Improving the transferability of adversarial examples with separable positive and negative disturbances
Adversarial examples demonstrate the vulnerability of white-box models but exhibit weak transferability to black-box models. In image processing, each adversarial example usually consists of original image and disturbance. The disturbances are essential for the adversarial examples, determining the...
Gespeichert in:
| Veröffentlicht in: | Neural computing & applications 2024-03, Vol.36 (7), p.3725-3736 |
|---|---|
| Hauptverfasser: | , , , |
| Format: | Artikel |
| Sprache: | eng |
| Schlagworte: | |
| Online-Zugang: | Volltext |
| Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
| container_end_page | 3736 |
|---|---|
| container_issue | 7 |
| container_start_page | 3725 |
| container_title | Neural computing & applications |
| container_volume | 36 |
| creator | Yan, Yuanjie Bu, Yuxuan Shen, Furao Zhao, Jian |
| description | Adversarial examples demonstrate the vulnerability of white-box models but exhibit weak transferability to black-box models. In image processing, each adversarial example usually consists of original image and disturbance. The disturbances are essential for the adversarial examples, determining the attack success rate on black-box models. To improve the transferability, we propose a new white-box attack method called separable positive and negative disturbance (SPND). SPND optimizes the positive and negative perturbations instead of the adversarial examples. SPND also smooths the search space by replacing constrained disturbances with unconstrained variables, which improves the success rate of attacking the black-box model. Our method outperforms the other attack methods in the MNIST and CIFAR10 datasets. In the ImageNet dataset, the black-box attack success rate of SPND exceeds the optimal CW method by nearly ten percentage points under the perturbation of
L
∞
=
0.3
. |
| doi_str_mv | 10.1007/s00521-023-09259-5 |
| format | Article |
| fullrecord | <record><control><sourceid>proquest_cross</sourceid><recordid>TN_cdi_proquest_journals_2924060577</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>2924060577</sourcerecordid><originalsourceid>FETCH-LOGICAL-c319t-dadfef251534dbb1428d4f2cdb2116fc9127cdb8c3ac5410ccbaa0c34160e2213</originalsourceid><addsrcrecordid>eNp9kEtLAzEUhYMoWKt_wFXA9ejNax5LKT4KBTe6Dpk8pinTmTFJq_57Yyu4c3U53O-cyz0IXRO4JQDVXQQQlBRAWQENFU0hTtCMcMYKBqI-RTNoeF6XnJ2jixg3AMDLWsxQt9xOYdz7ocNpbXEKaojOBtX63qcvPDqszN6GqIJXPbafajv1NuIPn9Y42kllsrd4GqNPfm-xGgwebKcOwviYdqFVg7bxEp051Ud79Tvn6O3x4XXxXKxenpaL-1WhGWlSYZRx1lFBBOOmbQmnteGOatNSQkqnG0KrLGrNlBacgNatUqAZJyVYSgmbo5tjbv7qfWdjkptxF4Z8UtKGcihBVFWm6JHSYYwxWCen4LcqfEkC8qdQeSxU5kLloVApsokdTTHDQ2fDX_Q_rm_D5nuQ</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>2924060577</pqid></control><display><type>article</type><title>Improving the transferability of adversarial examples with separable positive and negative disturbances</title><source>Springer Nature - Complete Springer Journals</source><creator>Yan, Yuanjie ; Bu, Yuxuan ; Shen, Furao ; Zhao, Jian</creator><creatorcontrib>Yan, Yuanjie ; Bu, Yuxuan ; Shen, Furao ; Zhao, Jian</creatorcontrib><description>Adversarial examples demonstrate the vulnerability of white-box models but exhibit weak transferability to black-box models. In image processing, each adversarial example usually consists of original image and disturbance. The disturbances are essential for the adversarial examples, determining the attack success rate on black-box models. To improve the transferability, we propose a new white-box attack method called separable positive and negative disturbance (SPND). SPND optimizes the positive and negative perturbations instead of the adversarial examples. SPND also smooths the search space by replacing constrained disturbances with unconstrained variables, which improves the success rate of attacking the black-box model. Our method outperforms the other attack methods in the MNIST and CIFAR10 datasets. In the ImageNet dataset, the black-box attack success rate of SPND exceeds the optimal CW method by nearly ten percentage points under the perturbation of
L
∞
=
0.3
.</description><identifier>ISSN: 0941-0643</identifier><identifier>EISSN: 1433-3058</identifier><identifier>DOI: 10.1007/s00521-023-09259-5</identifier><language>eng</language><publisher>London: Springer London</publisher><subject>Artificial Intelligence ; Black boxes ; Computational Biology/Bioinformatics ; Computational Science and Engineering ; Computer Science ; Data Mining and Knowledge Discovery ; Datasets ; Disturbances ; Hypotheses ; Image processing ; Image Processing and Computer Vision ; Mathematical models ; Methods ; Neural networks ; Original Article ; Perturbation ; Probability and Statistics in Computer Science ; Success</subject><ispartof>Neural computing & applications, 2024-03, Vol.36 (7), p.3725-3736</ispartof><rights>The Author(s), under exclusive licence to Springer-Verlag London Ltd., part of Springer Nature 2023. Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.</rights><lds50>peer_reviewed</lds50><woscitedreferencessubscribed>false</woscitedreferencessubscribed><citedby>FETCH-LOGICAL-c319t-dadfef251534dbb1428d4f2cdb2116fc9127cdb8c3ac5410ccbaa0c34160e2213</citedby><cites>FETCH-LOGICAL-c319t-dadfef251534dbb1428d4f2cdb2116fc9127cdb8c3ac5410ccbaa0c34160e2213</cites><orcidid>0000-0003-4308-9247</orcidid></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktopdf>$$Uhttps://link.springer.com/content/pdf/10.1007/s00521-023-09259-5$$EPDF$$P50$$Gspringer$$H</linktopdf><linktohtml>$$Uhttps://link.springer.com/10.1007/s00521-023-09259-5$$EHTML$$P50$$Gspringer$$H</linktohtml><link.rule.ids>314,777,781,27905,27906,41469,42538,51300</link.rule.ids></links><search><creatorcontrib>Yan, Yuanjie</creatorcontrib><creatorcontrib>Bu, Yuxuan</creatorcontrib><creatorcontrib>Shen, Furao</creatorcontrib><creatorcontrib>Zhao, Jian</creatorcontrib><title>Improving the transferability of adversarial examples with separable positive and negative disturbances</title><title>Neural computing & applications</title><addtitle>Neural Comput & Applic</addtitle><description>Adversarial examples demonstrate the vulnerability of white-box models but exhibit weak transferability to black-box models. In image processing, each adversarial example usually consists of original image and disturbance. The disturbances are essential for the adversarial examples, determining the attack success rate on black-box models. To improve the transferability, we propose a new white-box attack method called separable positive and negative disturbance (SPND). SPND optimizes the positive and negative perturbations instead of the adversarial examples. SPND also smooths the search space by replacing constrained disturbances with unconstrained variables, which improves the success rate of attacking the black-box model. Our method outperforms the other attack methods in the MNIST and CIFAR10 datasets. In the ImageNet dataset, the black-box attack success rate of SPND exceeds the optimal CW method by nearly ten percentage points under the perturbation of
L
∞
=
0.3
.</description><subject>Artificial Intelligence</subject><subject>Black boxes</subject><subject>Computational Biology/Bioinformatics</subject><subject>Computational Science and Engineering</subject><subject>Computer Science</subject><subject>Data Mining and Knowledge Discovery</subject><subject>Datasets</subject><subject>Disturbances</subject><subject>Hypotheses</subject><subject>Image processing</subject><subject>Image Processing and Computer Vision</subject><subject>Mathematical models</subject><subject>Methods</subject><subject>Neural networks</subject><subject>Original Article</subject><subject>Perturbation</subject><subject>Probability and Statistics in Computer Science</subject><subject>Success</subject><issn>0941-0643</issn><issn>1433-3058</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2024</creationdate><recordtype>article</recordtype><recordid>eNp9kEtLAzEUhYMoWKt_wFXA9ejNax5LKT4KBTe6Dpk8pinTmTFJq_57Yyu4c3U53O-cyz0IXRO4JQDVXQQQlBRAWQENFU0hTtCMcMYKBqI-RTNoeF6XnJ2jixg3AMDLWsxQt9xOYdz7ocNpbXEKaojOBtX63qcvPDqszN6GqIJXPbafajv1NuIPn9Y42kllsrd4GqNPfm-xGgwebKcOwviYdqFVg7bxEp051Ud79Tvn6O3x4XXxXKxenpaL-1WhGWlSYZRx1lFBBOOmbQmnteGOatNSQkqnG0KrLGrNlBacgNatUqAZJyVYSgmbo5tjbv7qfWdjkptxF4Z8UtKGcihBVFWm6JHSYYwxWCen4LcqfEkC8qdQeSxU5kLloVApsokdTTHDQ2fDX_Q_rm_D5nuQ</recordid><startdate>20240301</startdate><enddate>20240301</enddate><creator>Yan, Yuanjie</creator><creator>Bu, Yuxuan</creator><creator>Shen, Furao</creator><creator>Zhao, Jian</creator><general>Springer London</general><general>Springer Nature B.V</general><scope>AAYXX</scope><scope>CITATION</scope><orcidid>https://orcid.org/0000-0003-4308-9247</orcidid></search><sort><creationdate>20240301</creationdate><title>Improving the transferability of adversarial examples with separable positive and negative disturbances</title><author>Yan, Yuanjie ; Bu, Yuxuan ; Shen, Furao ; Zhao, Jian</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-c319t-dadfef251534dbb1428d4f2cdb2116fc9127cdb8c3ac5410ccbaa0c34160e2213</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2024</creationdate><topic>Artificial Intelligence</topic><topic>Black boxes</topic><topic>Computational Biology/Bioinformatics</topic><topic>Computational Science and Engineering</topic><topic>Computer Science</topic><topic>Data Mining and Knowledge Discovery</topic><topic>Datasets</topic><topic>Disturbances</topic><topic>Hypotheses</topic><topic>Image processing</topic><topic>Image Processing and Computer Vision</topic><topic>Mathematical models</topic><topic>Methods</topic><topic>Neural networks</topic><topic>Original Article</topic><topic>Perturbation</topic><topic>Probability and Statistics in Computer Science</topic><topic>Success</topic><toplevel>peer_reviewed</toplevel><toplevel>online_resources</toplevel><creatorcontrib>Yan, Yuanjie</creatorcontrib><creatorcontrib>Bu, Yuxuan</creatorcontrib><creatorcontrib>Shen, Furao</creatorcontrib><creatorcontrib>Zhao, Jian</creatorcontrib><collection>CrossRef</collection><jtitle>Neural computing & applications</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Yan, Yuanjie</au><au>Bu, Yuxuan</au><au>Shen, Furao</au><au>Zhao, Jian</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Improving the transferability of adversarial examples with separable positive and negative disturbances</atitle><jtitle>Neural computing & applications</jtitle><stitle>Neural Comput & Applic</stitle><date>2024-03-01</date><risdate>2024</risdate><volume>36</volume><issue>7</issue><spage>3725</spage><epage>3736</epage><pages>3725-3736</pages><issn>0941-0643</issn><eissn>1433-3058</eissn><abstract>Adversarial examples demonstrate the vulnerability of white-box models but exhibit weak transferability to black-box models. In image processing, each adversarial example usually consists of original image and disturbance. The disturbances are essential for the adversarial examples, determining the attack success rate on black-box models. To improve the transferability, we propose a new white-box attack method called separable positive and negative disturbance (SPND). SPND optimizes the positive and negative perturbations instead of the adversarial examples. SPND also smooths the search space by replacing constrained disturbances with unconstrained variables, which improves the success rate of attacking the black-box model. Our method outperforms the other attack methods in the MNIST and CIFAR10 datasets. In the ImageNet dataset, the black-box attack success rate of SPND exceeds the optimal CW method by nearly ten percentage points under the perturbation of
L
∞
=
0.3
.</abstract><cop>London</cop><pub>Springer London</pub><doi>10.1007/s00521-023-09259-5</doi><tpages>12</tpages><orcidid>https://orcid.org/0000-0003-4308-9247</orcidid></addata></record> |
| fulltext | fulltext |
| identifier | ISSN: 0941-0643 |
| ispartof | Neural computing & applications, 2024-03, Vol.36 (7), p.3725-3736 |
| issn | 0941-0643 1433-3058 |
| language | eng |
| recordid | cdi_proquest_journals_2924060577 |
| source | Springer Nature - Complete Springer Journals |
| subjects | Artificial Intelligence Black boxes Computational Biology/Bioinformatics Computational Science and Engineering Computer Science Data Mining and Knowledge Discovery Datasets Disturbances Hypotheses Image processing Image Processing and Computer Vision Mathematical models Methods Neural networks Original Article Perturbation Probability and Statistics in Computer Science Success |
| title | Improving the transferability of adversarial examples with separable positive and negative disturbances |
| url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-21T01%3A56%3A38IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Improving%20the%20transferability%20of%20adversarial%20examples%20with%20separable%20positive%20and%20negative%20disturbances&rft.jtitle=Neural%20computing%20&%20applications&rft.au=Yan,%20Yuanjie&rft.date=2024-03-01&rft.volume=36&rft.issue=7&rft.spage=3725&rft.epage=3736&rft.pages=3725-3736&rft.issn=0941-0643&rft.eissn=1433-3058&rft_id=info:doi/10.1007/s00521-023-09259-5&rft_dat=%3Cproquest_cross%3E2924060577%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2924060577&rft_id=info:pmid/&rfr_iscdi=true |