Bibliographic Details
Main Authors: Zhang, Zhun; Zeng, Yi; Liu, Qihe; Zhou, Shijie
Format: Preprint
Published: 2024
Online Access: https://arxiv.org/abs/2404.10202
author Zhang, Zhun
Zeng, Yi
Liu, Qihe
Zhou, Shijie
contents Enhancing our understanding of adversarial examples is crucial for the secure application of machine learning models in real-world scenarios. A prevalent method for analyzing adversarial examples is through a frequency-based approach. However, existing research indicates that attacks designed to exploit low-frequency or high-frequency information can enhance attack performance, leading to an unclear relationship between adversarial perturbations and different frequency components. In this paper, we seek to demystify this relationship by exploring the characteristics of adversarial perturbations within the frequency domain. We employ wavelet packet decomposition for detailed frequency analysis of adversarial examples and conduct statistical examinations across various frequency bands. Intriguingly, our findings indicate that significant adversarial perturbations are present within the high-frequency components of low-frequency bands. Drawing on this insight, we propose a black-box adversarial attack algorithm based on combining different frequency bands. Experiments conducted on multiple datasets and models demonstrate that combining low-frequency bands and high-frequency components of low-frequency bands can significantly enhance attack efficiency. The average attack success rate reaches 99%, surpassing attacks that utilize a single frequency segment. Additionally, we introduce the normalized disturbance visibility index as a solution to the limitations of $L_2$ norm in assessing continuous and discrete perturbations.
format Preprint
id arxiv_https___arxiv_org_abs_2404_10202
institution arXiv
publishDate 2024
record_format arxiv
title Towards a Novel Perspective on Adversarial Examples Driven by Frequency
topic Machine Learning
Artificial Intelligence
url https://arxiv.org/abs/2404.10202