Abstract
The adversarial attack is a popular technology to evaluate the robustness of deep learning models. However, adversarial examples crafted by current methods often have poor imperceptibility and low transferability, hindering the utility of attacks in practice. In this paper, we creatively leverage the frequency information to promote the imperceptibility and adversarial transferability in the white-box scenario and black-box scenario, respectively. Specifically, in the white-box scenario, we adopt the low-frequency constraint and normal projection to improve the imperceptibility of the adversarial example without reducing the attack performance. In the black-box scenario, we propose an effective Frequency Spectrum Diversity Transformation (FSDT) to address the issue of overfitting to the substitute model. FSDT enriches the input with a diverse set of unfamiliar information, significantly improving the transferability of adversarial attacks. Towards those defended target models in the black-box scenario, we also design a gradient refinement technology named Frequency Dropout (FD) to discard some useless components of gradients in the frequency domain, which can further mitigate the protective effect of defense mechanisms. Plentiful experiments forcefully validate the superiority of our proposed methods. Furthermore, we apply the proposed method to evaluate the robustness of real-world online models and discover their vulnerability. Finally, we analyze why imperceptibility and adversarial transferability are hard to improve concurrently from the view of frequency. Our codes are available at https://github.com/RYC-98/FSD-MIM-and-NPGA.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.