An Adversarial Attack via Penalty Method

Bibliographic Details
Main Authors: Jiyuan Sun, Haibo Yu, Jianjun Zhao
Format: Article
Language: English
Published: IEEE, 2025-01-01
Series: IEEE Access
Subjects: Adversarial attack; adversarial example; deep neural network; penalty method
Online Access: https://ieeexplore.ieee.org/document/10839396/
author Jiyuan Sun
Haibo Yu
Jianjun Zhao
collection DOAJ
description Deep learning systems have achieved significant success across a wide range of machine learning tasks, yet they are highly vulnerable to attack: adversarial examples can fool deep learning systems by perturbing inputs with small, imperceptible noise. There has been extensive research on generating and defending against adversarial examples in computer vision tasks, and existing optimization-based attack methods fall into two categories: maximizing the loss and minimizing the perturbation size. To solve the optimization problem for generating adversarial examples, the latter approach incorporates a misclassification constraint into the objective via a Lagrange multiplier or penalty parameter, usually determined by binary search. This is relatively inefficient because the parameter varies for each input. To address this inefficiency, we propose PenaltyAttack, which builds on the penalty method, also called the sequential unconstrained minimization technique. Unlike traditional methods, it generates white-box $\ell_2$ and $\ell_1$ adversarial examples by progressively increasing the penalty parameter instead of relying on binary search. Extensive experiments on three benchmarks (MNIST, CIFAR10, and ImageNet) demonstrate that, compared with existing methods, our attack generates adversarial examples with smaller perturbations at a higher success rate. The implementation and experimental code are publicly available at https://github.com/sjysjy1/PenaltyMethodAttack
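To make the idea in the abstract concrete, the following is a minimal sketch of a penalty-method $\ell_2$ attack on a single input. It is not the authors' PenaltyAttack implementation: it assumes a PyTorch classifier, a C&W-style hinge penalty standing in for the misclassification constraint, and a simple geometric schedule that multiplies the penalty parameter by a fixed factor each outer round; all function and parameter names below are hypothetical.

```python
# Sketch of a penalty-method (SUMT-style) l2 attack, single example, untargeted.
# Assumptions: PyTorch model, inputs in [0, 1], hinge-style misclassification
# penalty, penalty parameter c increased geometrically instead of binary-searched.
import torch
import torch.nn as nn


def penalty_method_l2_attack(model, x, y, c0=0.01, rho=10.0, outer_steps=5,
                             inner_steps=100, lr=0.01, margin=0.0):
    """Minimize ||delta||_2^2 + c * hinge(logits) for one input (batch size 1),
    warm-starting each outer round and multiplying c by rho between rounds."""
    model.eval()
    delta = torch.zeros_like(x, requires_grad=True)
    c = c0
    best_adv, best_norm = None, float("inf")
    for _ in range(outer_steps):
        opt = torch.optim.Adam([delta], lr=lr)
        for _ in range(inner_steps):
            adv = (x + delta).clamp(0.0, 1.0)       # keep pixels in valid range
            logits = model(adv)
            true_logit = logits.gather(1, y.view(-1, 1)).squeeze(1)
            other = logits.clone()
            other.scatter_(1, y.view(-1, 1), float("-inf"))
            best_other = other.max(dim=1).values
            # Hinge penalty: positive only while the true class still wins.
            misclass = torch.clamp(true_logit - best_other + margin, min=0.0)
            loss = (delta.flatten(1).norm(p=2, dim=1) ** 2 + c * misclass).sum()
            opt.zero_grad()
            loss.backward()
            opt.step()
        with torch.no_grad():
            adv = (x + delta).clamp(0.0, 1.0)
            if model(adv).argmax(dim=1).item() != y.item():
                norm = (adv - x).norm().item()
                if norm < best_norm:
                    best_adv, best_norm = adv.clone(), norm
        c *= rho                                    # progressively increase the penalty
    return best_adv                                 # None if no round misclassified


if __name__ == "__main__":
    # Toy demo on random data with an untrained linear classifier (purely illustrative).
    torch.manual_seed(0)
    model = nn.Sequential(nn.Flatten(), nn.Linear(3 * 32 * 32, 10))
    x = torch.rand(1, 3, 32, 32)
    y = model(x).argmax(dim=1)   # treat the current prediction as the "true" label
    adv = penalty_method_l2_attack(model, x, y)
    if adv is not None:
        print("l2 perturbation:", (adv - x).norm().item())
```

Each outer round warm-starts from the previous perturbation, which is the defining trait of the sequential unconstrained minimization technique; an $\ell_1$ variant would swap the squared $\ell_2$ term for an $\ell_1$ norm, typically handled with a proximal or soft-thresholding step.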
format Article
id doaj-art-675c57cfca8040059351f32b0d490d81
institution Kabale University
issn 2169-3536
language English
publishDate 2025-01-01
publisher IEEE
record_format Article
series IEEE Access
spelling doaj-art-675c57cfca8040059351f32b0d490d81 | 2025-01-31T00:00:50Z | eng | IEEE | IEEE Access | 2169-3536 | 2025-01-01 | Vol. 13, pp. 18123-18140 | DOI 10.1109/ACCESS.2025.3529217 | IEEE Xplore document 10839396
An Adversarial Attack via Penalty Method
Jiyuan Sun (https://orcid.org/0009-0002-6899-9124), Graduate School of Information Science and Electrical Engineering, Kyushu University, Fukuoka, Japan
Haibo Yu (https://orcid.org/0009-0007-8997-9436), Department of Information Science, Faculty of Science and Engineering, Kyushu Sangyo University, Fukuoka, Japan
Jianjun Zhao, Faculty of Information Science and Electrical Engineering, Kyushu University, Fukuoka, Japan
Abstract: as in the description field above.
https://ieeexplore.ieee.org/document/10839396/
Topics: Adversarial attack; adversarial example; deep neural network; penalty method
title An Adversarial Attack via Penalty Method
topic Adversarial attack
adversarial example
deep neural network
penalty method
url https://ieeexplore.ieee.org/document/10839396/