An Adversarial Attack Method in Gray-Box Setting Oriented to Defenses Based on Image Preprocessing

  • Yuxin Gong
  • Shen WangEmail author
  • Xunzhi Jiang
  • Dechen Zhan
Conference paper
Part of the Smart Innovation, Systems and Technologies book series (SIST, volume 156)


Recently, many studies have proposed adversarial defenses of image preprocessing based on gradient masking to deal with the threats of adversarial examples in deep learning models. These defenses have been broken through in white-box threat models, where attackers have full knowledge of target models. However, they have not been proved to be invalid in gray-box threat models, where attackers only partially know about target models. In this paper, by integrating stochastic initial perturbations into momentum iterative attack, we propose SMIM which is an efficient adversarial attack method. Based on this, BPDA attack framework is applied to the attack in the gray-box setting. Experiments show that this method can generate adversarial examples with strong attack ability and transferability on seemingly non-differentiable defensive models, thereby evading defenses with only partial knowledge of target models.


Gradient masking Adversarial example Deep learning Gray-box setting 


  1. 1.
    Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples. arXiv:1802.00420 (2018)
  2. 2.
    Akhtar, N., Mian, A.: Threat of adversarial attacks on deep learning in computer vision: a survey. IEEE Access 6, 14410–14430 (2018)CrossRefGoogle Scholar
  3. 3.
    Guo, C., Rana, M., Cisse, M., van der Maaten, L.: Countering adversarial images using input transformations. arXiv:1711.00117 (2017)
  4. 4.
    Shaham, U., Garritano, J., Yamada, Y., Weinberger, E., Cloninger, A., Cheng, X., Stanton, K., Kluger, Y.: Defending against adversarial images using basis functions transformations. arXiv:1803.10840 (2018)
  5. 5.
    Chen, C.-M., Wang, K.-H., Wu, T.-Y., Wang, E.K.: On the security of a three-party authenticated key agreement protocol based on chaotic maps. Data Sci. Pattern Recognit. 1(2), 1–10 (2017)Google Scholar
  6. 6.
    Dong, Y., Liao, F., Pang, T., Su, H., Zhu, J., Hu, X., Li, J.: Boosting adversarial attacks with momentum. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 9185–9193 (2018)Google Scholar
  7. 7.
    Chen, C.-M., Linlin, X., Tsu-Yang, W., Li, C.-R.: On the security of a chaotic maps-based three-party authenticated key agreement protocol. J. Netw. Intell. 1(2), 61–65 (2016)Google Scholar
  8. 8.
    Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., Fergus, R.: Intriguing properties of neural networks. arXiv:1312.6199 (2013)
  9. 9.
    Kurakin, A., Goodfellow, I., Bengio, S.: Adversarial examples in the physical world. arXiv:1607.02533 (2016)
  10. 10.
    Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. arXiv:1412.6572 (2014)
  11. 11.
    Xu, W., Evans, D., Qi, Y.: Feature squeezing: detecting adversarial examples in deep neural networks. arXiv:1704.01155 (2017)

Copyright information

© Springer Nature Singapore Pte Ltd. 2020

Authors and Affiliations

  • Yuxin Gong
    • 1
  • Shen Wang
    • 1
    Email author
  • Xunzhi Jiang
    • 1
  • Dechen Zhan
    • 1
  1. 1.Department of Computer Science and TechnologyHarbin Institute of TechnologyHarbinChina

Personalised recommendations