Sensitive region-aware black-box adversarial attacks

Sensitive region-aware black-box adversarial attacks

Recent research on adversarial attacks has highlighted the vulnerability of deep neural networks (DNNs) to perturbations. While existing studies generate adversarial perturbations spread across the entire image, these global perturbations may be visible to human eyes, reducing their effectiveness in...

Full description

Saved in:
Bibliographic Details
Published in:Information sciences Vol. 637; p. 118929
Main Authors: Lin, Chenhao, Han, Sicong, Zhu, Jiongli, Li, Qian, Shen, Chao, Zhang, Youwei, Guan, Xiaohong
Format: Journal Article
Language:English
Published: Elsevier Inc 01-08-2023
Subjects:
Adversarial example
Deep learning
Imperception attack
Sensitive region
Deep learning
Adversarial example
Sensitive region
Imperception attack
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Recent research on adversarial attacks has highlighted the vulnerability of deep neural networks (DNNs) to perturbations. While existing studies generate adversarial perturbations spread across the entire image, these global perturbations may be visible to human eyes, reducing their effectiveness in real-world scenarios. To alleviate this issue, recent works propose to modify a limited number of input pixels to implement adversarial attacks. However, these approaches still have limitations in terms of both imperceptibility and efficiency. This paper proposes a novel plug-in framework called Sensitive Region-Aware Attack (SRA) to generate soft-label black-box adversarial examples using the sensitivity map and evolution strategies. First, a transferable black-box sensitivity map generation approach is proposed for identifying the sensitive regions of input images. To perform SRA with a limited amount of perturbed pixels, a dynamic l0 and l∞ adjustment strategy is introduced. Furthermore, an adaptive evolution strategy is employed to optimize the selection of generated sensitive regions, allowing for the execution of effective and imperceptible attacks. Experimental results demonstrate that our SRA achieves an imperceptible soft-label black-box attack with a 96.43% success rate using less than 20% of the image pixels on ImageNet and a 100% success rate using 30% of the image pixels on CIFAR-10. •Black-box sensitivity maps are transferable between different models.•Dynamic lp norm adjustment and adaptive evolution strategy promotes attack.•Proposed SRA can generate imperceptible and interpretable adversarial examples.
ISSN:0020-0255
1872-6291
DOI:10.1016/j.ins.2023.04.008