4.7 Article

Frequency domain regularization for iterative adversarial attacks

Journal

PATTERN RECOGNITION
Volume 134, Issue -, Pages -

Publisher

ELSEVIER SCI LTD
DOI: 10.1016/j.patcog.2022.109075

Keywords

Adversarial examples; Transfer-based attack; Black-box attack; Frequency-domain characteristics


Adversarial examples have gained increasing attention and the transferability of such examples is crucial for black-box attacks. To enhance transferability and prevent overfitting, this study proposes a regularization constraint for inputs in adversarial attacks. By exploiting the consistency between the outputs of convolutional neural networks and low frequencies of inputs, a frequency domain regularization is constructed. Experimental results on ImageNet demonstrate the superiority of the proposed method, achieving significant improvements in attack success rate compared to other attacks and defense methods.
Adversarial examples have attracted more and more attention with the prosperity of convolutional neural networks. The transferability of adversarial examples is an important property that makes black-box attacks possible in real-world applications. On the other hand, many adversarial defense methods have been proposed to improve robustness, leading to the requirement for more transferable adversarial examples. Inspired by the regularization term for network parameters in the training process, we treat adversarial attacks as a training process for inputs and propose a regularization constraint for inputs to prevent adversarial examples from overfitting the white-box networks and to enhance transferability. Specifically, we find a universal attribute: the outputs of convolutional neural networks are consistent with the low frequencies of inputs. Based on this, we construct a frequency domain regularization on inputs for iterative attacks. In this way, our method is compatible with existing iterative attack methods and can learn more transferable adversarial examples. Extensive experiments on ImageNet validate the superiority of our method, and compared with several attacks, we achieve attack success rate improvements of 8.0% and 11.5% on average against normal models and defense methods, respectively. © 2022 Published by Elsevier Ltd.
