Abstract: Deep neural networks (DNNs) are easily fooled by adversarial examples and consequently produce wrong outputs. Traditional methods generate adversarial examples from an optimization perspective. In this paper, a method for generating adversarial examples based on a generative adversarial network (GAN) is proposed, and the GAN is exploited for targeted attacks in the white-box setting. A trained generator produces adversarial perturbations, which are added to clean inputs to form adversarial examples. Four kinds of loss functions are employed to constrain the quality of the adversarial examples and to improve the attack success rate. The effectiveness of the proposed method is verified through extensive experiments on the MNIST, CIFAR-10 and ImageNet datasets, on which the proposed method achieves higher attack success rates.
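The abstract describes an AdvGAN-style pipeline: a generator produces perturbations, a discriminator constrains how natural the perturbed images look, and the white-box target classifier supplies the attack signal. The sketch below illustrates one plausible training step under those assumptions; the placeholder Generator/Discriminator networks, the hyperparameters eps/alpha/beta/gamma, and the particular choice of four loss terms (targeted classification loss, GAN loss, perturbation hinge loss, L2 quality loss) are illustrative assumptions, not the paper's exact formulation.

```python
# Minimal sketch of GAN-based targeted adversarial example generation
# (AdvGAN-style). Architectures and loss terms are illustrative assumptions.
import torch
import torch.nn as nn
import torch.nn.functional as F

class Generator(nn.Module):
    """Maps a clean image to an additive perturbation (placeholder CNN)."""
    def __init__(self, channels=3):
        super().__init__()
        self.net = nn.Sequential(
            nn.Conv2d(channels, 16, 3, padding=1), nn.ReLU(),
            nn.Conv2d(16, channels, 3, padding=1), nn.Tanh(),
        )
    def forward(self, x):
        return self.net(x)

class Discriminator(nn.Module):
    """Scores whether an image looks clean or perturbed (placeholder CNN)."""
    def __init__(self, channels=3):
        super().__init__()
        self.net = nn.Sequential(
            nn.Conv2d(channels, 16, 4, stride=2, padding=1), nn.LeakyReLU(0.2),
            nn.AdaptiveAvgPool2d(1), nn.Flatten(), nn.Linear(16, 1),
        )
    def forward(self, x):
        return self.net(x)

def train_step(G, D, target_model, x, target_class, opt_g, opt_d,
               eps=0.3, alpha=1.0, beta=10.0, gamma=1.0):
    """One optimization step; the white-box target classifier stays frozen."""
    # Generator crafts a bounded perturbation and the adversarial example.
    delta = eps * G(x)
    x_adv = torch.clamp(x + delta, 0.0, 1.0)

    # Discriminator update: distinguish clean images from adversarial ones.
    opt_d.zero_grad()
    real_logits = D(x)
    fake_logits = D(x_adv.detach())
    d_loss = (F.binary_cross_entropy_with_logits(real_logits, torch.ones_like(real_logits))
              + F.binary_cross_entropy_with_logits(fake_logits, torch.zeros_like(fake_logits)))
    d_loss.backward()
    opt_d.step()

    # Generator update: four illustrative loss terms combined.
    opt_g.zero_grad()
    logits = target_model(x_adv)
    adv_logits = D(x_adv)
    loss_adv = F.cross_entropy(logits, target_class)      # push toward target class
    loss_gan = F.binary_cross_entropy_with_logits(adv_logits, torch.ones_like(adv_logits))
    loss_hinge = torch.clamp(delta.flatten(1).norm(dim=1) - eps, min=0).mean()
    loss_l2 = F.mse_loss(x_adv, x)                         # visual quality
    g_loss = loss_adv + alpha * loss_gan + beta * loss_hinge + gamma * loss_l2
    g_loss.backward()
    opt_g.step()
    return g_loss.item(), d_loss.item()
```

In this reading, targeted attack strength comes from minimizing the cross-entropy toward the chosen target class, while the GAN, hinge and L2 terms keep the perturbation small and visually inconspicuous; the weights alpha, beta and gamma would be tuned per dataset.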