BHI: Embedded invisible watermark as adversarial example based on Basin-Hopping improvement

Abstract

Traditional research on generating adversarial examples has mainly focused on artificially adding imperceptible perturbations to input examples. Typically, the perturbation information in adversarial examples has no practical meaning. This study proposes a novel scheme for generating adversarial examples by embedding invisible watermarks based on basin-hopping improvement (BHI). To produce adversarial examples, the proposed BHI scheme is implemented by embedding invisible watermarks into original images based on a data-hiding technique. Specifically, the BHI scheme determines the corresponding coordinates of host images and watermark sizes. By considering the specific coordinates and size, the BHI scheme invisibly embeds the watermarks into the host images to generate adversarial examples. Experimental results show that the attack success rate of the BHI scheme reaches 93.5%. The proposed BHI scheme not only completes the function of an adversarial attack but also protects the copyright of adversarial examples. Moreover, the adversarial examples exhibit outstanding visual and robust performance, providing additional visual protection to avoid the risk of attack.