发布求助

文献互助智能选刊最新文献

Lp-norm distortion-efficient adversarial attack

IF 3.4 3区工程技术 Q2 ENGINEERING, ELECTRICAL & ELECTRONIC

Signal Processing-Image Communication Pub Date : 2025-02-01 DOI:10.1016/j.image.2024.117241

Chao Zhou , Yuan-Gen Wang , Zi-Jia Wang , Xiangui Kang

{"title":"Lp-norm distortion-efficient adversarial attack","authors":"Chao Zhou , Yuan-Gen Wang , Zi-Jia Wang , Xiangui Kang","doi":"10.1016/j.image.2024.117241","DOIUrl":null,"url":null,"abstract":"<div><div>Adversarial examples have shown a powerful ability to make a well-trained model misclassified. Current mainstream adversarial attack methods only consider one of the distortions among <math><msub><mrow><mi>L</mi></mrow><mrow><mn>0</mn></mrow></msub></math>-norm, <math><msub><mrow><mi>L</mi></mrow><mrow><mn>2</mn></mrow></msub></math>-norm, and <math><msub><mrow><mi>L</mi></mrow><mrow><mi>∞</mi></mrow></msub></math>-norm. <math><msub><mrow><mi>L</mi></mrow><mrow><mn>0</mn></mrow></msub></math>-norm based methods cause large modification on a single pixel, resulting in naked-eye visible detection, while <math><msub><mrow><mi>L</mi></mrow><mrow><mn>2</mn></mrow></msub></math>-norm and <math><msub><mrow><mi>L</mi></mrow><mrow><mi>∞</mi></mrow></msub></math>-norm based methods suffer from weak robustness against adversarial defense since they always diffuse tiny perturbations to all pixels. A more realistic adversarial perturbation should be sparse and imperceptible. In this paper, we propose a novel <math><msub><mrow><mi>L</mi></mrow><mrow><mi>p</mi></mrow></msub></math>-norm distortion-efficient adversarial attack, which not only owns the least <math><msub><mrow><mi>L</mi></mrow><mrow><mn>2</mn></mrow></msub></math>-norm loss but also significantly reduces the <math><msub><mrow><mi>L</mi></mrow><mrow><mn>0</mn></mrow></msub></math>-norm distortion. To this aim, we design a new optimization scheme, which first optimizes an initial adversarial perturbation under <math><msub><mrow><mi>L</mi></mrow><mrow><mn>2</mn></mrow></msub></math>-norm constraint, and then constructs a dimension unimportance matrix for the initial perturbation. Such a dimension unimportance matrix can indicate the adversarial unimportance of each dimension of the initial perturbation. Furthermore, we introduce a new concept of adversarial threshold for the dimension unimportance matrix. The dimensions of the initial perturbation whose unimportance is higher than the threshold will be all set to zero, greatly decreasing the <math><msub><mrow><mi>L</mi></mrow><mrow><mn>0</mn></mrow></msub></math>-norm distortion. Experimental results on three benchmark datasets show that under the same query budget, the adversarial examples generated by our method have lower <math><msub><mrow><mi>L</mi></mrow><mrow><mn>0</mn></mrow></msub></math>-norm and <math><msub><mrow><mi>L</mi></mrow><mrow><mn>2</mn></mrow></msub></math>-norm distortion than the state-of-the-art. Especially for the MNIST dataset, our attack reduces 8.1% <math><msub><mrow><mi>L</mi></mrow><mrow><mn>2</mn></mrow></msub></math>-norm distortion meanwhile remaining 47% pixels unattacked. This demonstrates the superiority of the proposed method over its competitors in terms of adversarial robustness and visual imperceptibility. The code is available at https://github.com/GZHU-DVL/ZhouChao<svg><path></path></svg>.</div></div>","PeriodicalId":49521,"journal":{"name":"Signal Processing-Image Communication","volume":"131 ","pages":"Article 117241"},"PeriodicalIF":3.4000,"publicationDate":"2025-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Signal Processing-Image Communication","FirstCategoryId":"5","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0923596524001425","RegionNum":3,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"ENGINEERING, ELECTRICAL & ELECTRONIC","Score":null,"Total":0}

引用次数: 0

Abstract

Adversarial examples have shown a powerful ability to make a well-trained model misclassified. Current mainstream adversarial attack methods only consider one of the distortions among

L_{0}

-norm,

L_{2}

-norm, and

L_{\infty}

-norm.

L_{0}

-norm based methods cause large modification on a single pixel, resulting in naked-eye visible detection, while

L_{2}

-norm and

L_{\infty}

-norm based methods suffer from weak robustness against adversarial defense since they always diffuse tiny perturbations to all pixels. A more realistic adversarial perturbation should be sparse and imperceptible. In this paper, we propose a novel

L_{p}

-norm distortion-efficient adversarial attack, which not only owns the least

L_{2}

-norm loss but also significantly reduces the

L_{0}

-norm distortion. To this aim, we design a new optimization scheme, which first optimizes an initial adversarial perturbation under

L_{2}

-norm constraint, and then constructs a dimension unimportance matrix for the initial perturbation. Such a dimension unimportance matrix can indicate the adversarial unimportance of each dimension of the initial perturbation. Furthermore, we introduce a new concept of adversarial threshold for the dimension unimportance matrix. The dimensions of the initial perturbation whose unimportance is higher than the threshold will be all set to zero, greatly decreasing the

L_{0}

-norm distortion. Experimental results on three benchmark datasets show that under the same query budget, the adversarial examples generated by our method have lower

L_{0}

-norm and

L_{2}

-norm distortion than the state-of-the-art. Especially for the MNIST dataset, our attack reduces 8.1%

L_{2}

-norm distortion meanwhile remaining 47% pixels unattacked. This demonstrates the superiority of the proposed method over its competitors in terms of adversarial robustness and visual imperceptibility. The code is available at https://github.com/GZHU-DVL/ZhouChao.

查看原文本刊更多论文

低范数扭曲效率对抗性攻击

对抗性的例子显示了一个强大的能力，使一个训练有素的模型被错误分类。目前主流的对抗性攻击方法只考虑l0 -范数、l2 -范数和L∞-范数之间的一种扭曲。基于l0范数的方法会对单个像素进行较大的修改，导致肉眼可见检测，而基于l2范数和L∞范数的方法对对抗性防御的鲁棒性较弱，因为它们总是将微小的扰动扩散到所有像素。更现实的对抗性扰动应该是稀疏且难以察觉的。在本文中，我们提出了一种新的lp -范数扭曲有效的对抗攻击，它不仅具有最小的l2 -范数损失，而且显著降低了l0 -范数失真。为此，我们设计了一种新的优化方案，首先在l2范数约束下对初始对抗扰动进行优化，然后构造初始扰动的维数不重要矩阵。这样一个维度不重要矩阵可以表示初始扰动的每个维度的对抗不重要。此外，我们还引入了维数不重要矩阵的对抗阈值的新概念。初始扰动的不重要度高于阈值的维度将被全部设置为零，大大降低了l0范数失真。在三个基准数据集上的实验结果表明，在相同的查询预算下，我们的方法生成的对抗样例具有较低的l0范数和l2范数失真。特别是对于MNIST数据集，我们的攻击减少了8.1%的l2范数失真，同时保留了47%的未攻击像素。这证明了所提出的方法在对抗鲁棒性和视觉不可感知性方面优于其竞争对手。代码可在https://github.com/GZHU-DVL/ZhouChao上获得。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Signal Processing-Image Communication 工程技术-工程：电子与电气

CiteScore

8.40

自引率

2.90%

发文量

138

审稿时长

5.2 months

期刊介绍： Signal Processing: Image Communication is an international journal for the development of the theory and practice of image communication. Its primary objectives are the following: To present a forum for the advancement of theory and practice of image communication. To stimulate cross-fertilization between areas similar in nature which have traditionally been separated, for example, various aspects of visual communications and information systems. To contribute to a rapid information exchange between the industrial and academic environments. The editorial policy and the technical content of the journal are the responsibility of the Editor-in-Chief, the Area Editors and the Advisory Editors. The Journal is self-supporting from subscription income and contains a minimum amount of advertisements. Advertisements are subject to the prior approval of the Editor-in-Chief. The journal welcomes contributions from every country in the world. Signal Processing: Image Communication publishes articles relating to aspects of the design, implementation and use of image communication systems. The journal features original research work, tutorial and review articles, and accounts of practical developments. Subjects of interest include image/video coding, 3D video representations and compression, 3D graphics and animation compression, HDTV and 3DTV systems, video adaptation, video over IP, peer-to-peer video networking, interactive visual communication, multi-user video conferencing, wireless video broadcasting and communication, visual surveillance, 2D and 3D image/video quality measures, pre/post processing, video restoration and super-resolution, multi-camera video analysis, motion analysis, content-based image/video indexing and retrieval, face and gesture processing, video synthesis, 2D and 3D image/video acquisition and display technologies, architectures for image/video processing and communication.