Generate adversarial examples by adaptive moment iterative fast gradient sign method
Abstract: Deep neural networks (DNNs) are vulnerable to adversarial examples that are similar to original samples but contain the perturbations intentionally crafted by adversaries. Many efficient and typical attacks are based on the fast gradient sign method and usually against models by adding invariant perturbation magnitude to the input of DNN in each iteration. Some studies report that the loss surface demonstrates significant non-smooth variation in the input space. The invariant perturbation size may not be conducive to finding adversarial examples fast in iterations. In this work, we propose the adaptive moment iterative fast gradient sign method (Adam-FGSM), a new iterative white-box attack. According to the moment estimations of the gradients, Adam-FGSM can follow stable perturbation directions by the first-order moment estimation of gradients and adaptively compute the perturbation size with the second-order moment estimations. The experimental results show that Adam-FGSM could adopt rugged input loss space to generate adversarial examples with a higher attack success rate and acceptable transferability in fewer iterations. We analyze the attack process of Adam-FGSM to explain why it can achieve outstanding performance by visualizing the L1, \(L_{\infty }\) norms, and the cosine similarity of perturbations. Furthermore, we plot trajectories of iterative attack methods to observe the geometric characteristics intuitively.
Loading