Article
Peer-Review Record

ADSAttack: An Adversarial Attack Algorithm via Searching Adversarial Distribution in Latent Space

Electronics 2023, 12(4), 816; https://doi.org/10.3390/electronics12040816
by Haobo Wang 1, Chenxi Zhu 1, Yangjie Cao 1,*, Yan Zhuang 1, Jie Li 2 and Xianfu Chen 3
Reviewer 1:
Reviewer 2:
Reviewer 3: Anonymous
Submission received: 12 January 2023 / Revised: 1 February 2023 / Accepted: 1 February 2023 / Published: 6 February 2023
(This article belongs to the Special Issue Advanced Techniques in Computing and Security)

Round 1

Reviewer 1 Report

The paper needs to be updated with various literature in other domains. Some applications or usability in other fields will make the paper applicable to other scholars. Some are recommended here, including edge detection:

2019. Evaluation of classical operators and fuzzy logic algorithms for edge detection of panels at exterior cladding of buildings. Buildings, 9(2), p. 40.

2022. An overview of backdoor attacks against deep neural networks and possible defences. IEEE Open Journal of Signal Processing.

Please discuss the validity of Table 2.

At the end of section 4, discuss the contributions of the paper. This can be clear by comparing the findings with state-of-the-art and other publications in the field. 

Please insert a wider range of applications in other fields. Practical implications need to be discussed.

Please discuss technical limitations at the end of section 4 and provide a set of future directions based on limitations.

The conclusion section needs to be specific and should also discuss novelty and contributions with the value or impact of the outcomes.

How was the success rate of 98.01% validated?

Author Response

Responses to Reviewers’ Comments on the Paper:

ADSAttack: An Adversarial Attack Algorithm via Searching Adversarial Distribution in Latent Space

Haobo Wang, Chenxi Zhu, Yangjie Cao, Yan Zhuang, Jie Li and Xianfu Chen

We sincerely thank the editor and anonymous reviewers for their thorough reviews and constructive comments. The review comments are very helpful in further improving the quality of our paper. We have carefully revised the manuscript and addressed all the comments raised by the reviewers. Below are our point-to-point responses to the reviewers’ comments. The corresponding major changes to the original version of the paper (electronics-2187003) are highlighted in red color in the revised manuscript.

 

Response to Reviewer 

The authors would like to thank the reviewer for the valuable comments and constructive suggestions. Please kindly find beneath the detailed responses to the comments and the rationale for each modification to the manuscript as well.

 

Comment 1: The paper needs to be updated with various literature in other domains. Some applications or usability in other fields will make the paper applicable to other scholars. Some are recommended here, including edge detection:

  1. Evaluation of classical operators and fuzzy logic algorithms for edge detection of panels at exterior cladding of buildings. Buildings, 9(2), p.40.
  2. An overview of backdoor attacks against deep neural networks and possible defences. IEEE Open Journal of Signal Processing.

Response 1: We thank the reviewer for the helpful suggestion. We have added more references in the article at the appropriate places, which we hope will apply to a wider range of scholars. More specifically, we have added the following references.

[a] C. Liu, S. Shirowzhan, S. M. Sepasgozar, and A. Kaboli, “Evaluation of classical operators and fuzzy logic algorithms for edge detection of panels at exterior cladding of buildings,” Buildings, vol. 9, no. 2, p. 40, 2019.

[b] W. Guo, B. Tondi, and M. Barni, “An overview of backdoor attacks against deep neural networks and possible defences,” arXiv preprint arXiv:2111.08429, 2021.

[c] Y. Zhu, J. Sun, and Z. Li, “Rethinking adversarial transferability from a data distribution perspective,” in International Conference on Learning Representations, 2021.

[d] Z. Wang, H. Guo, Z. Zhang, W. Liu, Z. Qin, and K. Ren, “Feature importance-aware transferable adversarial attacks,” in Proceedings of the IEEE/CVF International Conference on Computer Vision, 2021, pp. 7639–7648.

[e] Z. Xiao, X. Gao, C. Fu, Y. Dong, W. Gao, X. Zhang, J. Zhou, and J. Zhu, “Improving transferability of adversarial patches on face recognition with generative models,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021, pp. 11845–11854.

[f] C. Xie, Z. Zhang, Y. Zhou, S. Bai, J. Wang, Z. Ren, and A. L. Yuille, “Improving transferability of adversarial examples with input diversity,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2019, pp. 2730–2739.

Comment 2: Please discuss the validity of Table 2.

Response 2: We would like to thank the reviewer for the comment. For the results in Table 2, it shows that when our attack method targets the black-box model structure, it also has some ability to attack. We have modified and marked up the manuscript in the corresponding section 4.4.

 

Comment 3: At the end of section 4, discuss the contributions of the paper. This can be clear by comparing the findings with state-of-the-art and other publications in the field. Please insert a wider range of applications in other fields. Practical implications need to be discussed. Please discuss technical limitations at the end of section 4 and provide a set of future directions based on limitations.

Response 3: We appreciate the reviewer for the valuable comment. We add to the broader application of the method and discuss its limitations, while providing an outlook on future research directions. In more detail, the attack method can also be applied to other domains, such as face recognition transfer-based attacks, where our attacks become more threatening when we learn enough information about the latent space of face recognition models. However, our ADSAttack is limited when there is less information about the available models. In future work, it is our endeavor to obtain higher transferability with more limited model information. At the end of section 4 of the manuscript, we have marked the changes.

 

Comment 4: The conclusion section needs to be specific and should also discuss novelty and contributions with the value or impact of the outcomes.

Response 4: We thank the reviewer for pointing this out. We have added more content in Section 5, including novelty and contribution, and the value or impact of the outcomes. More specifically, we propose the ADSAttack algorithm to operate adversarial attacks with higher transferability, less time consumption, and more imperceptible in visualization. We provide new ideas to fight against attacks from the perspective of biological vision. This poses a security challenge to the robustness of models in the field of artificial intelligence even more, and how to design more secure and robust models is a more worthy concern. The corresponding content in Section 5 is marked with a revision.

 

Comment 5: How was the success rate of 98.01% validated?

Response 5: We thank the reviewer for the careful reading. The attack success rate of 98.02% corresponds to the attack success rate in Table 1, and we averaged the attack success rates for the four (Resnet-50, VGG-16, GoogleNet, MobileNet-v2) models.

Once again, we would like to thank the reviewer for the constructive suggestions that helped improve the quality of this paper. We hope that we have been able to satisfactorily clarify all the points.

 


Reviewer 2 Report

The manuscript needs extensive revision before it can be published. 

In Section 1, the paragraph before the contribution part uses essentially the same sentences as in the contribution. Please revise. Also, grammar errors in Line 66 “which is alike the feature”. Line 42, GAN is not defined. Replace “networking” with “network” for the caption of Figure 1.

Section 2 Related Work is not sufficient. More elaborated descriptions are needed. In addition to extending the text, a table comparing the similarities and differences of major methods would be good, especially for GAN-based methods. Each of the subsections (2.1, 2.2 and 2.3) needs to be extended. Additional references are expected.

In section 3, the subsections are uneven. Section 3.3 and 3.4 do not contain sufficient materials to warrant a subsection. Also, key details are missing in these sections. Current paragraphs serve as the introductory paragraphs for the sections. Disclosure and discussion of details are expected.

For Figure 3, the authors claim that the R channel should have the most distortion. However, it seems that the G channel has more visible noise. Please explain.

Please remove Section 4.1.2 Metric heading, and combine the text with other sections. Also, the format of the section is not acceptable. The key words should be listed with “:” and the text should start with a new sentence explaining the key word. Also, it should be elaborated to a short paragraph each to include important information beyond the definition.

In Section 4.3, again, 4.3.2 is too short to have a standalone subsection. Please either combine or elaborate.

The references should start with [1] in the order of citation. Right now, it starts with [29] and [30]. For all citations, there should be a space between the word and the citation (before and after). Please modify throughout.

The manuscript needs extensive revision for grammar related issues. There are sentences starting with lower case, and missing “the” everywhere. Use either “the” or the plural form of the word.

Some description needs modification. For example, in Line 187, “shows different differences for different colors”.

Line 360, “table 4” should be “Table 4”. In addition, the explanation of the table needs to be improved.

Author Response


Response to Reviewer

I am very sorry, there may have been a problem with the system. Your review comments were not shown on my system at that time. After the editorial notice, I made a lot of changes according to your comments very carefully, and your valuable comments helped my article a lot.

The authors would like to thank the reviewer for the valuable comments and constructive suggestions. Please kindly find beneath the detailed responses to the comments and the rationale for each modification to the manuscript as well.

 

Comment 1: In Section 1, the paragraph before the contribution part uses essentially the same sentences as in the contribution. Please revise. Also, grammar errors in Line 66 “which is alike the feature”. Line 42, GAN is not defined. Replace “networking” with “network” for the caption of Figure 1.

Response 1: We thank the reviewer for the helpful suggestion. We have read through the entire text and corrected some issues that had grammatical errors. Added a definition of GAN. We have revised a great deal of content, the details of which we have marked in the text.

 

Comment 2: Section 2 Related Work is not sufficient. More elaborated descriptions are needed. In addition to extending the text, a table comparing the similarities and differences of major methods would be good, especially for GAN-based methods. Each of the subsections (2.1, 2.2 and 2.3) needs to be extended. Additional references are expected.

Response 2: We appreciate the reviewer for the valuable comment. We have added the focus of our study and how it differs from other work in Section II related work, with the modified parts marked in red. Moreover, we have added more references as follows:

[a] C. Liu, S. Shirowzhan, S. M. Sepasgozar, and A. Kaboli, “Evaluation of classical operators and fuzzy logic algorithms for edge detection of panels at exterior cladding of buildings,” Buildings, vol. 9, no. 2, p. 40, 2019.

[b] W. Guo, B. Tondi, and M. Barni, “An overview of backdoor attacks against deep neural networks and possible defences,” arXiv preprint arXiv:2111.08429, 2021.

[c] Y. Zhu, J. Sun, and Z. Li, “Rethinking adversarial transferability from a data distribution perspective,” in International Conference on Learning Representations, 2021.

[d] Z. Wang, H. Guo, Z. Zhang, W. Liu, Z. Qin, and K. Ren, “Feature importance-aware transferable adversarial attacks,” in Proceedings of the IEEE/CVF International Conference on Computer Vision, 2021, pp. 7639–7648.

[e] Z. Xiao, X. Gao, C. Fu, Y. Dong, W. Gao, X. Zhang, J. Zhou, and J. Zhu, “Improving transferability of adversarial patches on face recognition with generative models,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021, pp. 11845–11854.

[f] C. Xie, Z. Zhang, Y. Zhou, S. Bai, J. Wang, Z. Ren, and A. L. Yuille, “Improving transferability of adversarial examples with input diversity,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2019, pp. 2730–2739.

 

Comment 3: In section 3, the subsections are uneven. Section 3.3 and 3.4 do not contain sufficient materials to warrant a subsection. Also, key details are missing in these sections. Current paragraphs serve as the introductory paragraphs for the sections. Disclosure and discussion of details are expected. 

Response 3: We appreciate the reviewer for the valuable comment. The adversarial distribution search network algorithm borrows directly from the traditional self-encoder structure in the hidden space feature search network structure. It is characterized by the hourglass type design of dimensionality reduction followed by dimensionality increase, which can better extract the important features of the image itself. In conventional applications, it is desired that the output is the same as the input, when the low-dimensional important information in the middle layer represents the key features of the image, and the process of extracting this information is equivalent to the feature extraction process. We have added more detailed descriptions in sections 3.3 and 3.4.

 

Comment 4: For Figure 3, the authors claim that the R channel should have the most distortion. However, it seems that the G channel has more visible noise. Please explain.

Response 4: We are very sorry about this and thank you for pointing out the problem. We have double-checked our experiments and re-looked at the results. We found that it was an oversight on our part to confuse the data of the R and G channels when selecting the data, and we have corrected this display error in the manuscript. Thank you again for pointing this out.

 

Comment 5: Please remove Section 4.1.2 Metric heading, and combine the text with other sections. Also, the format of the section is not acceptable. The key words should be listed with “:” and the text should start with a new sentence explaining the key word. Also, it should be elaborated to a short paragraph each to include important information beyond the definition.

Response 5: Thank you very much for your comments. We have removed the title of section 4.1.2 and merged it with the previous section, and corrected grammatical errors and expression problems. It is marked in the corresponding section 4.1.

 

Comment 6: In Section 4.3, again, 4.3.2 is too short to have a standalone subsection. Please either combine or elaborate.

Response 6: We appreciate you pointing this out. We have merged 4.3.2 with the previous section and the overall paragraphs have been more appropriately assigned. The specific changes are marked in section 4.3.

 

Comment 7: The references should start with [1] in the order of citation. Right now, it starts with [29] and [30]. For all citations, there should be a space between the word and the citation (before and after). Please modify throughout.

Response 7: We thank the reviewer for pointing this out. We checked and corrected the order of the citations in the text.

 

Comment 8: The manuscript needs extensive revision for grammar related issues. There are sentences starting with lower case, and missing “the” everywhere. Use either “the” or the plural form of the word.

Response 8: We thank the reviewer for pointing this out. We read through and checked the entire article and made changes to these issues.

 

Comment 9: Some description needs modification. For example, in Line 187, “shows different differences for different colors”.

Response 9: We are very grateful to you for pointing out this description problem. We have made changes to the description here. We analyze biological characteristics of human eyes, and find that those are differently sensitive to different colors. It is marked in the corresponding section 3.1.

 

Comment 10: Line 360, “table 4” should be “Table 4”. In addition, the explanation of the table needs to be improved.

Response 10: We appreciate the reviewer for the valuable comment. We added more descriptions. ADSAttack has some attack capability against completely black-boxed structures, which also indicates a broader use. The comparison results in table~\ref{comp_transfer} also emphasize the excellent portability of ADSAttack. It is marked in section 4.4.

 

 


Reviewer 3 Report

In this paper, the authors suggested ADSAttack algorithm to operate adversarial attacks with higher transferability, less time consumption, and more imperceptible in visualization. Some suggestions and remarks are required to be addressed to improve the paper's quality:

1) The article should undergo extensive English revisions since there are many mistakes in many phrases in terms of English.

Examples:

Lines 46-47  “ examples. using the learned knowledge, the GAN is able to directly use the network to obtain the output of the adversarial examples, thus skipping the time-consuming iterative process[8][4][3]. “

Lines 53-58 “ Our work proposes a special hidden-space noise addition method from the perspective of visual effects, which is different from the unusual pixel-level restriction criterion, but using the visual influence factors of the naked eye and based on the edge detection algorithm as well as the biological characteristics of the human eye.

Line 100, 2.1. Improvement of Transferabilty (should be Transferability)

Lines 127-128, Shamsabadi et al.[1] and Bhattad et al. [12] within unrestricted perturbation,

Line 173, convergence. the main role of the generator of AdvGAN is to prompt the DNN classifier to make errors …..

2) The citations should be started 1, 2, … Please check and correct order of the citations in the text.

For example, the first paragraph started with [29][30]

“ Deep neural network (DNN) models have been widely applied for advanced works such as autonomous driving[29] and medical diagnosis[30]. However, DNN models are not secure, and when they are disturbed by adversarial attacks from high-dimensional distributions [11], they reveal many security problems, such as erroneous recognition results of the models. These adversarial examples are intentionally designed and make the model wrong, which also shows that the DNN model is not completely reliable [9]. Therefore it is of great interest to study adversarial attacks, which can be of great help in improving the robustness of the model”

 

3) In Section 2. Related Work, the Literature review is inadequate. It is important that the authors discuss (not only describe) more previous works. Furthermore, the authors should explain how different the proposed work about the previous works mentioned in this section.

4) In Section 3. Attack Methodology, I suggest an explanation of the proposed method using pseudo code or flowchart to clarify the proposed method.

5) In Section 4.3.1. Algorithm Efficiency, lines 305-307, the authors wrote “We can find from Table 1 that ADSAttack has a higher success rate of attacks in the comparison results in the table”. If you refer to Table 1, you will find the proposed ADSAttack did not perform the best success rate, particularly the proposed ADSAttack with GoogleNet. Thus, it is important to discuss and write the appropriate justifications for the results in Table 1.

6) In general, the results need more discussion.

7) The authors should put the tables and figures after the explanation immediately, at least in the same section; otherwise, it is difficult for the reader to understand and track the positions of the tables and figures.

8) It is important that the authors discuss the limitations of the proposed method in Section 5. Conclusion

Author Response


 

Response to Reviewer

The authors would like to thank the reviewer for the valuable comments and constructive suggestions. Please kindly find beneath the detailed responses to the comments and the rationale for each modification to the manuscript as well.

 

Comment 1: The article should undergo extensive English revisions since there are many mistakes in many phrases in terms of English.

Response 1: We thank the reviewer for the helpful suggestion. We have read through the entire text and corrected some issues that had grammatical errors.

 

Comment 2: The citations should be started 1, 2, … Please check and correct order of the citations in the text.

Response 2: We thank the reviewer for pointing this out. We checked and corrected the order of the citations in the text.

 

Comment 3: In Section 2. Related Work, the Literature review is inadequate. It is important that the authors discuss (not only describe) more previous works. Furthermore, the authors should explain how different the proposed work about the previous works mentioned in this section.

Response 3: We appreciate the reviewer for the valuable comment. We have added the focus of our study and how it differs from other work in Section II related work, with the modified parts marked in red. Moreover, we have added more references as follows:

[a] C. Liu, S. Shirowzhan, S. M. Sepasgozar, and A. Kaboli, “Evaluation of classical operators and fuzzy logic algorithms for edge detection of panels at exterior cladding of buildings,” Buildings, vol. 9, no. 2, p. 40, 2019.

[b] W. Guo, B. Tondi, and M. Barni, “An overview of backdoor attacks against deep neural networks and possible defences,” arXiv preprint arXiv:2111.08429, 2021.

[c] Y. Zhu, J. Sun, and Z. Li, “Rethinking adversarial transferability from a data distribution perspective,” in International Conference on Learning Representations, 2021.

[d] Z. Wang, H. Guo, Z. Zhang, W. Liu, Z. Qin, and K. Ren, “Feature importance-aware transferable adversarial attacks,” in Proceedings of the IEEE/CVF International Conference on Computer Vision, 2021, pp. 7639–7648.

[e] Z. Xiao, X. Gao, C. Fu, Y. Dong, W. Gao, X. Zhang, J. Zhou, and J. Zhu, “Improving transferability of adversarial patches on face recognition with generative models,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021, pp. 11845–11854.

[f] C. Xie, Z. Zhang, Y. Zhou, S. Bai, J. Wang, Z. Ren, and A. L. Yuille, “Improving transferability of adversarial examples with input diversity,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2019, pp. 2730–2739.

 

Comment 4: In Section 3. Attack Methodology, I suggest an explanation of the proposed method using pseudo code or flowchart to clarify the proposed method.

Response 4: We appreciate the reviewer for the valuable comment. We added the pseudo-code section in section 3.2.

 

Comment 5: In Section 4.3.1. Algorithm Efficiency, lines 305-307, the authors wrote “We can find from Table 1 that ADSAttack has a higher success rate of attacks in the comparison results in the table”. If you refer to Table 1, you will find the proposed ADSAttack did not perform the best success rate, particularly the proposed ADSAttack with GoogleNet. Thus, it is important to discuss and write the appropriate justifications for the results in Table 1.

Response 5: We are grateful to the reviewers for pointing this out and apologize for our mistake, and here we would like to express that ADSAttack has a faster generation rate while achieving a better balance between visual effect and attack success rate. More specifically, we set 1000 examples as a batch and compare the time taken by different algorithms to generate that batch. From Table 1 we can find that the success rate of the ADSAttack attack reaches a better level in the comparison results in the table, with an average attack rate of 98.01% against the four models, and is more advantageous in terms of time consumption, spending less time compared to the other algorithms. In the corresponding section 4.3.1 we have marked the changes.

 

Comment 6: In general, the results need more discussion.

Response 6: We appreciate the reviewer for the valuable comment. We add to the broader application of the method and discuss its limitations, while providing an outlook on future research directions. In more detail, the attack method can also be applied to other domains, such as face recognition transfer-based attacks, where our attacks become more threatening when we learn enough information about the latent space of face recognition models. However, our ADSAttack is limited when there is less information about the available models. In future work, it is our endeavor to obtain higher transferability with more limited model information. At the end of section 4 of the manuscript, we have marked the changes.

 

Comment 7: The authors should put the tables and figures after the explanation immediately, at least in the same section; otherwise, it is difficult for the reader to understand and track the positions of the tables and figures.

Response 7: We thank the reviewer for the careful reading. We have made some adjustments to address this issue, and we have placed them in the same section or closer to each other as much as possible, but due to formatting and layout issues, we cannot be particularly perfect, and we apologize for this.

 

Comment 8: It is important that the authors discuss the limitations of the proposed method in Section 5. Conclusion

Response 8: We appreciate the reviewer for the valuable comment. The adversarial examples we generate using these generic adversarial features have high transferability. However, the transferability of ADSAttack is also somewhat limited when the available model information is limited. We add to the limitations of the method at the end of Section 4 as well as in the conclusion of Section 5.

 

Once again, we would like to thank the reviewer for the constructive suggestions that helped improve the quality of this paper. We hope that we have been able to satisfactorily clarify all the points.

 


Reviewer 4 Report

· The language usage throughout this paper needs to be improved, the author should do some proofreading on it. Give the article a mild language revision to get rid of few complex sentences that hinder readability and eradicate typo errors.

· Overall, the basic background is not introduced well, where the notations are not illustrated much clear. I recommend the authors to employ certain intuitive examples to elaborate the essential notations.

· The abstract can be rewritten to be more meaningful. The authors should add more details about their final results in the abstract. Abstract should clarify what is exactly proposed (the technical contribution) and how the proposed approach is validated.

The authors should consider more recent research done in the field of their study (especially in the years 2021 and 2022 onwards).

· The novelty of this paper is not clear. The difference between present work and previous works should be highlighted.

· The major trends of the simulation should be noted using bullet points.

· Comparison with recent study and methods would be appreciated.

· Experimental results are not clear. What are the parameters used in the proposed system and how their values are set? Also, how the parameter values can affect the proposed system? Sections like Experimentation have to be extended and improved thus providing a more convincing contribution to the paper.

· The authors provided details about the implementation setup and working environment. However, some training info should also be given in experimental section. How long does the proposed approach take to learn parameter? These details are missing and must be added to keep the paper standalone.

The authors must correlate it with other current Technologies, such as: IoT (communications, networks, Cloud, …), in terms of latency I guess that this field is quite sensitive to the delays required to process data, which should call for new investigations around the tradeoff between learning cost and performance (e.g. Deep Learning is costly, yet attains good predictive scores… should we opt for weak learners over good features? Or complex learners over raw data? Or a mixture of both of them, e.g. learned features off-line + weak learners on-line? Should data be sent to the cloud? Be preprocessed at the edge?). This issue is also very trendy at the communications level. 

Author Response


 

Response to Reviewer 3

The authors would like to thank the reviewer for the valuable comments and constructive suggestions. Please kindly find beneath the detailed responses to the comments and the rationale for each modification to the manuscript as well.

 

Comment 1: The language usage throughout this paper needs to be improved; the author should do some proofreading on it. Give the article a mild language revision to get rid of a few complex sentences that hinder readability and eradicate typo errors.

Response 1: We thank the reviewer for the helpful suggestion. We read through the article and revised the language, removing some complex sentences that hindered readability and addressing some grammatical errors.

 

Comment 2: Overall, the basic background is not introduced well, where the notations are not illustrated very clearly. I recommend the authors to employ certain intuitive examples to elaborate the essential notations.

Response 2: We thank the reviewer for pointing this out. We apologize that our description of this may have caused a misunderstanding. More specifically, our description of the symbols in question is marked in section 3.2.

 

Comment 3: The abstract can be rewritten to be more meaningful. The authors should add more details about their final results in the abstract. Abstract should clarify what is exactly proposed (the technical contribution) and how the proposed approach is validated.

Response 3: We appreciate the reviewer for the valuable comment. In this work, we propose an effective Adversarial Distribution Searching-driven Attack (ADSAttack) algorithm to generate adversarial examples against deep neural networks. ADSAttack introduces an affiliated network to search for potential distributions in image latent space for synthesising adversarial examples. Besides, ADSAttack uses an edge detection algorithm to locate low-level features' mapping in input space to sketch the minimum effective disturbed area. Experimental results demonstrate that ADSAttack achieves higher transferability, better imperceptible visualization, and faster generation speed compared to traditional algorithms. To generate 1000 adversarial examples, ADSAttack takes 11.08s and achieves a success rate of 98.01% on average. We have further revised and refined the abstract.

 

Comment 4: The authors should consider more recent research done in the field of their study (especially in the years 2021 and 2022 onwards). The novelty of this paper is not clear. The difference between present work and previous works should be highlighted.
Response 4: We appreciate the reviewer for the valuable comment. We have added the focus of our study and how it differs from other work in Section II related work, with the modified parts marked in red. Moreover, we have added more references as follows:

[a] C. Liu, S. Shirowzhan, S. M. Sepasgozar, and A. Kaboli, “Evaluation of classical operators and fuzzy logic algorithms for edge detection of panels at exterior cladding of buildings,” Buildings, vol. 9, no. 2, p. 40, 2019.

[b] W. Guo, B. Tondi, and M. Barni, “An overview of backdoor attacks against deep neural networks and possible defences,” arXiv preprint arXiv:2111.08429, 2021.

[c] Y. Zhu, J. Sun, and Z. Li, “Rethinking adversarial transferability from a data distribution perspective,” in International Conference on Learning Representations, 2021.

[d] Z. Wang, H. Guo, Z. Zhang, W. Liu, Z. Qin, and K. Ren, “Feature importance-aware transferable adversarial attacks,” in Proceedings of the IEEE/CVF International Conference on Computer Vision, 2021, pp. 7639–7648.

[e] Z. Xiao, X. Gao, C. Fu, Y. Dong, W. Gao, X. Zhang, J. Zhou, and J. Zhu, “Improving transferability of adversarial patches on face recognition with generative models,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021, pp. 11845–11854.

[f] C. Xie, Z. Zhang, Y. Zhou, S. Bai, J. Wang, Z. Ren, and A. L. Yuille, “Improving transferability of adversarial examples with input diversity,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2019, pp. 2730–2739.

 

Comment 5: The major trends of the simulation should be noted using bullet points.
Response 5: We appreciate the reviewer for the valuable comment. We added the pseudo-code section in section 3.2.

 

Comment 6: Comparison with recent study and methods would be appreciated.
Response 6: We thank the reviewer for the careful reading. The adversarial attack algorithms for visual orientation that we compare in our paper are relatively new in the field at present. Subsequently, we will continue to enhance the research on transferability and continue to improve the performance of the algorithms based on this paper.

 

Comment 7: Experimental results are not clear. What are the parameters used in the proposed system and how their values are set? Also, how the parameter values can affect the proposed system? Sections like Experimentation have to be extended and improved thus providing a more convincing contribution to the paper.
Response 7: We thank the reviewer for the careful reading. For the specific setup of the system, we indicate the evaluation metrics in Section 4.1.2. Then, we discuss the selection of parameters in more detail in Section 4.2. For the specifics, we have highlighted them in the manuscript.

 

Comment 8: The authors provided details about the implementation setup and working environment. However, some training info should also be given in experimental section. How long does the proposed approach take to learn parameter? These details are missing and must be added to keep the paper standalone.
Response 8: We appreciate the reviewer for the valuable comment. For the training information, since the amount of data is different for different tasks, we show it in the form of comparison experiments. Compared with the traditional training of GAN, as shown in Fig. 6, we converge faster on the same batch size dataset. We marked it in the corresponding section 4.3.1.

 

Comment 9: The authors must correlate it with other current technologies, such as: IoT (communications, networks, Cloud, …), in terms of latency I guess that this field is quite sensitive to the delays required to process data, which should call for new investigations around the tradeoff between learning cost and performance (e.g. Deep Learning is costly, yet attains good predictive scores… should we opt for weak learners over good features? Or complex learners over raw data? Or a mixture of both of them, e.g. learned features off-line + weak learners on-line? Should data be sent to the cloud? Be preprocessed at the edge?). This issue is also very trendy at the communications level.
Response 9: We appreciate the reviewer for the valuable comment. We add to the broader application of the method and discuss its limitations, while providing an outlook on future research directions. In more detail, the attack method can also be applied to other domains, such as face recognition transfer-based attacks, where our attacks become more threatening when we learn enough information about the latent space of face recognition models. However, our ADSAttack is limited when there is less information about the available models. In future work, it is our endeavor to obtain higher transferability with more limited model information. At the end of section 4 of the manuscript, we have marked the changes. Besides, the IoT issues you mentioned have given us valuable guidance. We will conduct more related studies.

 

 Once again, we would like to thank the reviewer for the constructive suggestions that helped improve the quality of this paper. We hope that we have been able to satisfactorily clarify all the points.

 

Author Response File: Author Response.pdf

Round 2

Reviewer 2 Report

I don't think the authors addressed most of my concerns. There is no response letter either. 

Author Response

I am very sorry, there may have been a problem with the system. Your review comments were not shown on my system at that time. After the editorial notice, I made a lot of changes according to your comments very carefully, and your valuable comments helped my article a lot.

I have submitted my revised manuscript, as well as a response to your valuable comments.

Author Response File: Author Response.pdf

Reviewer 3 Report

The authors addressed all the comments effectively 

Author Response

We sincerely thank you for your review of the manuscript. The manuscript has been improved following your comments and suggestions.

Reviewer 4 Report

The authors have considered all my recommendations

Author Response

We sincerely thank you for your review of the manuscript. The manuscript has been improved following your comments and suggestions.

Round 3

Reviewer 2 Report

Please fix spacing in line 144. Why was figure 6 discussed before figure 5? Also, figure 5 is too far from where it was cited.

Otherwise, the revision was satisfactory. Please carefully proofread the final version.

Author Response

We thank the reviewer for the careful reading.

We have modified the spacing issue. We have adjusted the position of Figures 5 and 6. Also, we have adjusted the figure position to be closer to the cited position.

We sincerely thank you for your review of the manuscript. The manuscript has been improved following your comments and suggestions.

Author Response File: Author Response.pdf
