Abstract

Neural networks have been widely applied, but they are still vulnerable to adversarial examples. More and more defense models have been proposed that can resist attacks on neural networks. In order to generate adversarial examples with good transferability, we propose the restricted region based iterative gradient method (RRI-GM) for non-targeted attacks, which aims at generating adversarial examples that make black-box defense models output wrong decisions. We first use an object detection algorithm to restrict the perturbation to some key regions in the images, since we regard perturbation in the key regions as having more effect than perturbation over the whole image. To improve the efficiency of attacks, we use gradient-based attack methods, which show good performance. In addition, the process is iterated for multiple rounds to generate adversarial examples with good transferability. Furthermore, we conduct extensive experiments to validate the effectiveness of the proposed method, and the results show that our method can achieve good attack performance against black-box defense models.

Highlights

  • With the fast development of deep learning, neural networks have achieved great success in a large number of applications [1], [2]

  • The results show that the proposed restricted region based iterative gradient attack method helps to improve the success rate of black-box attack against the normally trained models and defense models by a large margin

  • Related work: we introduce the related works in generating adversarial examples against deep neural networks (DNNs) and some defense methods against such attacks

Summary

INTRODUCTION

With the fast development of deep learning, neural networks have achieved great success in a large number of applications [1], [2]. Many works introduce adversarial training as an effective defense method [19], [20], which utilizes the generated adversarial examples to train neural networks. These works are shown to achieve good defense results against white-box attacks. Ensemble learning is another strategy, which combines multiple neural networks to defend against adversarial examples [21]. In order to generate robust adversarial examples that evade both normally trained neural networks (white-box) and defense neural networks (black-box), we propose the restricted region based iterative gradient method. Neural networks utilize more training iterations to achieve good performance; likewise, adversarial examples should be generated in an iterative way to attack the neural networks with a high success rate. Combining these aspects, we add perturbation to the restricted region iteratively to generate adversarial examples against black-box neural networks.

RELATED WORK
ADVERSARIAL ATTACK
SYSTEM MODEL AND PROBLEM DEFINITION
GRADIENT-BASED ADVERSARIAL ATTACK METHODS
METHODOLOGY
EXPERIMENTS
ADVANTAGES AND DISADVANTAGES
Findings
CONCLUSIONS AND FUTURE WORKS