Abstract: Deep neural networks (DNNs) have achieved outstanding performance in many fields, but many studies have shown that DNNs are vulnerable to adversarial examples, which limits their application, especially in security-sensitive industries. Sparse adversarial attacks are an important branch of adversarial attacks that perturb only a small number of pixels to fool DNNs, with the goal of minimizing the \(l_{0}\)-norm of the perturbations. Since minimizing the \(l_{0}\)-norm is an NP-hard problem, existing sparse adversarial attack algorithms have shortcomings in the magnitude and sparsity of their perturbations. Furthermore, they ignore the fact that pixels are stored as integers in computers, so treating perturbations as floating-point numbers may cause adversarial examples to lose their adversarial properties once they are saved. In this paper, we propose a sparse adversarial attack algorithm, IDSA, which can generate sparse and tiny perturbations in both targeted and untargeted attacks. Specifically, it determines the perturbed positions by calculating the gradient of pixels, and then simultaneously solves for the optimal perturbation at each position using a genetic algorithm. Considering the relatively flat decision boundary of DNNs, we also propose a method of eliminating redundant perturbations through binary search. Extensive experiments on CIFAR-10 and ImageNet demonstrate that the proposed algorithm outperforms state-of-the-art algorithms in terms of the number of perturbed pixels and the overall perturbation magnitude.
External IDs: dblp:journals/sivp/YangLWL25