Toward feature space adversarial attack in the frequency domain

Attacking in the feature space via spectral transformation.

DOI | PDF

Yajie Wang, Yu-an Tan, Haoran Lyu, Shangbo Wu, Yuhang Zhao, Yuanzhang Li†

TL;DR

We propose a novel adversarial attack, initiated in the feature space, with high transferability. We (1) corrupt abstract features by maximizing the feature distance between adversarial examples and clean images, measured with Perceptual Similarity, and (2) apply a spectral transformation to the input to narrow the search space to the frequency domain. Disrupting crucial features within a specific frequency component yields higher transferability.
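The two ingredients above can be illustrated with a toy sketch. This is not the paper's implementation: the "feature extractor" is a fixed random linear map standing in for an intermediate CNN layer, the frequency band is a hypothetical low-pass mask, and all names (`low_freq_mask`, `project_to_band`, the step sizes) are illustrative assumptions. The sketch ascends the gradient of the feature distance while restricting the perturbation to a frequency band via FFT:

```python
import numpy as np

rng = np.random.default_rng(0)

def low_freq_mask(shape, radius):
    """Binary mask keeping only frequency components within `radius`
    of the DC term (after fftshift). Purely illustrative band choice."""
    h, w = shape
    yy, xx = np.mgrid[:h, :w]
    cy, cx = h // 2, w // 2
    return ((yy - cy) ** 2 + (xx - cx) ** 2 <= radius ** 2).astype(float)

def project_to_band(delta, mask):
    """Restrict a spatial perturbation to the masked frequency band."""
    spec = np.fft.fftshift(np.fft.fft2(delta))
    return np.real(np.fft.ifft2(np.fft.ifftshift(spec * mask)))

# Toy "feature extractor": features(x) = M @ x_flat.
# A stand-in for an intermediate network layer, NOT the paper's model.
H, Wd = 16, 16
M = rng.standard_normal((32, H * Wd)) / np.sqrt(H * Wd)

def features(x):
    return M @ x.ravel()

x_clean = rng.random((H, Wd))
f_clean = features(x_clean)

mask = low_freq_mask((H, Wd), radius=4)
eps, step = 0.05, 0.01

# Start from small random noise restricted to the band
# (a zero start would give a zero gradient here).
delta = np.clip(project_to_band(rng.uniform(-eps, eps, (H, Wd)), mask),
                -eps, eps)

for _ in range(20):
    f_adv = features(x_clean + delta)
    # Gradient of 0.5 * ||f_adv - f_clean||^2 w.r.t. the input is
    # M^T (f_adv - f_clean); we *ascend* it to push features apart.
    grad = (M.T @ (f_adv - f_clean)).reshape(H, Wd)
    delta = delta + step * np.sign(grad)
    delta = project_to_band(delta, mask)   # stay (approximately) in the band
    delta = np.clip(delta, -eps, eps)      # L_inf budget; may leave the band slightly

dist = float(np.linalg.norm(features(x_clean + delta) - f_clean))
print(dist)
```

The final clip can move the perturbation slightly out of the frequency band; a real implementation would have to decide how to reconcile the norm budget with the spectral constraint.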

Figure

GradCAM comparison between existing work and our FDA

Comparison between a traditional attack and our Feature Distant Attack (FDA). We show GradCAM visualizations of the clean image and the adversarial examples. The adversarial example generated by the traditional approach still lets the target model focus on the object region, whereas ours forces the target model to attend to trivial areas that do not contain the object. Adversarial examples are generated on the local model ResNet-50; the black-box target model of the attack is VGG-16.

Comments

I mostly helped with experiments and the final polishing of this paper.

Citing our work

@article{Wang2022TowardFS,
  title={Toward feature space adversarial attack in the frequency domain},
  author={Yajie Wang and Yu-an Tan and Haoran Lyu and Shangbo Wu and Yuhang Zhao and Yuanzhang Li},
  journal={International Journal of Intelligent Systems},
  year={2022}
}