An Adversarial Attack via Penalty Method

Bibliographic details
Published in: IEEE Access 2025, Vol. 13, p. 18123-18140
Main authors: Sun, Jiyuan; Yu, Haibo; Zhao, Jianjun
Format: Article
Language: eng
Description
Summary: Deep learning systems have achieved significant success across various machine learning tasks. However, they are highly vulnerable to attacks. For example, adversarial examples can fool deep learning systems easily by perturbing inputs with small, imperceptible noises. There has been extensive research regarding the generation of and defense against adversarial examples in computer vision tasks, and existing attacking methods based on optimization fall into two categories: maximizing the loss and minimizing the perturbation size. To solve the optimization problem for generating adversarial examples, the latter approach incorporates a misclassifying constraint into the objective using a Lagrangian multiplier or penalty parameter, usually determined by binary search. However, this is relatively inefficient because the parameter varies for each input. To address this inefficiency, based on the penalty method, also called the sequential unconstrained minimization technique, we propose PenaltyAttack. Unlike traditional methods, it generates white-box $\ell_2$ and $\ell_1$ adversarial examples by progressively increasing the penalty parameter instead of employing binary search. Extensive experiments on three test benches (MNIST, CIFAR10, and ImageNet) demonstrate that compared with existing methods, our attack can generate adversarial examples with minor perturbations at a higher success rate. The implementation and experimental code are publicly available at https://github.com/sjysjy1/PenaltyMethodAttack
ISSN: 2169-3536
DOI: 10.1109/ACCESS.2025.3529217