NODE-AdvGAN: Improving the transferability and perceptual similarity of adversarial examples by dynamic-system-driven adversarial generative model

Xinheng Xie, Yue Wu, Cuiyu He

TL;DR

The paper tackles the challenge of creating adversarial examples that are both highly transferable and perceptually similar to the original images. It introduces NODE-AdvGAN, which models adversarial perturbation generation as a continuous-time dynamical process using a Neural Ordinary Differential Equation based generator, and NODE-AdvGAN-T, a training strategy that dynamically tunes the perturbation budget to boost transferability while keeping evaluation budgets fixed. Empirical results on FMNIST and CIFAR-10 demonstrate that NODE-AdvGAN and especially NODE-AdvGAN-T achieve higher attack success rates and preserve image quality relative to gradient-based methods and the original AdvGAN, in both white-box and black-box transfer settings. The work suggests that combining continuous-time dynamics with targeted noise-tuning can significantly improve adversarial robustness research, with potential applications in defense training, model evaluation, and further integration with diffusion-inspired generators.

Abstract

Understanding adversarial examples is crucial for improving model robustness, as they introduce imperceptible perturbations to deceive models. Effective adversarial examples, therefore, offer the potential to train more robust models by eliminating model singularities. We propose NODE-AdvGAN, a novel approach that treats adversarial generation as a continuous process and employs a Neural Ordinary Differential Equation (NODE) to simulate generator dynamics. By mimicking the iterative nature of traditional gradient-based methods, NODE-AdvGAN generates smoother and more precise perturbations that preserve high perceptual similarity when added to benign images. We also propose a new training strategy, NODE-AdvGAN-T, which enhances transferability in black-box attacks by tuning the noise parameters during training. Experiments demonstrate that NODE-AdvGAN and NODE-AdvGAN-T generate more effective adversarial examples that achieve higher attack success rates while preserving better perceptual quality than baseline models.

Paper Structure

This paper contains 21 sections, 10 equations, 6 figures, 9 tables, 1 algorithm.

Figures (6)

  • Figure 1: An example of a benign image (left) and its adversarial counterpart (right).
  • Figure 2: Architecture of the NODE-AdvGAN.
  • Figure 3: Heatmap of ASR, SSIM, and their average for different configurations of $\alpha$ and $\beta$.
  • Figure 4: ASR (Blue) and PSNR (Red) for various $N$ values in NODE-AdvGAN model compared to baseline AdvGAN.
  • Figure 5: Transfer ASR (left) and PSNR (right) for AdvGAN (top) and NODE-AdvGAN-T (bottom) models across different $\epsilon_\text{train}$ ($\times 255$). All experiments evaluated at $\epsilon=15/255$.
  • ...and 1 more figures