Computer Science ›› 2025, Vol. 52 ›› Issue (6): 381-389. doi: 10.11896/jsjkx.240300083

• Information Security •

Balancing Transferability and Imperceptibility for Adversarial Attacks

KANG Kai, WANG Jiabao, XU Kun   

  1. College of Command and Control Engineering, Army Engineering University of PLA, Nanjing 210007, China
  • Received: 2024-03-12 Revised: 2024-07-08 Online: 2025-06-15 Published: 2025-06-11
  • About author: KANG Kai, born in 1986, Ph.D candidate. His main research interests include adversarial attack and so on.
    WANG Jiabao, born in 1985, Ph.D, associate professor. His main research interests include computer vision and machine learning.
  • Supported by:
    Natural Science Foundation of Jiangsu Province, China (BK20200581).

Abstract: Data-driven deep learning models are vulnerable to well-designed adversarial attacks because they cannot cover all possible sample data. The existing main Lp-norm perturbation attack methods based on RGB pixel space achieve high attack success rates and transferability, but the adversarial samples they generate contain high-frequency noise that is easily perceived by the human eye. Attack methods based on diffusion models balance transferability and imperceptibility, but their optimization strategies mainly focus on the perspective of adversarial models. These studies lack in-depth exploration and analysis of transferability and imperceptibility from the perspective of the surrogate model. To further explore and analyze the control sources of transferability and imperceptibility, a new adversarial sample generation method based on the latent diffusion model is proposed within the framework of surrogate-model-based attack methods. In this method, under the constraint of a basic adversarial loss, a transferable attention constraint loss and an imperceptible consistency constraint loss are designed to achieve a balance between transferability and imperceptibility. On three publicly available datasets, ImageNet Compatible, CUB-200-2011, and Stanford Cars, the proposed method, compared with existing methods, generates adversarial samples with strong cross-model transferable attack ability and perturbations that are imperceptible to the human eye.

Key words: Adversarial attacks, Diffusion model, Transferability, Imperceptibility, Attention mechanism

CLC Number: TP391