Adaptive iterative attack towards explainable adversarial robustness
Published in: | Pattern recognition 2020-09, Vol.105, p.107309, Article 107309 |
---|---|
Main authors: | , , , |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |
Abstract: | • We demonstrate the relationship between step size and iterative attack effect.
• We design the first iterative attack that adaptively allocates step size.
• We achieve high attack effect with various models with two different norms.
• We visualize attack trajectories to show the motivation of adjustment on step size.
Image classifiers based on deep neural networks show severe vulnerability when facing adversarial examples crafted on purpose. Designing more effective and efficient adversarial attacks is attracting considerable interest due to its potential contribution to interpretability of deep learning and validation of neural networks’ robustness. However, current iterative attacks use a fixed step size for each noise-adding step, making further investigation into the effect of variable step size on model robustness ripe for exploration. We prove that if the upper bound of noise added to the original image is fixed, the attack effect can be improved if the step size is positively correlated with the gradient obtained at each step by querying the target model. In this paper, we propose Ada-FGSM (Adaptive FGSM), a new iterative attack that adaptively allocates step size of noises according to gradient information at each step. Improvement of success rate and accuracy decrease measured on ImageNet with multiple models emphasizes the validity of our method. We analyze the process of iterative attack by visualizing their trajectory and gradient contour, and further explain the vulnerability of deep neural networks to variable step size adversarial examples. |
---|---|
ISSN: | 0031-3203 1873-5142 |
DOI: | 10.1016/j.patcog.2020.107309 |