Chao Zhou , Yuan-Gen Wang , Zi-Jia Wang , Xiangui Kang
{"title":"Lp-norm distortion-efficient adversarial attack","authors":"Chao Zhou , Yuan-Gen Wang , Zi-Jia Wang , Xiangui Kang","doi":"10.1016/j.image.2024.117241","DOIUrl":null,"url":null,"abstract":"<div><div>Adversarial examples have shown a powerful ability to make a well-trained model misclassified. Current mainstream adversarial attack methods only consider one of the distortions among <span><math><msub><mrow><mi>L</mi></mrow><mrow><mn>0</mn></mrow></msub></math></span>-norm, <span><math><msub><mrow><mi>L</mi></mrow><mrow><mn>2</mn></mrow></msub></math></span>-norm, and <span><math><msub><mrow><mi>L</mi></mrow><mrow><mi>∞</mi></mrow></msub></math></span>-norm. <span><math><msub><mrow><mi>L</mi></mrow><mrow><mn>0</mn></mrow></msub></math></span>-norm based methods cause large modification on a single pixel, resulting in naked-eye visible detection, while <span><math><msub><mrow><mi>L</mi></mrow><mrow><mn>2</mn></mrow></msub></math></span>-norm and <span><math><msub><mrow><mi>L</mi></mrow><mrow><mi>∞</mi></mrow></msub></math></span>-norm based methods suffer from weak robustness against adversarial defense since they always diffuse tiny perturbations to all pixels. A more realistic adversarial perturbation should be sparse and imperceptible. In this paper, we propose a novel <span><math><msub><mrow><mi>L</mi></mrow><mrow><mi>p</mi></mrow></msub></math></span>-norm distortion-efficient adversarial attack, which not only owns the least <span><math><msub><mrow><mi>L</mi></mrow><mrow><mn>2</mn></mrow></msub></math></span>-norm loss but also significantly reduces the <span><math><msub><mrow><mi>L</mi></mrow><mrow><mn>0</mn></mrow></msub></math></span>-norm distortion. To this aim, we design a new optimization scheme, which first optimizes an initial adversarial perturbation under <span><math><msub><mrow><mi>L</mi></mrow><mrow><mn>2</mn></mrow></msub></math></span>-norm constraint, and then constructs a dimension unimportance matrix for the initial perturbation. Such a dimension unimportance matrix can indicate the adversarial unimportance of each dimension of the initial perturbation. Furthermore, we introduce a new concept of adversarial threshold for the dimension unimportance matrix. The dimensions of the initial perturbation whose unimportance is higher than the threshold will be all set to zero, greatly decreasing the <span><math><msub><mrow><mi>L</mi></mrow><mrow><mn>0</mn></mrow></msub></math></span>-norm distortion. Experimental results on three benchmark datasets show that under the same query budget, the adversarial examples generated by our method have lower <span><math><msub><mrow><mi>L</mi></mrow><mrow><mn>0</mn></mrow></msub></math></span>-norm and <span><math><msub><mrow><mi>L</mi></mrow><mrow><mn>2</mn></mrow></msub></math></span>-norm distortion than the state-of-the-art. Especially for the MNIST dataset, our attack reduces 8.1% <span><math><msub><mrow><mi>L</mi></mrow><mrow><mn>2</mn></mrow></msub></math></span>-norm distortion meanwhile remaining 47% pixels unattacked. This demonstrates the superiority of the proposed method over its competitors in terms of adversarial robustness and visual imperceptibility. The code is available at <span><span>https://github.com/GZHU-DVL/ZhouChao</span><svg><path></path></svg></span>.</div></div>","PeriodicalId":49521,"journal":{"name":"Signal Processing-Image Communication","volume":"131 ","pages":"Article 117241"},"PeriodicalIF":3.4000,"publicationDate":"2025-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Signal Processing-Image Communication","FirstCategoryId":"5","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0923596524001425","RegionNum":3,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"ENGINEERING, ELECTRICAL & ELECTRONIC","Score":null,"Total":0}
引用次数: 0
Abstract
Adversarial examples have shown a powerful ability to make a well-trained model misclassified. Current mainstream adversarial attack methods only consider one of the distortions among -norm, -norm, and -norm. -norm based methods cause large modification on a single pixel, resulting in naked-eye visible detection, while -norm and -norm based methods suffer from weak robustness against adversarial defense since they always diffuse tiny perturbations to all pixels. A more realistic adversarial perturbation should be sparse and imperceptible. In this paper, we propose a novel -norm distortion-efficient adversarial attack, which not only owns the least -norm loss but also significantly reduces the -norm distortion. To this aim, we design a new optimization scheme, which first optimizes an initial adversarial perturbation under -norm constraint, and then constructs a dimension unimportance matrix for the initial perturbation. Such a dimension unimportance matrix can indicate the adversarial unimportance of each dimension of the initial perturbation. Furthermore, we introduce a new concept of adversarial threshold for the dimension unimportance matrix. The dimensions of the initial perturbation whose unimportance is higher than the threshold will be all set to zero, greatly decreasing the -norm distortion. Experimental results on three benchmark datasets show that under the same query budget, the adversarial examples generated by our method have lower -norm and -norm distortion than the state-of-the-art. Especially for the MNIST dataset, our attack reduces 8.1% -norm distortion meanwhile remaining 47% pixels unattacked. This demonstrates the superiority of the proposed method over its competitors in terms of adversarial robustness and visual imperceptibility. The code is available at https://github.com/GZHU-DVL/ZhouChao.
期刊介绍:
Signal Processing: Image Communication is an international journal for the development of the theory and practice of image communication. Its primary objectives are the following:
To present a forum for the advancement of theory and practice of image communication.
To stimulate cross-fertilization between areas similar in nature which have traditionally been separated, for example, various aspects of visual communications and information systems.
To contribute to a rapid information exchange between the industrial and academic environments.
The editorial policy and the technical content of the journal are the responsibility of the Editor-in-Chief, the Area Editors and the Advisory Editors. The Journal is self-supporting from subscription income and contains a minimum amount of advertisements. Advertisements are subject to the prior approval of the Editor-in-Chief. The journal welcomes contributions from every country in the world.
Signal Processing: Image Communication publishes articles relating to aspects of the design, implementation and use of image communication systems. The journal features original research work, tutorial and review articles, and accounts of practical developments.
Subjects of interest include image/video coding, 3D video representations and compression, 3D graphics and animation compression, HDTV and 3DTV systems, video adaptation, video over IP, peer-to-peer video networking, interactive visual communication, multi-user video conferencing, wireless video broadcasting and communication, visual surveillance, 2D and 3D image/video quality measures, pre/post processing, video restoration and super-resolution, multi-camera video analysis, motion analysis, content-based image/video indexing and retrieval, face and gesture processing, video synthesis, 2D and 3D image/video acquisition and display technologies, architectures for image/video processing and communication.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
