
Research On Adversarial Example Generation Method Based On Structure-preserving Attack

Posted on: 2021-03-13
Degree: Master
Type: Thesis
Country: China
Candidate: D Peng
GTID: 2428330611498856
Subject: Computer Science and Technology

Abstract/Summary:
Deep neural networks (DNNs) have achieved phenomenal success in various tasks, e.g., computer vision. However, recent works have demonstrated that DNNs are vulnerable to adversarial examples that are generated for malicious purposes. This observation has raised serious concerns about the robustness of state-of-the-art DNNs and restricts their applicability in various security-sensitive applications. Recent works on adversarial examples for image classification focus on directly modifying pixels with minor perturbations, hereinafter called small-perturbation-based adversarial examples. The small-perturbation requirement is imposed to ensure that the generated adversarial examples look natural and realistic to humans; however, it restricts the attack space and thus limits transferability. Therefore, small-perturbation-based adversarial examples show low black-box attack ability, especially when a defense mechanism is applied.

In this thesis, we propose the novel concepts of structure patterns and structure-aware perturbations, which relax the small-perturbation constraint while still keeping images natural. Built upon these concepts, we propose an attack based on structure preservation, called the structure-preserving attack (SPA), which generates natural adversarial examples with extremely high transferability. SPA attempts to generate structural adversarial perturbations that maintain the same structure as the original images. Specifically, SPA enforces that the same perturbation is applied to all the pixels in the same structure pattern, so that the computed perturbation for the given image is structural. By considering the intrinsic structures of images, structural adversarial examples generated under relatively large perturbations are comparably natural or even more natural than small-perturbation-based adversarial examples. Thus, SPA could demonstrate higher transferability and stronger black-box attack ability.

Empirical results on the MNIST and CIFAR10 datasets show that SPA exhibits strong attack ability in both the white-box and black-box settings, even when defense mechanisms are applied. In particular, SPA exhibits higher transferability than other attacks. SPA consistently achieves low accuracy with or without defense and is extremely effective in the black-box setting. Furthermore, with the integration of the PGD or CW attack, its attack ability escalates sharply under the white-box setting without losing the outstanding transferability inherited from SPA. Moreover, models trained with the SPA-based adversarial training method are still vulnerable to adversarial examples generated by the SPA method, which further demonstrates the effectiveness of SPA. In addition, we analyze the relationship between attack ability and attack space from the perspective of space flexibility and distortion flexibility. We show that to obtain strong attack ability, it is profitable to sacrifice a bit of space flexibility to acquire greater distortion flexibility.
Keywords/Search Tags: adversarial examples, deep learning, image classification