IWA: Integrated gradient‐based white‐box attacks for fooling deep neural networks

Abstract

The widespread application of deep neural network (DNN) techniques is being challenged by adversarial examples—the legitimate input added with imperceptible and well-designed perturbation that can fool DNNs easily in the DNN testing/deploying stage. Previous white-box adversarial example generation algorithms used the Jacobian gradient information to add the perturbation. This imprecise and inexplicit information can cause unnecessary perturbation when generating adversarial examples. This paper aims to address this issue. We first propose to apply the more informative and distilled gradient information, namely, integrated gradient, to generate adversarial examples. To further make the perturbation more imperceptible, we propose to employ the restriction combination of L 0 and L 1 / L 2 second, which can restrict the total perturbation and the perturbation points simultaneously. Meanwhile, to address the nondifferentiable problem of L 1 , we explore a proximal operation of L 1 third. On the basis of these three works, we propose two Integrated gradient-based White-box Adversarial example generation algorithms (IWA): Integrated gradient-based Finite Point Attack (IFPA) and Integrated gradient-based Universe Attack (IUA). IFPA is suitable for situations where there are a determined number of points to be perturbed. IUA is suitable for situations where no perturbation point number is preset to obtain more adversarial examples. We verify the effectiveness of the proposed algorithms on both structured and unstructured data sets, and compare them with five baseline generation algorithms. The results show that our proposed algorithms craft adversarial examples with more imperceptible perturbation and satisfactory crafting rate. L 2 restriction is suitable for unstructured data sets and L 1 restriction performs better in the structured data set.