning Zhang;Guoqing Wang;Yang Yang;Heng Tao Shen

{"title":"Adaptive Multi-scale Degradation-Based Attack for Boosting the Adversarial Transferability","authors":"Ran Ran;Jiwei Wei;Chaoning Zhang;Guoqing Wang;Yang Yang;Heng Tao Shen","doi":"10.1109/TMM.2024.3428311","DOIUrl":null,"url":null,"abstract":"The vulnerability of deep neural networks to adversarial examples has raised huge concerns about the security of these algorithms. Black-box adversarial attacks have received a lot of attention as an influential method for evaluating model robustness. While various sophisticated adversarial attack methods have been proposed, the success rate in the black-box scenario still needs to be improved. To address these issues, we develop an Adaptive Multi-scale Degradation-based Attack method called \n<bold>AMDA</b>\n. The intuitive motivation behind our approach is that different models tend to have similar attention regions for low-scale images. Specifically, AMDA uses degraded images to generate perturbations at different scales and fuses these perturbations to generate adversarial examples that are insensitive to model changes. Furthermore, we design an adaptive multi-scale perturbation fusion that evaluates the transferability of perturbations at different scales based on noise and adaptively allocates fusion weights to prioritize strong transferability attacks and avoid being compromised by local optima. Extensive experimental results on the ImageNet, CIFAR-100, and CIFAR-10 datasets demonstrate that the proposed AMDA algorithm exhibits competitive performance for both normally trained models and defense models.","PeriodicalId":13273,"journal":{"name":"IEEE Transactions on Multimedia","volume":"26 ","pages":"10979-10990"},"PeriodicalIF":8.4000,"publicationDate":"2024-07-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Multimedia","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10607921/","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

The vulnerability of deep neural networks to adversarial examples has raised huge concerns about the security of these algorithms. Black-box adversarial attacks have received a lot of attention as an influential method for evaluating model robustness. While various sophisticated adversarial attack methods have been proposed, the success rate in the black-box scenario still needs to be improved. To address these issues, we develop an Adaptive Multi-scale Degradation-based Attack method called AMDA . The intuitive motivation behind our approach is that different models tend to have similar attention regions for low-scale images. Specifically, AMDA uses degraded images to generate perturbations at different scales and fuses these perturbations to generate adversarial examples that are insensitive to model changes. Furthermore, we design an adaptive multi-scale perturbation fusion that evaluates the transferability of perturbations at different scales based on noise and adaptively allocates fusion weights to prioritize strong transferability attacks and avoid being compromised by local optima. Extensive experimental results on the ImageNet, CIFAR-100, and CIFAR-10 datasets demonstrate that the proposed AMDA algorithm exhibits competitive performance for both normally trained models and defense models.

查看原文本刊更多论文

基于多尺度退化的自适应攻击，提升逆向可转移性

深度神经网络在对抗性示例面前的脆弱性引起了人们对这些算法安全性的极大关注。黑盒对抗攻击作为评估模型鲁棒性的一种有影响力的方法，受到了广泛关注。虽然已经提出了各种复杂的对抗攻击方法，但黑盒场景下的成功率仍有待提高。为了解决这些问题，我们开发了一种基于多尺度退化的自适应攻击方法，称为 AMDA。我们的方法背后的直观动机是，对于低尺度图像，不同模型往往有相似的关注区域。具体来说，AMDA 利用降级图像生成不同尺度的扰动，并融合这些扰动生成对模型变化不敏感的对抗示例。此外，我们还设计了一种自适应多尺度扰动融合方法，可根据噪声评估不同尺度扰动的可转移性，并自适应地分配融合权重，以优先处理强转移性攻击，避免受到局部最优的影响。在 ImageNet、CIFAR-100 和 CIFAR-10 数据集上的大量实验结果表明，所提出的 AMDA 算法对于正常训练的模型和防御模型都表现出了极具竞争力的性能。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Transactions on Multimedia 工程技术-电信学

CiteScore

11.70

自引率

11.00%

发文量

576

审稿时长

5.5 months

期刊介绍： The IEEE Transactions on Multimedia delves into diverse aspects of multimedia technology and applications, covering circuits, networking, signal processing, systems, software, and systems integration. The scope aligns with the Fields of Interest of the sponsors, ensuring a comprehensive exploration of research in multimedia.