论文信息 - Imperceptible and Sparse Adversarial Attacks via a Dual-Population-Based Constrained Evolutionary Algorithm

Imperceptible and Sparse Adversarial Attacks via a Dual-Population-Based Constrained Evolutionary Algorithm

The sparse adversarial attack has attracted increasing attention due to the merit of a low attack cost via changing a small number of pixels. However, the generated adversarial examples are easily detected in vision since the perturbation to each pixel is relatively large. To achieve imperceptible and sparse adversarial attacks, this article formulates a bi-objective constrained optimization problem, simultaneously minimizing the <inline-formula><tex-math notation="LaTeX">$\ell _{0}$</tex-math></inline-formula> and <inline-formula><tex-math notation="LaTeX">$\ell _{2}$</tex-math></inline-formula> distances to the original image, and proposes a dual-population-based constrained evolutionary algorithm to solve it. The proposed method solves the optimization problem by evolving two populations, where one population is responsible for finding feasible solutions (i.e., successful attacks) and the other one is to minimize both the <inline-formula><tex-math notation="LaTeX">$\ell _{0}$</tex-math></inline-formula> and <inline-formula><tex-math notation="LaTeX">$\ell _{2}$</tex-math></inline-formula> distances. Moreover, a population initialization strategy and two genetic operators are customized to accelerate the convergence speed. Experimental results indicate that the proposed method can achieve high success rates with low attack costs, and strikes a better balance between the <inline-formula><tex-math notation="LaTeX">$\ell _{0}$</tex-math></inline-formula> and <inline-formula><tex-math notation="LaTeX">$\ell _{2}$</tex-math></inline-formula> distances than state-of-the-art methods.

[1] Ye Tian,et al. Evolutionary Large-Scale Multi-Objective Optimization: A Survey , 2021, ACM Comput. Surv..

[2] Yong Man Ro,et al. Robust Decision-Based Black-Box Adversarial Attack via Coarse-To-Fine Random Search , 2021, 2021 IEEE International Conference on Image Processing (ICIP).

[3] Wenjian Luo,et al. Hiding All Labels for Multi-label Images: An Empirical Study of Adversarial Examples , 2021, 2021 International Joint Conference on Neural Networks (IJCNN).

[4] Martin Pilát,et al. Beating White-Box Defenses with Black-Box Attacks , 2021, 2021 International Joint Conference on Neural Networks (IJCNN).

[5] Marius Popescu,et al. EvoBA: An Evolution Strategy as a Strong Baseline forBlack-Box Adversarial Attacks , 2021, ICONIP.

[6] Chenwang Wu,et al. Genetic Algorithm with Multiple Fitness Functions for Generating Adversarial Examples , 2021, 2021 IEEE Congress on Evolutionary Computation (CEC).

[7] Yaochu Jin,et al. A Gradient-Guided Evolutionary Approach to Training Deep Neural Networks , 2021, IEEE Transactions on Neural Networks and Learning Systems.

[8] Fabio Roli,et al. Fast Minimum-norm Adversarial Attacks through Adaptive Norm Constraints , 2021, NeurIPS.

[9] Tao Zhang,et al. A Coevolutionary Framework for Constrained Multiobjective Optimization Problems , 2021, IEEE Transactions on Evolutionary Computation.

[10] Jia Liu,et al. Multi-objective Search of Robust Neural Architectures against Multiple Types of Adversarial Attacks , 2021, Neurocomputing.

[11] Issa M. Khalil,et al. ManiGen: A Manifold Aided Black-Box Generator of Adversarial Examples , 2020, IEEE Access.

[12] Sankha Subhra Mullick,et al. A black-box adversarial attack strategy with adjustable sparsity and generalizability for deep image classifiers , 2020, Pattern Recognit..

[13] Nathaniel D. Bastian,et al. Adversarial Machine Learning in Network Intrusion Detection Systems , 2020, Expert Syst. Appl..

[14] Ye Tian,et al. An Evolutionary Algorithm for Large-Scale Sparse Multiobjective Optimization Problems , 2020, IEEE Transactions on Evolutionary Computation.

[15] Matthias Hein,et al. Sparse and Imperceivable Adversarial Attacks , 2019, 2019 IEEE/CVF International Conference on Computer Vision (ICCV).

[16] Xuan Wang,et al. A Multi-objective Examples Generation Approach to Fool the Deep Neural Networks in the Black-Box Scenario , 2019, 2019 IEEE Fourth International Conference on Data Science in Cyberspace (DSC).

[17] Fu Song,et al. Taking Care of the Discretization Problem: A Comprehensive Study of the Discretization Problem and a Black-Box Adversarial Attack in Discrete Integer Domain , 2019, IEEE Transactions on Dependable and Secure Computing.

[18] Wei Liu,et al. Efficient Decision-Based Black-Box Adversarial Attacks on Face Recognition , 2019, 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR).

[19] Danilo Vasconcellos Vargas,et al. Understanding the One Pixel Attack: Propagation Maps and Locality Analysis , 2019, AISafety@IJCAI.

[20] Seyed-Mohsen Moosavi-Dezfooli,et al. SparseFool: A Few Pixels Make a Big Difference , 2018, 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR).

[21] Anqi Xu,et al. Maximal Jacobian-based Saliency Map Attack , 2018, ArXiv.

[22] Deniz Erdogmus,et al. Structured Adversarial Attack: Towards General Implementation and Better Interpretability , 2018, ICLR.

[23] Aleksander Madry,et al. Prior Convictions: Black-Box Adversarial Attacks with Bandits and Priors , 2018, ICLR.

[24] Yiming Yang,et al. DARTS: Differentiable Architecture Search , 2018, ICLR.

[25] Atul Prakash,et al. Robust Physical-World Attacks on Deep Learning Visual Classification , 2018, 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition.

[26] Logan Engstrom,et al. Black-box Adversarial Attacks with Limited Queries and Information , 2018, ICML.

[27] Jian Shen,et al. Finger vein secure biometric template generation based on deep learning , 2018, Soft Comput..

[28] Martín Abadi,et al. Adversarial Patch , 2017, ArXiv.

[29] Matthias Bethge,et al. Decision-Based Adversarial Attacks: Reliable Attacks Against Black-Box Machine Learning Models , 2017, ICLR.

[30] Kouichi Sakurai,et al. One Pixel Attack for Fooling Deep Neural Networks , 2017, IEEE Transactions on Evolutionary Computation.

[31] Jun Zhu,et al. Boosting Adversarial Attacks with Momentum , 2017, 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition.

[32] Jinfeng Yi,et al. ZOO: Zeroth Order Optimization Based Black-box Attacks to Deep Neural Networks without Training Substitute Models , 2017, AISec@CCS.

[33] Aleksander Madry,et al. Towards Deep Learning Models Resistant to Adversarial Attacks , 2017, ICLR.

[34] Jan Hendrik Witte,et al. Deep Learning for Finance: Deep Portfolios , 2016 .

[35] David A. Wagner,et al. Towards Evaluating the Robustness of Neural Networks , 2016, 2017 IEEE Symposium on Security and Privacy (SP).

[36] Samy Bengio,et al. Adversarial examples in the physical world , 2016, ICLR.

[37] Xin Zhang,et al. End to End Learning for Self-Driving Cars , 2016, ArXiv.

[38] Jian Sun,et al. Deep Residual Learning for Image Recognition , 2015, 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR).

[39] Ananthram Swami,et al. The Limitations of Deep Learning in Adversarial Settings , 2015, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[40] Seyed-Mohsen Moosavi-Dezfooli,et al. DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks , 2015, 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR).

[41] Ye Tian,et al. An Efficient Approach to Nondominated Sorting for Evolutionary Multiobjective Optimization , 2015, IEEE Transactions on Evolutionary Computation.

[42] Jonathon Shlens,et al. Explaining and Harnessing Adversarial Examples , 2014, ICLR.

[43] Andrew Zisserman,et al. Very Deep Convolutional Networks for Large-Scale Image Recognition , 2014, ICLR.

[44] Michael S. Bernstein,et al. ImageNet Large Scale Visual Recognition Challenge , 2014, International Journal of Computer Vision.

[45] Joan Bruna,et al. Intriguing properties of neural networks , 2013, ICLR.

[46] Geoffrey E. Hinton,et al. ImageNet classification with deep convolutional neural networks , 2012, Commun. ACM.

[47] Tara N. Sainath,et al. FUNDAMENTAL TECHNOLOGIES IN MODERN SPEECH RECOGNITION Digital Object Identifier 10.1109/MSP.2012.2205597 , 2012 .

[48] Francisco Herrera,et al. A practical tutorial on the use of nonparametric statistical tests as a methodology for comparing evolutionary and swarm intelligence algorithms , 2011, Swarm Evol. Comput..

[49] Qingfu Zhang,et al. Multiobjective evolutionary algorithms: A survey of the state of the art , 2011, Swarm Evol. Comput..

[50] P. N. Suganthan,et al. Differential Evolution: A Survey of the State-of-the-Art , 2011, IEEE Transactions on Evolutionary Computation.

[51] R. Lyndon While,et al. A faster algorithm for calculating hypervolume , 2006, IEEE Transactions on Evolutionary Computation.

[52] Kalyanmoy Deb,et al. A fast and elitist multiobjective genetic algorithm: NSGA-II , 2002, IEEE Trans. Evol. Comput..

[53] Danilo Vasconcellos Vargas,et al. Adversarial Robustness Assessment : Why both L 0 and L ∞ Attacks Are Necessary , 2021 .

[54] Baoyuan Wu,et al. Sparse Adversarial Attack via Perturbation Factorization , 2020, ECCV.

[55] Li. Two-Archive Evolutionary Algorithm for Constrained Multi-Objective Optimization , 2018 .

[56] Alex Krizhevsky,et al. Learning Multiple Layers of Features from Tiny Images , 2009 .

[57] Yoshua Bengio,et al. Gradient-based learning applied to document recognition , 1998, Proc. IEEE.

[58] Kalyanmoy Deb,et al. A combined genetic adaptive search (GeneAS) for engineering design , 1996 .

[59] Kalyanmoy Deb,et al. Simulated Binary Crossover for Continuous Search Space , 1995, Complex Syst..