Jiayang Liu, Weiming Zhang, Han Fang, Wenbo Zhou, Ee-Chien Chang, Siew-Kei Lam
Title: Improving adversarial transferability and imperceptibility with loss landscape and diffusion model
Journal: Pattern Recognition, volume 170, Article 112076
Publication date: 2025-07-03
Publication type: Journal Article
DOI: 10.1016/j.patcog.2025.112076
URL: https://www.sciencedirect.com/science/article/pii/S0031320325007368
Journal impact factor: 7.5; JCR: Q1 (Computer Science, Artificial Intelligence)
Citations: 0
Abstract
Deep neural networks (DNNs) are vulnerable to adversarial examples, which introduce imperceptible perturbations on benign samples to mislead the prediction of DNNs. Transferability is a key property of adversarial examples, which enables adversarial examples crafted for one network to deceive other networks with high probability. However, the adversarial perturbations introduced by transferable attacks are perceptible to human observers. Although there are unrestricted attacks which can achieve good visual imperceptibility, the adversarial transferability of these attacks remains relatively low. In this paper, we propose to improve adversarial transferability and imperceptibility of adversarial examples via a flat loss landscape and diffusion models. Specifically, we utilize the denoising diffusion implicit model (DDIM) inversion operation to map the input image back to the diffusion latent space. Then we add perturbations in the diffusion latent space to achieve successful attacks on the surrogate model and a flat input loss landscape, resulting in high adversarial transferability and perturbations that are imperceptible to human observers. Extensive experiments demonstrate that our proposed method enhances adversarial transferability while preserving the imperceptibility of the generated adversarial examples.
About the journal:
The field of Pattern Recognition is both mature and rapidly evolving, playing a crucial role in various related fields such as computer vision, image processing, text analysis, and neural networks. It closely intersects with machine learning and is being applied in emerging areas like biometrics, bioinformatics, multimedia data analysis, and data science. The journal Pattern Recognition, established half a century ago during the early days of computer science, has since grown significantly in scope and influence.