Computer Engineering and Applications ›› 2021, Vol. 57 ›› Issue (16): 116-124.DOI: 10.3778/j.issn.1002-8331.2101-0301

Previous Articles     Next Articles

Adversarial Attack Algorithm Based on Erosion Batch Normalization

ZHANG Wu, ZHOU Xingyu, ZOU Junhua, PAN Zhisong, DUAN Yexin, CHEN Jun   

  1. 1.Command and Control Engineering College, Army Engineering University of PLA, Nanjing 210007, China
    2.Communications Engineering College, Army Engineering University of PLA, Nanjing 210007, China
    3.Zhenjiang Campus, Army Military Transportation University, Zhenjiang, Jiangsu 212001, China
  • Online:2021-08-15 Published:2021-08-16



  1. 1.陆军工程大学 指挥控制工程学院,南京 210007
    2.陆军工程大学 通信工程学院,南京 210007
    3.陆军军事交通学院 镇江校区,江苏 镇江 212001


For adversarial examples generation research, gradient-based attack methods are widely used due to fast generation speed and low resource consumption. However, the adversarial examples generated by most existing gradient-based attack methods still exhibit low efficiency in black-box attacks. The state-of-the-art gradient-based attack method only reaches an average success rate of 78.2% when attacking six advanced defense black-box models. To this end, a generation algorithm based on erosion batch normalization layer in deep neural network architecture is proposed to improve existing gradient-based attack methods, so as to generate adversarial examples with higher black-box attack success rates. Extensive experiments on an ImageNet-compatible dataset are conducted under single-model setting and multi-model setting, and the results show that the proposed algorithm can be effectively combined with existing gradient-based attack methods and obtain higher attack success rates with similar computational cost. In addition, the proposed algorithm makes the state-of-the-art gradient-based attack method achieve an increase of 9.0 percentage points in the average success attack rate against six advanced black-box defense models.

Key words: adversarial examples, black-box attacks, erosion, batch normalization layer



关键词: 对抗样本, 黑盒攻击, 腐蚀, 批归一化层