Leveraging Information Consistency in Frequency and Spatial Domain for Adversarial Attacks

TL;DR

The paper addresses the susceptibility of deep neural networks to adversarial perturbations by proposing a frequency-spatial consistency framework (FSA) that aligns gradient information across both the spatial domain and the frequency domain via DCT/IDCT transforms. By computing and reconciling spatial and frequency gradients through a binary consistency mask, FSA directs perturbations to maximize misclassification under a budget while decoupling from model parameters. Empirical results across multiple white-box attacks show state-of-the-art improvements, with up to 28.98% relative gain and an average improvement of 5.23%, validating the efficacy of cross-domain consistency in adversarial generation. The work highlights the importance of considering multi-domain information when crafting adversarial examples and provides code for reproducibility.

Abstract

Adversarial examples are a key method to exploit deep neural networks. Using gradient information, such examples can be generated in an efficient way without altering the victim model. Recent frequency domain transformation has further enhanced the transferability of such adversarial examples, such as spectrum simulation attack. In this work, we investigate the effectiveness of frequency domain-based attacks, aligning with similar findings in the spatial domain. Furthermore, such consistency between the frequency and spatial domains provides insights into how gradient-based adversarial attacks induce perturbations across different domains, which is yet to be explored. Hence, we propose a simple, effective, and scalable gradient-based adversarial attack algorithm leveraging the information consistency in both frequency and spatial domains. We evaluate the algorithm for its effectiveness against different models. Extensive experiments demonstrate that our algorithm achieves state-of-the-art results compared to other gradient-based algorithms. Our code is available at: https://github.com/LMBTough/FSA.

Figures (6)

• Figure 1: Attack samples at different perturbation rates (EPS values). The first image, labeled 'espresso' by ResNet-50, is the original. The following images are adversarial examples generated with increasing EPS values, along with their incorrect predictions. The second row shows magnified regions of the images. As EPS increases, the noise becomes more noticeable, starting to be visible at EPS=3, and becoming increasingly pronounced with higher values.
• Figure 2: Schematic diagram of FSA (We first extract gradient information from both the spatial and frequency domains of the original image. The information is then combined through a consistency check, where only gradients with matching directions in both domains are considered valid. To facilitate this, we employ a mask to control the updating of dimensions in the image. This mask is integrated into the adversarial example update process, resulting in the intermediate image $\widetilde{x}_{t+1}$. Following this, the mask is inverted (denoted as $\neg m$) and applied to $\widetilde{x}_{t+1}$ for a subsequent attack iteration, yielding the final adversarial sample $x_{t+1}^*$. Finally, the gradient information verified for consistency is iterated into previous round of $x_t$ to obtain $x_{t+1}$.)
• Figure 3: Box plot of FSA compared to other methods for indicators
• Figure 4: Mean attack success rate improvement with different Epsilon values
• Figure 5: Mean attack success rate improvement with different Steps