Abstract
Adversarial attacks pose a significant threat to real-world applications based on deep neural networks (DNNs), especially in security-critical applications. Research has shown that adversarial examples (AEs) generated on a surrogate model can also succeed on a target model, which is known as transferability. Feature-level transfer-based attacks improve the transferability of AEs by disrupting intermediate features. They target the intermediate layer of the model and use feature importance metrics to find these features. However, current methods overfit feature importance metrics to surrogate models, which results in poor sharing of the importance metrics across models and insufficient destruction of deep features. This work demonstrates the trade-off between feature importance metrics and feature corruption generalization, and categorizes feature destructive causes of misclassification. This work proposes a generative framework named PTNAA to guide the destruction of deep features across models, thus improving the transferability of AEs. Specifically, the method introduces path methods into integrated gradients. It selects path functions using only a priori knowledge and approximates neuron attribution using nonuniform sampling. In addition, it measures neurons based on the attribution results and performs feature-level attacks to remove inherent features of the image. Extensive experiments demonstrate the effectiveness of the proposed method. The code is available at https://github.com/lounwb/PTNAA.
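The path-method attribution named in the abstract, as an added example (not the authors' PTNAA code): integrated gradients generalized to a curved path and integrated with nonuniform sample points, with the completeness property (attributions sum to the output change) holding on either path. The toy model, the quadratic Bézier path, its control point and the `t = u**power` sampling rule are assumptions chosen for illustration; the abstract does not specify them.

```python
import math

# Constructed toy model: one hidden tanh layer with fixed weights (not from the paper).
W = [[0.8, -0.5, 0.3], [-0.2, 0.9, 0.4]]
V = [1.0, -1.5]

def model(x):
    return sum(v * math.tanh(sum(w * xi for w, xi in zip(row, x))) for v, row in zip(V, W))

def model_grad(x):
    g = [0.0] * len(x)
    for v, row in zip(V, W):
        s = 1.0 - math.tanh(sum(w * xi for w, xi in zip(row, x))) ** 2
        for i, w in enumerate(row):
            g[i] += v * s * w
    return g

def bezier_path(b, c, x):
    """Quadratic Bezier from baseline b to input x via control point c (assumed path family)."""
    def gamma(t):
        return [(1 - t) ** 2 * bi + 2 * (1 - t) * t * ci + t * t * xi for bi, ci, xi in zip(b, c, x)]
    def dgamma(t):
        return [2 * (1 - t) * (ci - bi) + 2 * t * (xi - ci) for bi, ci, xi in zip(b, c, x)]
    return gamma, dgamma

def path_attribution(grad, gamma, dgamma, n=2000, power=2.0):
    # attr_i = integral over [0,1] of dF/dx_i(gamma(t)) * gamma_i'(t) dt.
    # Nonuniform nodes: t = u**power on a uniform midpoint grid in u, so samples
    # cluster near the baseline; power * u**(power-1) / n is the matching dt weight.
    attr = [0.0] * len(gamma(0.0))
    for k in range(n):
        u = (k + 0.5) / n
        t, w = u ** power, power * u ** (power - 1) / n
        g, d = grad(gamma(t)), dgamma(t)
        attr = [a + w * gi * di for a, gi, di in zip(attr, g, d)]
    return attr

def demo():
    x, b = [1.0, 2.0, -1.0], [0.0, 0.0, 0.0]
    straight = [(bi + xi) / 2 for bi, xi in zip(b, x)]  # control on the chord: plain IG
    curved = [1.0, 0.0, 0.0]                            # assumed off-chord control point
    a_line = path_attribution(model_grad, *bezier_path(b, straight, x))
    a_curve = path_attribution(model_grad, *bezier_path(b, curved, x))
    return a_line, a_curve, model(x) - model(b)

if __name__ == "__main__":
    a_line, a_curve, delta = demo()
    print("straight:", a_line, "\ncurved:  ", a_curve, "\nF(x)-F(b):", delta)
```

The per-feature attributions change with the path while their sum does not, which is why the choice of path function matters for any importance ranking built on them.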
Acknowledgements
This work was supported by the National Key R&D Program of China (No. J2019-V-0001-0092) and the Xinjiang Ethnic Minority Science and Technology Talent Special Cultivation Program (2022D03041).
About this article
Cite this article
Li, T., Li, X., Ke, W. et al. Improving the transferability of adversarial examples with path tuning. Appl Intell 54, 12194–12214 (2024). https://doi.org/10.1007/s10489-024-05820-4
DOI: https://doi.org/10.1007/s10489-024-05820-4