Open Access
Issue
Wuhan Univ. J. Nat. Sci.
Volume 28, Number 1, February 2023
Page(s) 35 - 44
DOI https://doi.org/10.1051/wujns/2023281035
Published online 17 March 2023

© Wuhan University 2023

Licence: Creative Commons. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

0 Introduction

Neural networks are now widely used in a variety of fields, including automatic driving[1,2], medical treatment[3,4], biology[5,6], and finance[7], where they have produced remarkable results. However, we must consider the security issues posed by deep neural networks. As in traditional security, user input must be examined carefully. In SQL (Structured Query Language) injection and XSS (Cross-Site Scripting) attacks, users can inject malicious code into an input field to dump database and server content. The situation is the same for deep neural networks: we must pay close attention to how they behave when confronted with abnormal inputs. Attacks of this type have already occurred. For instance, some attackers were able to evade malicious email detection and intrusion detection systems that employ deep learning models, owing to the characteristics of the models. Attacks on contemporary deep neural networks will inevitably result in breaches of privacy, identity theft, and numerous other grave issues.

The development of attacks strengthens defenses. If we can discover more efficient attack methods, defensive capabilities will undoubtedly benefit. Adversarial examples apply a minute perturbation to the original image that is imperceptible to the human eye but induces massive errors in deep learning models. There are two types of adversarial example methods: black-box attacks and white-box attacks. White-box attacks such as FGSM (fast gradient sign method)[8], BIM (basic iterative method)[9] and C&W (Carlini & Wagner)[10] can be very effective when the model is known. For black-box attacks, there are two prevalent approaches: query-based and transfer-based. The former must repeatedly access the deep neural network. In the real world, many APIs (Application Programming Interfaces) of online models are not free, which makes query-based attacks costly and easily detected. Transferability is the superior option. Szegedy et al[8] discovered that adversarial examples are transferable: adversarial examples produced by one model also pose a threat to other models. By exploiting transferability, we can conduct black-box attacks without visiting the target model, making our attacks more covert. Data transformation is a common technique in transfer-based attacks, as in DI2-FGSM (Diversity Input)[11].

In this work, we explore whether better transferability can be achieved by destroying the sensitive features of the image, starting from the image itself. In the real world, we are unlikely to know which model the target employs, so black-box attacks are more significant in practice. Our method focuses on enhancing transferability in order to achieve better results on unknown deep neural networks. We were motivated by the human attention mechanism: humans selectively focus on a portion of the available information while ignoring the rest. For example, people pay more attention to a cat's face when they try to distinguish between cats and dogs. As shown in Fig. 1, the same mechanism applies to deep neural networks in classification tasks. All the models focus on the face of the cat when they classify this image. If the most sensitive features are attacked, it is more likely that all models will give an incorrect answer.

Fig. 1 Grad-CAM feature maps generated under various networks

(a) is an original image belonging to the 281st ImageNet class; (b) is generated through ResNet-50; (c) is generated through ShuffleNet v2; (d) is generated through VGG19

The most closely related work is the ATA (Attention-guided Transfer Attack) method[12], which builds on the transferability of attention. However, it is ill-suited to settings with limited local computing power, where speed is highly important. It also fails to recognize that the sensitive features generated by different models are distinct, and these differences may hinder transferability. As shown in Fig. 1, although all the models focus on the face of the cat, there are distinctions: ResNet-50 focuses more on the body of the cat, while ShuffleNet v2 is more attentive to other details of the cat.

Because attention areas vary, we first propose a single-step attack based on the sensitive features of a single network. Few existing works consider single-step attacks, yet single-step attacks are fast and require few accesses to the model. To extract sensitive features, we follow the ATA method and use Grad-CAM (Class Activation Maps)[13], which extracts the areas of a given image that the network attends to. Then, we propose a one-step attack based on multiple sensitive features from different networks. Finally, the idea of multi-feature fusion is applied to multi-step attacks, where the current ATA approach only considers sensitive features from one model. In conclusion, we enhance the ATA method by incorporating sensitive features from other classification models. We outperform the original ATA method by 1%-3% on the CIFAR-10 and MNIST datasets.

1 Related Work

Adversarial example attacks can be divided into black-box and white-box attacks based on whether the attacker knows the model structure. For black-box attacks, transfer-based attacks are more commonly used because they do not require access to the target model. Next, we introduce representative methods for each of these types of attacks and the most advanced methods that are related to our work.

1.1 White-Box Attack

Since the architecture of the deep neural network is known, white-box attacks are clearly more efficient and dangerous. FGSM is a well-established white-box attack method[8]. In FGSM, the loss function is increased by taking a step along the sign of the gradient of the loss function, the opposite of the direction taken in gradient descent. BIM is the iterative version of FGSM[9]. In FGSM, hyperparameters must be set manually. In addition, when the loss function is nonlinear, we do not know whether the loss will increase or decrease. BIM addresses these issues by dividing the FGSM attack into multiple steps in order to achieve better outcomes.

1.2 Black-Box Attack

Query-based attacks use inputs to learn gradient information about the model[14]; in practice, the effect of query-based attacks is satisfactory[15].

1.3 Transfer-Based Attack

DI2-FGSM[11] is a transfer-based attack that uses data transformation. It applies a combinatorial transformation to the data with probability p before generating an adversarial sample. Wu et al[16] further used adversarial transformations as new transformations to enhance transferability. As mentioned before, the ATA method[12] builds on the transferability of attention. Our work enhances ATA with sensitive features from different models.

2 Background

In this work, we destroy sensitive features to improve transferability. This section first discusses how we acquire sensitive features. In addition, we present our baselines, FGSM and BIM. Finally, we discuss the ATA method and several aspects that ATA overlooks.

2.1 Grad-CAM

Grad-CAM[13] can be described by formulas (1) and (2). As shown in formula (1), for a specified class c, we compute the partial derivative of class c with respect to each feature map k. We then apply global average pooling to obtain $\alpha_k^c$, which represents the importance of feature map k in judging class c. To visualize the result, we apply the ReLU activation function to the linear combination. ReLU filters out the pixels that have a negative impact on judging class c.

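$$\alpha_k^c = \underbrace{\frac{1}{Z}\sum_i \sum_j}_{\text{global average pooling}} \; \underbrace{\frac{\partial y^c}{\partial A_{ij}^k}}_{\text{gradients via backprop}} \tag{1}$$

$$L_{\text{Grad-CAM}}^c = \mathrm{ReLU}\underbrace{\left(\sum_k \alpha_k^c A^k\right)}_{\text{linear combination}} \tag{2}$$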
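The following sketch is an added example, not code from the paper. It evaluates formulas (1) and (2) with NumPy on small constructed arrays and then compares the highlighted regions of two hypothetical models, the kind of disagreement Fig. 1 illustrates. The relative threshold `keep`, the overlap measure and all array values are assumptions of the example.

```python
import numpy as np


def grad_cam(activations, gradients):
    """Grad-CAM map for one class c.

    activations: A^k, shape (K, H, W), the K feature maps of the chosen layer.
    gradients:   dy^c / dA^k_ij, same shape, obtained by backpropagation.
    Returns (cam, alpha), where alpha[k] is the weight of feature map k.
    """
    activations = np.asarray(activations, dtype=float)
    gradients = np.asarray(gradients, dtype=float)
    if activations.ndim != 3 or activations.shape != gradients.shape:
        raise ValueError("expected two arrays of identical shape (K, H, W)")
    # Formula (1): global average pooling of the gradients (1/Z * sum_i sum_j).
    alpha = gradients.mean(axis=(1, 2))
    # Formula (2): ReLU of the linear combination sum_k alpha_k * A^k.
    cam = np.maximum(np.tensordot(alpha, activations, axes=1), 0.0)
    return cam, alpha


def sensitive_mask(cam, keep=0.5):
    """Binary mask: 1 where cam >= keep * max(cam), else 0.

    The relative threshold `keep` is an assumption of this example.
    """
    peak = cam.max()
    if peak <= 0:  # ReLU removed everything: no region supports class c
        return np.zeros(cam.shape, dtype=np.uint8)
    return (cam >= keep * peak).astype(np.uint8)


def mask_iou(a, b):
    """Intersection over union of two binary masks (1.0 if both are empty)."""
    union = np.logical_or(a, b).sum()
    if union == 0:
        return 1.0
    return float(np.logical_and(a, b).sum() / union)


# Constructed 3x3 feature maps (K = 2), shared by both models for brevity.
ACTS = np.array([[[1, 2, 0], [0, 3, 1], [0, 0, 0]],
                 [[0, 1, 2], [1, 0, 2], [3, 1, 0]]], dtype=float)
# Constructed gradients for hypothetical model A: alpha = (0.5, -1.0).
GRADS_A = np.array([[[1, 0, 1], [0, 0.5, 0], [1, 0, 1]],
                    [[-2, 0, -2], [0, -1, 0], [-2, 0, -2]]], dtype=float)
# Constructed gradients for hypothetical model B: alpha = (1.0, 0.0).
GRADS_B = np.array([np.ones((3, 3)), np.zeros((3, 3))])

if __name__ == "__main__":
    cam_a, alpha_a = grad_cam(ACTS, GRADS_A)
    cam_b, alpha_b = grad_cam(ACTS, GRADS_B)
    mask_a, mask_b = sensitive_mask(cam_a), sensitive_mask(cam_b)
    print("alpha A:", alpha_a, "alpha B:", alpha_b)
    print("mask A:\n", mask_a, "\nmask B:\n", mask_b)
    print("overlap (IoU):", mask_iou(mask_a, mask_b))
```

A low overlap between two models' masks means they attend to different regions of the same image.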

2.2 FGSM

FGSM[8] is a classic white-box attack method based on the gradient. Conventionally, we move against the gradient in order to decrease the loss function. In FGSM, we instead move along the sign of the gradient with step ε so that the loss function increases. The greater ε is, the easier our adversarial examples are to detect. The method can be formulated as follows:

$$x^{adv} = x + \varepsilon \cdot \mathrm{sign}\left(\nabla_x J(\theta, x, y)\right) \tag{3}$$

where $x^{adv}$ represents the adversarial example, x is the original data, ε is the perturbation budget, θ stands for the network parameters and y is the label of the original data. sign() is the sign function, which returns the sign of the gradient.

2.3 BIM

In FGSM, we need to set ε manually, which may cause undesirable effects under non-linear conditions. BIM[9] was proposed to solve this problem. In BIM, we divide an FGSM step into multiple steps. In each step, we do what we did in FGSM: we attempt to increase the loss function starting from the previous iteration. The method can be formulated as follows:

$$X_0^{adv} = X, \quad X_{N+1}^{adv} = \mathrm{Clip}_{X,\epsilon}\left\{ X_N^{adv} + \alpha \, \mathrm{sign}\left(\nabla_x J(X_N^{adv}, y_{true})\right) \right\} \tag{4}$$

where $y_{true}$ is the true label of the original data, X is the original data, α is a perturbation budget which satisfies 0 < α < ϵ, and ϵ is also a perturbation budget.

2.4 ATA

ATA[12] is a black-box method with good transferability[19]. It is superior to C&W[10], JSMA (Jacobian-based Saliency Map Attack)[17], BIM[9], and TAP (Transferable Adversarial Perturbations)[18] in terms of transferability. It modifies the loss function to take the sensitive features into account. We use the L2 distance to denote the distance between two images: the greater the L2 distance, the more the two images differ. The new loss function is as follows:

$$J_{\text{Grad-CAM}}(x_n, x_{ori}) = l(f(x_n), t) + \lambda \left\| L_{\text{Grad-CAM}}^{y_{ori}}(x_n) - L_{\text{Grad-CAM}}^{y_{ori}}(x_{ori}) \right\|_2^2 \tag{5}$$

Then we can solve the following optimization problem:

$$\text{maximize} \; J_{\text{Grad-CAM}}(x_n, x_{ori}) \quad \text{subject to} \quad \left\| x_p - x \right\|_2 \le \varepsilon \tag{6}$$

As a black-box attack, ATA generates adversarial examples with outstanding transferability. ATA generates adversarial examples on ResNet V2, Inception V3, Inception V4 and a network with both Res and Inception blocks, respectively. The adversarial examples generated on the local model are then used to attack other models, for example using adversarial examples generated on ResNet V2 to attack Inception V3 and Inception V4, which also yields good results. ATA outperforms other excellent methods such as C&W[10] and TAP[18].

However, the ATA method does not account for sensitive features produced by other methods. In addition, ATA requires a massive number of calculations. We can apply this method to more realistic scenarios if we can devise a single step method to generate adversarial examples quickly with limited local computing power.

3 Generating Adversarial Examples Using Sensitive Features

We introduce three new methods in turn: a one-step attack based on the sensitive features of a single model, a one-step attack based on sensitive feature fusion, and a multi-step attack based on sensitive feature fusion. One-step attacks are more suitable when speed is crucial. Because there are times when adversarial examples are required as quickly as possible, such as during military operations, one-step attacks are also needed in real-world situations. When there is sufficient time to plan the attack, a multi-step attack is preferable. In general, a classifier f takes an input picture x and produces a probability vector indicating the most likely class of x. To build an adversarial example, we add a perturbation to the original picture x in order to deceive the classifier: when the new image $x_p$ is fed to classifier f, the classifier makes a wrong decision. Meanwhile, the distance between x and $x_p$ should not be too large, or $x_p$ is easy to detect. Formula (7) needs to be satisfied:

$$\min \left\| x - x_p \right\| \quad \text{and} \quad f(x + p) = c_{new} \neq c_{ori} \tag{7}$$

where $c_{new}$ is the new prediction for the adversarial example and $c_{ori}$ is the prediction for the original clean image.

So the key is to solve the following optimization problem:

$$f(x + p) = c_{new} \neq c_{ori} \quad \text{subject to} \quad \min \left\| x - x_p \right\| < \epsilon \tag{8}$$

3.1 One-Step Attack

First, we introduce the one-step attack based on the sensitive features of a single model. In the one-step attack, we send the original image into the network to acquire the sensitive features. We then keep only the sensitive region and send the result x' into the network again. We produce adversarial examples according to the new parameters of the network. Algorithm 1 describes the process of generating x'. The mask in the one-step attack has the same size as the input data. It contains 1 in the sensitive region and 0 elsewhere. We then compute the Hadamard product of the input image and the mask, which retains the sensitive features.

Algorithm 1 Generate x' using sensitive features of a single model
Input: x: original image, θ: parameters of the network
Output: x'
mask = grad_CAM(θ)
# Retain the sensitive section
x' = x * mask
return x'

The aforementioned method only takes into account sensitive features generated by one model. Then, we propose a one-step attack method that combines multiple sensitive features generated by various models. Algorithm 2 describes the process of generating x' using multiple sensitive features.

The α, β, γ are the probabilities of selecting pixels from three different sections. A probability equal to 1 denotes that we choose every pixel in the section. A probability equal to 0 denotes that no pixels are selected in the section. Clearly, if α, β, γ are too large, x' will be too similar to the original image x, as expressed in formula (9).

Algorithm 2 Generate x' using multiple sensitive features generated by various models
Input: x: original image, θ1: parameters of network 1, θ2: parameters of network 2, θ3: parameters of network 3
Output: x'
mask1= grad_CAM( θ1) 
mask2= grad_CAM( θ2) 
mask3= grad_CAM( θ3) 
# Reserving sensitive section
x'= x *(α*(mask1 mask2mask3)β*(mask2,3mask1,3mask1,2) γ*(mask1only mask2onlymask3only)
return x'

$$\lim_{\alpha, \beta, \gamma \to 1} x' = x \tag{9}$$

After generating x', we feed it into the neural network again. The attack is based on the new neural network parameters. The concept of the attack is comparable to that of FGSM, which moves in the direction opposite to gradient descent. Formula (10) is the method of attack.

$$x_p = x + \varepsilon \cdot \mathrm{sign}\left(\nabla_x J(x, y)\right) \tag{10}$$

3.2 Multi-Step Attack

In the multi-step attack, we modify the loss function by factoring in the sensitive features generated by different models. The objective of the new loss function is to destroy sensitive features based on the focus of the three models.

$$J_{\text{Grad-CAM}}(x_n, x_{ori}) = l(f(x_n), t) + \alpha \left\| L_{\theta_1}^{y_{ori}}(x_n) - L_{\theta_1}^{y_{ori}}(x_{ori}) \right\|_2^2 + \beta \left\| L_{\theta_2}^{y_{ori}}(x_n) - L_{\theta_2}^{y_{ori}}(x_{ori}) \right\|_2^2 + \gamma \left\| L_{\theta_3}^{y_{ori}}(x_n) - L_{\theta_3}^{y_{ori}}(x_{ori}) \right\|_2^2 \tag{11}$$

The weights α, β, γ let us decide which sensitive features should receive more attention.

BIM can be utilized to address the optimization issue. We increase the loss function with each iteration in order to destroy the sensitive features and deceive the classifier. BIM can be regarded as a multi-step version of FGSM. Algorithm 3 is our multi-step method. Figure 2 shows the flowchart of this method.

Fig. 2 The process of the multi-attack based on feature fusion

Algorithm 3 Multi-step attack
Input: x: original image, θ1: parameters of network 1, θ2: parameters of network 2, θ3: parameters of network 3, ϵ: budget
Output: x_p
ϵ' = ϵ / iter
x_0 = x
for k = 0 to iter-1 do
    x_{k+1} = clip_{x,ϵ}{ x_k + ϵ' · sign(∂J_Grad-CAM(x_k, x, θ1, θ2, θ3) / ∂x) }
end for
return x_p = x_iter

4 Experiment

Experimentally, we demonstrate that adversarial examples generated by our method are more transferable. Meanwhile, the differences between the adversarial examples and the original images under our method remain comparable to those of other methods.

4.1 Setup

Dataset: We use CIFAR-10[19] and MNIST[20] as our datasets. CIFAR-10 includes 60 000 images with a resolution of 32×32×3 in ten categories. The training set consists of 50 000 items and the test set of 10 000 items. MNIST also includes 60 000 images, but with a resolution of 28×28×1. The training set consists of 50 000 items and the test set of 10 000 items.

Models: As local and attacked models, we selected VGG19[21], ResNet-50[22], Inception[23], SENet[24], FcaNet[25] and a transformer-based model, SimpleViT[26]. These models include both the most traditional models and the most advanced models, such as SENet and FcaNet. The choice of these models as attacked and local models is highly relevant: if our adversarial examples exhibit good transferability across these models, good transferability is also likely in a realistic black-box setting. All of these models are trained with the Adam optimizer with a learning rate of 0.001.

Baseline: In one-step attacks, FGSM is used as the baseline. In multi-step attacks, BIM and ATA serve as baselines. Our main goal is to design a more transferable method in order to achieve better results in black-box settings. Szegedy et al[8] discovered that adversarial examples are transferable. Although white-box attacks like FGSM are not designed for black-box settings, the adversarial examples they produce can work in black-box settings with limited effect. Therefore, we also choose FGSM as a baseline to show how effective our design is.

Metrics: We use the accuracy of the model to evaluate the effectiveness of our attack. The lower this metric, the more successful the attack. We skip the data originally misclassified by the model to make sure that no other factors lead to wrong outputs. To evaluate the size of the perturbation, we use the L2 distance between the original images and the adversarial examples. The L2 distance is given by formula (12), where x is the clean image and y is the adversarial example. A larger distance represents a larger adversarial perturbation.

$$\left\| x, y \right\|_2 = \sqrt{\sum_{i}^{n} (x_i - y_i)^2} \tag{12}$$
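The measurement protocol described under Metrics can be written as a small evaluation routine. This is an added example, not the authors' code: the linear scorer `W`, the function names and the five clean/perturbed sample pairs are constructed stand-ins for a trained model and a test set. It shows how skipping originally misclassified samples changes the reported accuracy compared with a naive count.

```python
import numpy as np

# Constructed stand-in for a trained model: a fixed linear 2-class scorer
# over 4-"pixel" inputs (class 0 = pixels 0 and 2, class 1 = pixels 1 and 3).
W = np.array([[1.0, 0.0, 1.0, 0.0],
              [0.0, 1.0, 0.0, 1.0]])


def predict(batch):
    """Predicted class index for each row of `batch`."""
    return np.argmax(np.asarray(batch, dtype=float) @ W.T, axis=1)


def l2_distance(x, y):
    """Formula (12): L2 distance between a clean image x and a perturbed y."""
    diff = np.asarray(x, dtype=float) - np.asarray(y, dtype=float)
    return float(np.sqrt(np.sum(diff ** 2)))


def robustness_report(predict_fn, clean, perturbed, labels):
    """Accuracy under perturbation, following the paper's protocol.

    Samples the model already misclassifies when clean are skipped, so a
    wrong answer on a kept sample is attributable to the perturbation.
    """
    clean = np.asarray(clean, dtype=float)
    perturbed = np.asarray(perturbed, dtype=float)
    labels = np.asarray(labels)
    clean_ok = predict_fn(clean) == labels
    kept = int(clean_ok.sum())
    if kept == 0:
        raise ValueError("model misclassifies every clean sample")
    adv_ok = predict_fn(perturbed) == labels
    dists = [l2_distance(c, p)
             for c, p in zip(clean[clean_ok], perturbed[clean_ok])]
    return {
        "kept": kept,
        "accuracy_pct": 100.0 * int((adv_ok & clean_ok).sum()) / kept,
        # For contrast only: counts the originally misclassified sample too.
        "naive_accuracy_pct": 100.0 * int(adv_ok.sum()) / len(labels),
        "mean_l2": float(np.mean(dists)),
    }


# Constructed evaluation set: sample 3 is misclassified even when clean.
CLEAN = np.array([[0.90, 0.10, 0.80, 0.20],
                  [0.20, 0.70, 0.10, 0.90],
                  [0.55, 0.45, 0.50, 0.50],
                  [0.40, 0.60, 0.50, 0.45],
                  [0.30, 0.50, 0.40, 0.35]])
LABELS = np.array([0, 1, 0, 0, 1])
# Constructed perturbed copies: every pixel moved by 0.1.
PERTURBED = np.array([[0.80, 0.20, 0.70, 0.30],
                      [0.30, 0.60, 0.20, 0.80],
                      [0.45, 0.55, 0.40, 0.60],
                      [0.30, 0.70, 0.40, 0.55],
                      [0.40, 0.40, 0.50, 0.25]])

if __name__ == "__main__":
    print(robustness_report(predict, CLEAN, PERTURBED, LABELS))
```

On this constructed data the protocol reports 50% accuracy over the 4 kept samples, while the naive count over all 5 gives 40%.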

4.2 The Effectiveness of One-Step Attack

Tables 1 and 2 show the transferability of a one-step attack with the sensitive features of the local model. Clearly, our method outperforms FGSM by 3%-8%. We tested it with hyperparameters of 0.1, 0.05, and 0.01, respectively. The local model is given in the first column. "Ours" denotes the method we propose, while "plain" denotes the accuracy of the attacked models when they are not attacked.

Next, we discuss transferability under various feature maps. We apply the feature maps generated by various models to the same local network and find that transferability differs. In Table 3, the items with the highest transferability are highlighted in bold. We initially hypothesized that attack performance might vary with the structure and performance of the local network, so we introduced the new FcaNet, whose performance on the ImageNet and CIFAR-10 datasets was the best in this experiment. The FcaNet-generated feature maps did not improve our performance. More specifically, no single network's feature maps achieved the best transferability. Consequently, the experiment demonstrates the necessity of feature fusion. In Table 3, the hyperparameter (perturbation budget) ε is set to 0.1.

The experiments for the one-step feature-fusion-based attack mentioned in Section 3.2 are displayed in Tables 4 and 5. We obtain the data for the experiments involving multiple feature fusion by averaging over five runs, because the parameter settings may lead to fluctuations in the experimental results. In terms of transferability, Tables 4 and 5 demonstrate that our new feature fusion method is significantly superior to the FGSM method and improves to some degree over single features. A few cases exhibit transferability similar to the single-feature case.

Table 1

Transferability of one-step attack with ResNet-50's sensitive features (unit:%)

Table 2

Transferability of one-step attack with Inception's sensitive features (unit:%)

Table 3

The effect of different network sensitive feature maps on transferability (unit:%)

Table 4

The effect of feature fusion on transferability with ε = 0.1 (unit:%)

Table 5

The effect of different network sensitive feature maps on transferability with ε = 0.05 (unit:%)

4.3 The Effectiveness of Multi-Step Attack

The experimental results of multi-step attacks based on feature fusion are presented in Tables 6 and 7. The ATA method performs better than the BIM method, and our method performs even better than ATA, which demonstrates an increase in the transferability of the adversarial examples we generate. The perturbation budget adopted here is 0.01. When the perturbation is too large, the distance between the adversarial example and the original image becomes too great. Table 6 shows the results on the CIFAR-10 dataset, where the transferability of our method is consistently better than that of ATA. Table 7 shows the results on the MNIST dataset. All the models perform very well on MNIST, so we increase the perturbation budget to 0.2 to strengthen the effect of the attack.

The attacked models also include a transformer-based model, ViT (Vision Transformer). Table 8 addresses the invisibility of the adversarial examples. Invisibility means that adversarial examples should not be discernible to the human eye. If a human can notice the difference between the original picture and the adversarial example, the attack will be detected. The L2 distance can be used to measure the distance between the original image and the adversarial example. A greater distance indicates a larger perturbation, and a larger perturbation means the adversarial example is more easily detected. The distance for our method is approximately equal to the distance between the FGSM example and the original image. This shows that our method performs similarly to other methods in terms of concealment. In fact, if the perturbation budget ε is set to 0.01, the distance between the final adversarial example and the original image is not far from that of FGSM.

Table 6

The effect of multi-step attack on transferability of CIFAR-10 (unit:%)

Table 7

The effect of multi-step attack on transferability of MNIST (unit:%)

Table 8

The distance of different methods with ε = 0.01

5 Conclusion

Based on the fact that Grad-CAM is effective at extracting sensitive features from a network and that the sensitive features extracted by different models are largely similar, this paper first proposes a one-step attack method against sensitive features. Because the one-step attack against sensitive features only considers the feature maps generated by the local model, a more transferable one-step attack is proposed by fusing the feature maps generated by various deep learning models. It is also demonstrated to be more transferable than FGSM and is guaranteed to be just as effective. This paper also finds that the ATA multi-step attack closely resembles the ideas presented in this paper, but ATA does not fuse multiple features. Therefore, we propose a multi-step attack method that combines multiple features. Experimentally, its adversarial examples are more transferable than those generated by ATA by 1%-3%.

References

  1. He Y, Zhao N, Yin H X. Integrated networking, caching, and computing for connected vehicles: A deep reinforcement learning approach[J]. IEEE Transactions on Vehicular Technology, 2018, 67(1): 44-55.
  2. Zhao D B, Chen Y R, Lv L. Deep reinforcement learning with visual attention for vehicle classification[J]. IEEE Transactions on Cognitive and Developmental Systems, 2017, 9(4): 356-367.
  3. Wang X, Yang W, Weinreb J, et al. Searching for prostate cancer by fully automated magnetic resonance imaging classification: deep learning versus non-deep learning[J]. Scientific Reports, 2017, 7(1): 15415.
  4. Xiong H Y, Alipanahi B, Lee L J, et al. The human splicing code reveals new insights into the genetic determinants of disease[J]. Science, 2015, 347(6218): 1254806.
  5. Ching T, Himmelstein D S, Beaulieu-Jones B K, et al. Opportunities and obstacles for deep learning in biology and medicine[J]. Journal of the Royal Society Interface, 2018, 15(141): 20170387.
  6. Branson K. A deep (learning) dive into a cell[J]. Nature Methods, 2018, 15(4): 253-254.
  7. Deng Y, Bao F, Kong Y Y, et al. Deep direct reinforcement learning for financial signal representation and trading[J]. IEEE Transactions on Neural Networks and Learning Systems, 2017, 28(3): 653-664.
  8. Szegedy C, Zaremba W, Sutskever I, et al. Intriguing properties of neural networks[EB/OL]. [2021-12-06]. http://www.arXiv:1312.6199.
  9. Kurakin A, Goodfellow I J, Bengio S. Adversarial examples in the physical world[EB/OL]. [2022-02-15]. http://www.arXiv:1607.02533.
  10. Carlini N, Wagner D. Towards evaluating the robustness of neural networks[C]//2017 IEEE Symposium on Security and Privacy (SP). Washington D C: IEEE, 2017: 39-57.
  11. Xie C H, Zhang Z S, Zhou Y Y, et al. Improving transferability of adversarial examples with input diversity[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Washington D C: IEEE, 2019: 2725-2734.
  12. Wu W B, Su Y X, Chen X X, et al. Boosting the transferability of adversarial samples via attention[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Washington D C: IEEE, 2020: 1158-1167.
  13. Selvaraju R R, Cogswell M, Das A, et al. Grad-CAM: Visual explanations from deep networks via gradient-based localization[C]//Proceedings of the IEEE International Conference on Computer Vision. Washington D C: IEEE, 2017: 618-626.
  14. Guo C, Gardner J R, You Y R, et al. Simple black-box adversarial attacks[EB/OL]. [2019-05-17]. https://doi.org/10.48550/arXiv.1905.07121.
  15. Dong Y P, Pang T Y, Su H, et al. Evading defenses to transferable adversarial examples by translation-invariant attacks[C]//The IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Washington D C: IEEE, 2019: 4307-4316.
  16. Wu W B, Su Y X, Lyu M R, et al. Improving the transferability of adversarial samples with adversarial transformations[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Washington D C: IEEE, 2021: 9020-9029.
  17. Papernot N, McDaniel P, Jha S, et al. The limitations of deep learning in adversarial settings[C]//2016 IEEE European Symposium on Security and Privacy (EuroS&P). Washington D C: IEEE, 2016: 372-387.
  18. Zhou W, Hou X, Chen Y, et al. Transferable adversarial perturbations[C]//Proceedings of the European Conference on Computer Vision (ECCV). Washington D C: IEEE, 2018: 452-467.
  19. Krizhevsky A. Learning Multiple Layers of Features from Tiny Images[D]. Toronto: University of Toronto, 2009.
  20. LeCun Y, Bottou L, Bengio Y, et al. Gradient-based learning applied to document recognition[J]. Proceedings of the IEEE, 1998, 86(11): 2278-2324.
  21. Simonyan K, Zisserman A. Very deep convolutional networks for large-scale image recognition[EB/OL]. [2022-09-15]. http://www.arXiv:1409.1556.
  22. He K M, Zhang X Y, Ren S Q, et al. Deep residual learning for image recognition[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. Washington D C: IEEE, 2016: 770-778.
  23. Szegedy C, Vanhoucke V, Ioffe S, et al. Rethinking the inception architecture for computer vision[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. Washington D C: IEEE, 2016: 2818-2826.
  24. Hu J, Shen L, Sun G. Squeeze-and-excitation networks[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. Washington D C: IEEE, 2018: 7132-7141.
  25. Qin Z Q, Zhang P Y, Wu F, et al. FCAnet: Frequency channel attention networks[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision. Washington D C: IEEE, 2021: 763-772.
  26. Beyer L, Zhai X, Kolesnikov A. Better plain ViT baselines for ImageNet-1k[EB/OL]. [2021-12-05]. http://www.arXiv:2205.01580, 2022.
