Abstract
Deep neural networks (DNNs) are vulnerable to adversarial examples, which are similar to the original samples but contain perturbations intentionally crafted by adversaries. Many efficient and typical attacks are based on the fast gradient sign method and usually attack models by adding a perturbation of invariant magnitude to the DNN input in each iteration. Some studies report that the loss surface demonstrates significant non-smooth variation in the input space. An invariant perturbation size may not be conducive to finding adversarial examples quickly across iterations. In this work, we propose the adaptive moment iterative fast gradient sign method (Adam-FGSM), a new iterative white-box attack. Using moment estimations of the gradients, Adam-FGSM follows stable perturbation directions given by the first-order moment estimation and adaptively computes the perturbation size from the second-order moment estimations. The experimental results show that Adam-FGSM could adapt to the rugged input loss space to generate adversarial examples with a higher attack success rate and acceptable transferability in fewer iterations. We analyze the attack process of Adam-FGSM to explain why it can achieve outstanding performance by visualizing the \(L_1\) and \(L_{\infty }\) norms and the cosine similarity of the perturbations. Furthermore, we plot the trajectories of iterative attack methods to observe their geometric characteristics intuitively.
Acknowledgements
This work was supported by the Research Foundation of Yunnan Province No.202002AD08001, 202001BB050043, 2019FA044, National Natural Science Foundation of China under Grants No.62162065, Provincial Foundation for Leaders of Disciplines in Science and Technology No.2019HB121, in part by the Postgraduate Research and Innovation Foundation of Yunnan University (No.2021Y281, No.2021Z078), and in part by the Postgraduate Practice and Innovation Foundation of Yunnan University (No.2021Y179, No.2021Y171). We wish to thank Hoki Kim, the author of the adversarial attacks toolkit torchattacks, for answers to my questions about the code implementation of adversarial attacks.
Cite this article
Zhang, J., Qian, W., Nie, R. et al. Generate adversarial examples by adaptive moment iterative fast gradient sign method. Appl Intell 53, 1101–1114 (2023). https://doi.org/10.1007/s10489-022-03437-z
DOI: https://doi.org/10.1007/s10489-022-03437-z