APDL: an adaptive step size method for white-box adversarial attacks

Bibliographic Details
Main Authors: Jiale Hu, Xiang Li, Changzheng Liu, Ronghua Zhang, Junwei Tang, Yi Sun, Yuedong Wang
Format: Article
Language: English
Published: Springer 2025-01-01
Series: Complex & Intelligent Systems
Online Access: https://doi.org/10.1007/s40747-024-01748-x
Description
Summary: Recent research has shown that deep learning models are vulnerable to adversarial attacks, including gradient attacks, which can lead to incorrect outputs. The existing gradient attack methods typically rely on repetitive multistep strategies to improve their attack success rates, resulting in longer training times and severe overfitting. To address these issues, we propose an adaptive perturbation-based gradient attack method with dual-loss optimization (APDL). This method adaptively adjusts the single-step perturbation magnitude based on an exponential distance function, thereby accelerating the convergence process. APDL achieves convergence in fewer than 10 iterations, outperforming the traditional nonadaptive methods and achieving a high attack success rate with fewer iterations. Furthermore, to increase the transferability of gradient attacks such as APDL across different models and reduce the effects of overfitting on the training model, we introduce a triple-differential logit fusion (TDLF) method grounded in knowledge distillation principles. This approach mitigates the edge effects associated with gradient attacks by adjusting the hardness and softness of labels. Experiments conducted on ImageNet-compatible datasets demonstrate that APDL is significantly faster than the commonly used nonadaptive methods, whereas the TDLF method exhibits strong transferability.
ISSN: 2199-4536, 2198-6053