Skip to main content
SpringerLink
Log in

Generate adversarial examples by adaptive moment iterative fast gradient sign method

  • Published:
Applied Intelligence Aims and scope Submit manuscript

Abstract

Deep neural networks (DNNs) are vulnerable to adversarial examples that are similar to original samples but contain the perturbations intentionally crafted by adversaries. Many efficient and typical attacks are based on the fast gradient sign method and usually against models by adding invariant perturbation magnitude to the input of DNN in each iteration. Some studies report that the loss surface demonstrates significant non-smooth variation in the input space. The invariant perturbation size may not be conducive to finding adversarial examples fast in iterations. In this work, we propose the adaptive moment iterative fast gradient sign method (Adam-FGSM), a new iterative white-box attack. According to the moment estimations of the gradients, Adam-FGSM can follow stable perturbation directions by the first-order moment estimation of gradients and adaptively compute the perturbation size with the second-order moment estimations. The experimental results show that Adam-FGSM could adopt rugged input loss space to generate adversarial examples with a higher attack success rate and acceptable transferability in fewer iterations. We analyze the attack process of Adam-FGSM to explain why it can achieve outstanding performance by visualizing the L1, \(L_{\infty }\) norms, and the cosine similarity of perturbations. Furthermore, we plot trajectories of iterative attack methods to observe the geometric characteristics intuitively.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7

Similar content being viewed by others

References

  1. Yu F, Qin Z, Liu C, Zhao L, Wang Y, Chen X (2019) Interpreting and evaluating neural network robustness. In: Kraus S (ed) International Joint Conference on Artificial Intelligence, pp 4199–4205, DOI https://doi.org/10.24963/ijcai.2019/583, (to appear in print)

  2. Rawat W, Wang Z (2017) Deep Convolutional Neural Networks for Image Classification: A Comprehensive Review. Neural Comput 29(9):2352–2449. https://doi.org/10.1162/neco_a_00990

    Article  MathSciNet  MATH  Google Scholar 

  3. Zhao Z-Q, Zheng P, Xu S-T, Wu X (2019) Object detection with deep learning: A review. IEEE Trans Neural Netw Learn Syst 30(11):3212–3232. https://doi.org/10.1109/TNNLS.2018.2876865

    Article  Google Scholar 

  4. Jing Y, Yang Y, Feng Z, Ye J, Yu Y, Song M (2020) Neural style transfer: A review. IEEE Trans Vis Comput Graph 26(11):3365–3385. https://doi.org/10.1109/TVCG.2019.2921336

    Article  Google Scholar 

  5. Young T, Hazarika D, Poria S, Cambria E (2018) Recent trends in deep learning based natural language processing. IEEE Comput Intell Mag 13(3):55–75. https://doi.org/10.1109/MCI.2018.2840738

    Article  Google Scholar 

  6. Hossain MD Z, Sohel F, Shiratuddin M F, Laga H (2019) A comprehensive survey of deep learning for image captioning. Acm Comput Surv 51(6):1–36. https://doi.org/10.1145/3295748

    Article  Google Scholar 

  7. Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow I J, Fergus R (2014) Intriguing properties of neural networks. In: Bengio Y, LeCun Y (eds) International Conference on Learning Representations. arXiv:1312.6199

  8. Eykholt K, Evtimov I, Fernandes E, Li B, Rahmati A, Xiao C, Prakash A, Kohno T, Song D (2018) Robust physical-world attacks on deep learning visual classification. In: IEEE proceedings of international conference on computer vision and pattern recognition, pp 1625–1634, DOI https://doi.org/10.1109/CVPR.2018.00175, (to appear in print)

  9. Sharif M, Bhagavatula S, Bauer L, Reiter M K (2016) Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition. In: Weippl E R, Katzenbeisser S, Kruegel C, Myers A C, Halevi S (eds) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp 1528–1540, DOI https://doi.org/10.1145/2976749.2978392, (to appear in print)

  10. Nocedal J (1980) Updating quasi-Newton matrices with limited storage. Math Comput 35 (151):773–782. https://doi.org/10.1090/S0025-5718-1980-0572855-7

    Article  MathSciNet  MATH  Google Scholar 

  11. Goodfellow I J, Shlens J, Szegedy C (2015) Explaining and harnessing adversarial examples. In: Bengio Y, LeCun Y (eds) International Conference on Learning Representations. arXiv:1412.6572

  12. Kurakin A, Goodfellow I J, Bengio S (2016) Adversarial examples in the physical world. CoRR arXiv:1607.02533

  13. Madry A, Makelov A, Schmidt L, Tsipras D, Vladu A (2018) Towards deep learning models resistant to adversarial attacks. In: International Conference on Learning Representations. arXiv:1706.06083

  14. Dong Y, Liao F, Pang T, Su H, Zhu J, Hu X, Li J (2018) Boosting adversarial attacks with momentum. In: IEEE proceedings of international conference on computer vision and pattern recognition, pp 9185–9193, DOI https://doi.org/10.1109/CVPR.2018.00957, (to appear in print)

  15. Kingma D P, Ba J (2015) Adam: A method for stochastic optimization. In: Bengio Y, LeCun Y (eds) International Conference on Learning Representations. arXiv:1412.6980

  16. Ren K, Zheng T, Qin Z, Liu X (2020) Adversarial attacks and defenses in deep learning. Engineering 6(3):346–360. https://doi.org/10.1016/j.eng.2019.12.012

    Article  Google Scholar 

  17. Papernot N, McDaniel P D, Goodfellow I J (2016) Transferability in machine learning: From phenomena to black-box attacks using adversarial samples. CoRR arXiv:1605.07277

  18. Tieleman T, Hinton G (2012) Lecture 6.5-Rmsprop: Divide the gradient by a running average of its recent magnitude COURSERA. Neural Netw Mach Learn 4(2):26–30

    Google Scholar 

  19. Sutskever I, Martens J, Dahl G, Hinton G (2013) On the importance of initialization and momentum in deep learning. In: Dasgupta S, McAllester D (eds) International Conference on Machine Learning. https://proceedings.mlr.press/v28/sutskever13.html, vol 28, pp 1139–1147

  20. Goodfellow I, Bengio Y, Courville A (2016) Deep learning. MIT Press. http://www.deeplearningbook.org

  21. Duch W, Korczak J (1998) Optimization and global minimization methods suitable for neural networks. Neural Comput Surv 2:163–212. https://core.ac.uk/display/24376840

    Google Scholar 

  22. Lecun Y, Bottou L, Bengio Y, Haffner P (1998) Gradient-based learning applied to document recognition. Proc IEEE 86(11):2278–2323. https://doi.org/10.1109/5.726791

    Article  Google Scholar 

  23. Krizhevsky A, Hinton G (2009) Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep. 1(4). http://www.cs.toronto.edu/~kriz/learning-features-2009-TR.pdf

  24. Russakovsky O, Deng J, Su H, Krause J, Satheesh S, Ma S, Huang Z, Karpathy A, Khosla A, Bernstein M, Berg A C, Fei-Fei L (2015) ImageNet large scale visual recognition challenge. Int J Comput Vis 115(3):211–252. https://doi.org/10.1007/s11263-015-0816-y

    Article  MathSciNet  Google Scholar 

  25. Simonyan K, Zisserman A (2015) Very deep convolutional networks for large-scale image recognition. In: Bengio Y, LeCun Y (eds) International Conference on Learning Representations. arXiv:1409.1556

  26. He K, Zhang X, Ren S, Sun J (2016) Deep residual learning for image recognition. In: IEEE proceedings of international conference on computer vision and pattern recognition, pp 770–778, DOI https://doi.org/10.1109/CVPR.2016.90, (to appear in print)

  27. Huang G, Liu Z, Maaten L, Weinberger K Q (2017) Densely connected convolutional networks. In: IEEE proceedings of international conference on computer vision and pattern recognition, pp 2261–2269, DOI https://doi.org/10.1109/CVPR.2017.243, (to appear in print)

  28. Kim H (2020) Torchattacks : A pytorch repository for adversarial attacks. CoRR arXiv:2010.01950

  29. Tramèr F, Kurakin A, Papernot N, Goodfellow I J, Boneh D, McDaniel P D (2018) Ensemble adversarial training: Attacks and defenses. In: International Conference on Learning Representations. CoRR arXiv:1705.07204

  30. Liu Y, Chen X, Liu C, Song D (2017) Delving into transferable adversarial examples and black-box attacks. In: International Conference on Learning Representations. https://openreview.net/forum?id=Sys6GJqxl

Download references

Acknowledgements

This work was supported by the Research Foundation of Yunnan Province No.202002AD08001, 202001BB050043, 2019FA044, National Natural Science Foundation of China under Grants No.62162065, Provincial Foundation for Leaders of Disciplines in Science and Technology No.2019HB121, in part by the Postgraduate Research and Innovation Foundation of Yunnan University (No.2021Y281, No.2021Z078), and in part by the Postgraduate Practice and Innovation Foundation of Yunnan University (No.2021Y179, No.2021Y171). We wish to thank Hoki Kim, the author of the adversarial attacks toolkit torchattacks, for answers to my questions about the code implementation of adversarial attacks.

Author information

Authors and Affiliations

  1. School of information science and engineering, Yunnan University, Kunming, 650500, China

    Jiebao Zhang, Wenhua Qian, Rencan Nie & Dan Xu

  2. School of Automation, Southeast University, Nanjing, 210096, China

    Wenhua Qian & Rencan Nie

  3. Department of Mathematics, Southeast University, Nanjing, 210096, China

    Jinde Cao

Authors
  1. Jiebao Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Wenhua Qian
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Rencan Nie
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Jinde Cao
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Dan Xu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Wenhua Qian.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Zhang, J., Qian, W., Nie, R. et al. Generate adversarial examples by adaptive moment iterative fast gradient sign method. Appl Intell 53, 1101–1114 (2023). https://doi.org/10.1007/s10489-022-03437-z

Download citation

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10489-022-03437-z

Keywords

Search

Navigation