An Adversarial Attack via Penalty Method
Deep learning systems have achieved significant success across various machine learning tasks. However, they are highly vulnerable to attacks. For example, adversarial examples can fool deep learning systems easily by perturbing inputs with small, imperceptible noises. There has been extensive resea...
Main Authors: | Jiyuan Sun, Haibo Yu, Jianjun Zhao |
---|---|
Format: | Article |
Language: | English |
Published: | IEEE, 2025-01-01 |
Series: | IEEE Access |
Subjects: | Adversarial attack; adversarial example; deep neural network; penalty method |
Online Access: | https://ieeexplore.ieee.org/document/10839396/ |
_version_ | 1832576760422596608 |
---|---|
author | Jiyuan Sun, Haibo Yu, Jianjun Zhao |
author_facet | Jiyuan Sun, Haibo Yu, Jianjun Zhao |
author_sort | Jiyuan Sun |
collection | DOAJ |
description | Deep learning systems have achieved significant success across various machine learning tasks. However, they are highly vulnerable to attacks. For example, adversarial examples can fool deep learning systems easily by perturbing inputs with small, imperceptible noise. There has been extensive research on generating and defending against adversarial examples in computer vision tasks, and existing optimization-based attack methods fall into two categories: maximizing the loss and minimizing the perturbation size. To solve the optimization problem for generating adversarial examples, the latter approach incorporates a misclassification constraint into the objective using a Lagrange multiplier or penalty parameter, usually determined by binary search. However, this is relatively inefficient because the parameter varies for each input. To address this inefficiency, we propose PenaltyAttack, which builds on the penalty method, also called the sequential unconstrained minimization technique. Unlike traditional methods, it generates white-box $\ell_2$ and $\ell_1$ adversarial examples by progressively increasing the penalty parameter instead of employing binary search. Extensive experiments on three test benches (MNIST, CIFAR10, and ImageNet) demonstrate that, compared with existing methods, our attack can generate adversarial examples with smaller perturbations at a higher success rate. The implementation and experimental code are publicly available at https://github.com/sjysjy1/PenaltyMethodAttack (a schematic sketch of the penalty-method idea is given after the metadata fields below). |
format | Article |
id | doaj-art-675c57cfca8040059351f32b0d490d81 |
institution | Kabale University |
issn | 2169-3536 |
language | English |
publishDate | 2025-01-01 |
publisher | IEEE |
record_format | Article |
series | IEEE Access |
spelling | Record ID: doaj-art-675c57cfca8040059351f32b0d490d81 (updated 2025-01-31T00:00:50Z). Language: English. Publisher: IEEE. Series: IEEE Access (ISSN 2169-3536). Published: 2025-01-01, vol. 13, pp. 18123-18140. DOI: 10.1109/ACCESS.2025.3529217 (IEEE document 10839396). Title: An Adversarial Attack via Penalty Method. Authors: Jiyuan Sun (https://orcid.org/0009-0002-6899-9124; Graduate School of Information Science and Electrical Engineering, Kyushu University, Fukuoka, Japan), Haibo Yu (https://orcid.org/0009-0007-8997-9436; Department of Information Science, Faculty of Science and Engineering, Kyushu Sangyo University, Fukuoka, Japan), Jianjun Zhao (Faculty of Information Science and Electrical Engineering, Kyushu University, Fukuoka, Japan). Abstract: as in the description field above. Online access: https://ieeexplore.ieee.org/document/10839396/. Subjects: Adversarial attack; adversarial example; deep neural network; penalty method. |
spellingShingle | Jiyuan Sun Haibo Yu Jianjun Zhao An Adversarial Attack via Penalty Method IEEE Access Adversarial attack adversarial example deep neural network penalty method |
title | An Adversarial Attack via Penalty Method |
title_full | An Adversarial Attack via Penalty Method |
title_fullStr | An Adversarial Attack via Penalty Method |
title_full_unstemmed | An Adversarial Attack via Penalty Method |
title_short | An Adversarial Attack via Penalty Method |
title_sort | adversarial attack via penalty method |
topic | Adversarial attack; adversarial example; deep neural network; penalty method |
url | https://ieeexplore.ieee.org/document/10839396/ |
work_keys_str_mv | AT jiyuansun anadversarialattackviapenaltymethod AT haiboyu anadversarialattackviapenaltymethod AT jianjunzhao anadversarialattackviapenaltymethod AT jiyuansun adversarialattackviapenaltymethod AT haiboyu adversarialattackviapenaltymethod AT jianjunzhao adversarialattackviapenaltymethod |
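The description field above outlines the penalty-method formulation only in prose. Below is a minimal, hypothetical PyTorch sketch of that general idea (minimizing the perturbation size plus a penalized misclassification term while progressively increasing the penalty parameter rather than binary-searching it). The function name `penalty_attack_l2`, the hinge-style penalty, and all hyperparameters are illustrative assumptions, not the authors' PenaltyAttack implementation; see the linked repository for the published code.

```python
# Minimal sketch of an untargeted l2 penalty-method attack, assuming a
# PyTorch classifier `model`, images `x` scaled to [0, 1], and integer
# class labels `label`. All names and hyperparameters are illustrative.
import torch
import torch.nn.functional as F


def penalty_attack_l2(model, x, label, mu0=1e-2, mu_growth=10.0,
                      n_outer=5, n_inner=100, lr=1e-2):
    """Minimize ||delta||_2^2 + mu * hinge(logits), progressively
    increasing the penalty parameter mu instead of binary-searching it."""
    for p in model.parameters():          # only the perturbation is optimized
        p.requires_grad_(False)
    x = x.detach()
    delta = torch.zeros_like(x, requires_grad=True)
    best = x.clone()                      # fall back to the clean input on failure
    best_norm = torch.full((x.shape[0],), float("inf"), device=x.device)
    mu = mu0

    for _ in range(n_outer):              # outer loop: grow the penalty
        opt = torch.optim.Adam([delta], lr=lr)
        for _ in range(n_inner):          # inner loop: unconstrained subproblem
            adv = (x + delta).clamp(0.0, 1.0)
            logits = model(adv)
            onehot = F.one_hot(label, logits.shape[1]).bool()
            true_logit = logits[onehot]
            other_max = logits.masked_fill(onehot, float("-inf")).max(dim=1).values
            # Hinge penalty: positive while the true class still wins,
            # zero once the input is misclassified.
            penalty = (true_logit - other_max).clamp(min=0.0)
            loss = (delta.flatten(1).norm(p=2, dim=1) ** 2 + mu * penalty).sum()
            opt.zero_grad()
            loss.backward()
            opt.step()
        with torch.no_grad():             # keep the smallest successful perturbation
            adv = (x + delta).clamp(0.0, 1.0)
            success = model(adv).argmax(dim=1) != label
            norm = (adv - x).flatten(1).norm(p=2, dim=1)
            improved = success & (norm < best_norm)
            best[improved] = adv[improved]
            best_norm[improved] = norm[improved]
        mu *= mu_growth                   # sequential unconstrained minimization
    return best
```

Under these assumptions, a single call such as `penalty_attack_l2(model, images, labels)` solves one sequence of unconstrained problems per batch, whereas binary-search-based attacks in the minimum-perturbation family (e.g. C&W) re-solve the inner problem for several candidate penalty values per input, which is the inefficiency the abstract refers to.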