Generating adversarial examples with elastic-net regularized boundary equilibrium generative adversarial network

Abstract

To improve the attack success rate and image perceptual quality of adversarial examples against deep neural networks(DNNs), we propose a new Generative Adversarial Network (GAN) based attacker, named Elastic-net Regularized Boundary Equilibrium Generative Adversarial Network(ERBEGAN). Recent studies have shown that DNNs are easy to attack by adversarial examples(AEs) where benign images with small-magnitude perturbations mislead DNNs to incorrect results. A number of methods are proposed to generate AEs, but how to generate them with high attack success rate and perceptual quality needs more effort. Most attackers generate AEs by restricting L2-norm and L∞-norm of adversarial perturbations. However, very few works have been developed on L1 distortion matrix which encourages sparsity in the perturbation. In this paper, we penalize both L2-norm and L1-norm of perturbation as Elastic-Net regularization to improve the diversity and robustness of AEs. We further improve GAN by minimizing the additional pixel-wise loss derived from the Wasserstein distance between benign and adversarial auto-encoder loss distributions. Extensive experiments and visualizations on several datasets show that the proposed ERBEGAN can yield higher attack success rates than the state-of-the-art GAN-based attacker AdvGAN under the semi-whitebox and black-box attack settings. Besides, our method efficiently generates diverse adversarial examples that are more perceptually realistic.