pith. sign in

arxiv: 1908.06281 · v5 · pith:Z6JA3YWAnew · submitted 2019-08-17 · 💻 cs.LG · cs.CR· stat.ML

Nesterov Accelerated Gradient and Scale Invariance for Adversarial Attacks

classification 💻 cs.LG cs.CRstat.ML
keywords adversarialattackexamplesmodelstransferabilityattacksgradientnesterov
0
0 comments X
read the original abstract

Deep learning models are vulnerable to adversarial examples crafted by applying human-imperceptible perturbations on benign inputs. However, under the black-box setting, most existing adversaries often have a poor transferability to attack other defense models. In this work, from the perspective of regarding the adversarial example generation as an optimization process, we propose two new methods to improve the transferability of adversarial examples, namely Nesterov Iterative Fast Gradient Sign Method (NI-FGSM) and Scale-Invariant attack Method (SIM). NI-FGSM aims to adapt Nesterov accelerated gradient into the iterative attacks so as to effectively look ahead and improve the transferability of adversarial examples. While SIM is based on our discovery on the scale-invariant property of deep learning models, for which we leverage to optimize the adversarial perturbations over the scale copies of the input images so as to avoid "overfitting" on the white-box model being attacked and generate more transferable adversarial examples. NI-FGSM and SIM can be naturally integrated to build a robust gradient-based attack to generate more transferable adversarial examples against the defense models. Empirical results on ImageNet dataset demonstrate that our attack methods exhibit higher transferability and achieve higher attack success rates than state-of-the-art gradient-based attacks.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 5 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Escaping the Linearity Trap: Manifold Detours for Black-Box Adversarial Attacks on Singing Audio Deepfake Detection

    cs.CR 2026-05 unverdicted novelty 7.0

    MARS is a transfer-based black-box attack that uses bi-level optimization on semantic and artifact anchors to escape the linearity trap and improve attack success rates on SSL-SVDD by up to 36%.

  2. Physically-Induced Atmospheric Adversarial Perturbations: Enhancing Transferability and Robustness in Remote Sensing Image Classification

    cs.CV 2026-04 unverdicted novelty 7.0

    FogFool creates fog-based adversarial perturbations using Perlin noise optimization to achieve high black-box transferability (83.74% TASR) and robustness to defenses in remote sensing classification.

  3. INTARG: Informed Real-Time Adversarial Attack Generation for Time-Series Regression

    cs.LG 2026-04 unverdicted novelty 7.0

    INTARG generates effective real-time adversarial attacks on time-series regression models by selectively targeting high-confidence high-error steps in a bounded-buffer online setting, increasing prediction error up to...

  4. Universal Adversarial Attacks against Closed-Source MLLMs via Target-View Routed Meta Optimization

    cs.AI 2026-01 unverdicted novelty 6.0

    MCRMO-Attack raises universal targeted attack success rates on unseen images by 23.7% on GPT-4o and 19.9% on Gemini-2.0 over prior universal baselines through stabilized supervision and meta-optimization.

  5. Robust Auto-associative Memory via Convolutional Restricted Hopfield Networks

    cs.NE 2026-06 unverdicted novelty 4.0

    CRHNs integrate convolutional extraction with subspace attractor retrieval trained via Subspace Rotation Algorithm and report order-of-magnitude lower reconstruction error than MHNs and PCNs on STL data under adversar...