
EnsembleFool: A method to generate adversarial examples based on model fusion strategy

Bibliographic Details
Published in: Computers & Security, 2021-08, Vol. 107, p. 102317, Article 102317
Main Authors: Peng, Wenyu; Liu, Renyang; Wang, Ruxin; Cheng, Taining; Wu, Zifeng; Cai, Li; Zhou, Wei
Format: Article
Language: English
Description
Summary: Deep neural networks have been shown vulnerable to adversarial attacks launched by adversarial examples. These examples’ transferability makes an attack in the real-world feasible, which poses a security threat to deep learning. Considering the limited representation capacity of a single deep model, the transferability of an adversarial example generated by a single attack model would cause the failure of attacking other different models. In this paper, we propose a new adversarial attack method, named EnsembleFool, which flexibly integrates multiple models to enhance adversarial examples’ transferability. Specifically, the model confidence concerning an input example reveals the risk of a successful attack. In an iterative attacking case, the result of a previous attack could guide us to enforce a new attack that possesses a higher probability of success. Regarding this, we design a series of integration strategies to improve the adversarial examples in each iteration. Extensive experiments on ImageNet indicate that the proposed method has superior attack performance and transferability than state-of-the-art methods.
ISSN: 0167-4048, 1872-6208
DOI: 10.1016/j.cose.2021.102317