Evolutionary Multi-Label Adversarial Examples: An Effective Black-Box Attack

Kong，Linghao1; Luo，Wenjian1; Zhang，Hongwei1; Liu，Yang1; Shi，Yuhui2

2022

10.1109/TAI.2022.3198629

IEEE Transactions on Artificial Intelligence   Impact Factor & Quartile

2691-4581

2691-4581

Studies have shown that deep neural networks (DNNs) are vulnerable to adversarial attack. Minor malicious modifications of examples will lead to the DNN misclassification. Such maliciously modified examples are called adversarial examples. So far, the work on adversarial examples is mainly focused on multi-class classification tasks, there is less work in the field of multi-label classification. In this paper, for the first time, a differential evolution (DE) algorithm that can effectively generate multi-label adversarial examples is proposed, which is called MLAE-DE. Different from traditional differential evolution, we designed a complementary mutation operator for MLAE-DE, which can improve attack performance and reduce the number of fitness evaluations. As a black-box attack, MLAE-DE does not need to access model parameters, and only uses model outputs to generate adversarial examples. Experiments on two typical multi-label classification models and three typical datasets under the black-box settings are conducted in this paper. Experimental results demonstrate that, compared with existing black-box attack algorithms for multi-label classification models, the attack success rate of our proposed algorithm is much better. Impact Statement— Deep neural networks (DNNs) have been widely used in computer vision and other fields. However, DNN models can be easily misled by adversarial examples with tiny perturbations added, leading to misclassification. Our proposed differential evolution-based attack algorithm could achieve efficient attacks in black-box environments without internal information of models. The proposed algorithm achieves over 90% attack success rate on multiple models and datasets in black-box environments, exceeding other multi-label attack algorithms. The article serves multiple purposes. First, it provides a new attack algorithm for practitioners in the fields of deep learning, artificial intelligence, and security systems, which helps to promote related research and improve the security of DNN models. Second, it promotes the combination of evolutionary algorithms and deep learning related fields, and provides future research ideas for applying evolutionary algorithms to adversarial attacks. Third, it aims to stimulate more interest and ideas in the field of adversarial attack.

Adversarial examples Computational modeling Deep learning deep neural networks differential evolution Evolutionary computation multi-label classification Optimization Perturbation methods Security Sociology

EI

English

Others

20223512666030

Classification (of information) ; Evolutionary algorithms ; Learning algorithms ; Neural network models ; Optimization ; Perturbation techniques

Ergonomics and Human Factors Engineering:461.4 ; Information Theory and Signal Processing:716.1 ; Artificial Intelligence:723.4 ; Machine Learning:723.4.2 ; Information Sources and Analysis:903.1 ; Mathematics:921 ; Optimization Techniques:921.5

2-s2.0-85136662415

Scopus

1.Guangdong Provincial Key Laboratory of Novel Security Intelligence Technologies, the School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen, China
2.Guangdong Provincial Key Laboratory of Brain-inspired Intelligent Computation, School of Computer Science and Engineering, Southern University of Science and Technology, Shenzhen, China

Kong，Linghao,Luo，Wenjian,Zhang，Hongwei,et al. Evolutionary Multi-Label Adversarial Examples: An Effective Black-Box Attack[J]. IEEE Transactions on Artificial Intelligence,2022,PP(99):1-12.

Kong，Linghao,Luo，Wenjian,Zhang，Hongwei,Liu，Yang,&Shi，Yuhui.(2022).Evolutionary Multi-Label Adversarial Examples: An Effective Black-Box Attack.IEEE Transactions on Artificial Intelligence,PP(99),1-12.

Kong，Linghao,et al."Evolutionary Multi-Label Adversarial Examples: An Effective Black-Box Attack".IEEE Transactions on Artificial Intelligence PP.99(2022):1-12.