TY - JOUR
T1 - MixCam-attack
T2 - Boosting the transferability of adversarial examples with targeted data augmentation
AU - Guo, Sensen
AU - Li, Xiaoyu
AU - Zhu, Peican
AU - Wang, Baocang
AU - Mu, Zhiying
AU - Zhao, Jinxiong
N1 - Publisher Copyright:
© 2023 Elsevier Inc.
PY - 2024/2
Y1 - 2024/2
N2 - Many black-box adversarial attack algorithms perform attacks on machine learning models based on the transferability of adversarial examples, and the input transformation-based attack is one of the most effective methods. However, existing input transformation methods ignore that each pixel contributes differently to the output of the model, and the focus regions of different models on the same images are similar. Therefore, this paper proposes a targeted data augmentation-based adversarial attack algorithm named MixCam, which augments the input data based on the contribution of each pixel to the prediction result. This is done to enhance the transferability of the crafted adversarial example from the perspective of shifting the regions to which the model pays most of its attention. In addition, this paper proposes further boosting the transferability of the crafted adversarial examples by fusing the class activation maps of multiple models for the input image. Furthermore, the MixCam can integrate other input transformation methods to further boost the transferability of crafted adversarial examples. Extensive experiments on ImageNet demonstrate that MixCam outperforms other state-of-the-art methods in black-box attacks against considered adversarially trained models, with an average increase of 11.7% and 10.7% in attack success rates for single and ensemble attack settings, respectively.
AB - Many black-box adversarial attack algorithms perform attacks on machine learning models based on the transferability of adversarial examples, and the input transformation-based attack is one of the most effective methods. However, existing input transformation methods ignore that each pixel contributes differently to the output of the model, and the focus regions of different models on the same images are similar. Therefore, this paper proposes a targeted data augmentation-based adversarial attack algorithm named MixCam, which augments the input data based on the contribution of each pixel to the prediction result. This is done to enhance the transferability of the crafted adversarial example from the perspective of shifting the regions to which the model pays most of its attention. In addition, this paper proposes further boosting the transferability of the crafted adversarial examples by fusing the class activation maps of multiple models for the input image. Furthermore, the MixCam can integrate other input transformation methods to further boost the transferability of crafted adversarial examples. Extensive experiments on ImageNet demonstrate that MixCam outperforms other state-of-the-art methods in black-box attacks against considered adversarially trained models, with an average increase of 11.7% and 10.7% in attack success rates for single and ensemble attack settings, respectively.
KW - Adversarial examples
KW - Class activation maps
KW - Input transformation
KW - Targeted data augmentation
UR - http://www.scopus.com/inward/record.url?scp=85178376858&partnerID=8YFLogxK
U2 - 10.1016/j.ins.2023.119918
DO - 10.1016/j.ins.2023.119918
M3 - 文章
AN - SCOPUS:85178376858
SN - 0020-0255
VL - 657
JO - Information Sciences
JF - Information Sciences
M1 - 119918
ER -