A Perceptual Distortion Reduction Framework: Toward Generating Adversarial Examples With High Perceptual Quality and Attack Success Rate

Most of the transfer-based adversarial attack methods suffer from large perceptual distortions, i.e., visible artifacts, when the attack success rate is relatively high. It is worth noting that these distortions usually contain a large portion which contributes less to the attack success rate. This portion of distortions, which is induced by unnecessary modifications and lack of proper perceptual distortion constraint, is our target. In this article, we propose a perceptual distortion reduction framework to achieve high attack success rates and good perceptual qualities, by explicitly modeling the tradeoff between perceptual quality and attack success rate. Specifically, we propose a perceptual distortion constraint to constrain the generated adversarial example to comply with human perceptions. Second, by considering the discrepancy among different samples, we propose an adaptive penalty factor λ to automatically assign necessary importance to the perceptual distortion constraint and guarantee a certain attack success rate. Third, since the proposed optimization formulation is a complex non-convex problem, the commonly used momentum optimization technique cannot be directly applied because they cannot converge decently, as proved in the experiments. Therefore, we exploit the second moment of gradient to achieve an effective and efficient convergence. Extensive experiments have verified the superiority of our proposed work.