Boosting Adversarial Attacks with Nadam Optimizer

Abstract

Deep neural networks are extremely vulnerable to attacks and threats from adversarial examples. These adversarial examples deliberately crafted by attackers can easily fool classification models by adding imperceptibly tiny perturbations on clean images. This brings a great challenge to image security for deep learning. Therefore, studying and designing attack algorithms for generating adversarial examples is essential for building robust models. Moreover, adversarial examples are transferable in that they can mislead multiple different classifiers across models. This makes black-box attacks feasible for practical applications. However, most attack methods have low success rates and weak transferability against black-box models. This is because they often overfit the model during the production of adversarial examples. To address this issue, we propose a Nadam iterative fast gradient method (NAI-FGM), which combines an improved Nadam optimizer with gradient-based iterative attacks. Specifically, we introduce the look-ahead momentum vector and the adaptive learning rate component based on the Momentum Iterative Fast Gradient Sign Method (MI-FGSM). The look-ahead momentum vector is dedicated to making the loss function converge faster and get rid of the poor local maximum. Additionally, the adaptive learning rate component is used to help the adversarial example to converge to a better extreme point by obtaining adaptive update directions according to the current parameters. Furthermore, we also carry out different input transformations to further enhance the attack performance before using NAI-FGM for attack. Finally, we consider attacking the ensemble model. Extensive experiments show that the NAI-FGM has stronger transferability and black-box attack capability than advanced momentum-based iterative attacks. In particular, when using the adversarial examples produced by way of ensemble attack to test the adversarially trained models, the NAI-FGM improves the success rate by 8% to 11% over the other attack methods. Last but not least, the NAI-DI-TI-SI-FGM combined with the input transformation achieves a success rate of 91.3% on average.

1. Introduction

Currently, deep learning as the core technology of artificial intelligence is widely applied in various scenarios in life. In particular, deep neural networks (DNNs) show strong advantages in improving the performance of various visual tasks, including image classification [1,2], natural language processing [3], autonomous driving [4] and medical diagnosis [5], and in some areas, even surpass human processing power. However, DNNs show great vulnerability to threats and attacks from adversarial examples [6]. These adversarial examples deliberately crafted by attackers can make the network model misclassify by adding imperceptibly tiny perturbations on clean images. This brings a great challenge to image security for deep learning. Therefore, studying and designing attack algorithms for generating adversarial examples is essential for building robust models. It can also help us to better test and evaluate the security of these models [7,8,9].

We can classify the attack methods into white-box and black-box attacks based on whether all relevant information of the model can be successfully accessed during the attack. In the white-box situation, the attacker has a sufficient amount of details of the target model. In contrast, in the black-box situation, the attacker only obtains the inputs and outputs to the model. Gradient-based attacks [8,10,11] are extensively used in white-box situations due to their simplicity and speed. This method produces perturbations in the gradient direction of the image about the loss function by maximizing the loss.

In real-world scenarios, attackers are often faced with black-box situations where they cannot access the details of the model. As a result, black-box attacks are often more challenging to implement, but more practical. The most commonly used black-box attacks are transfer-based methods [12,13,14,15,16,17,18,19,20], with the idea that the adversarial examples produced in a certain model setting may also be adversarial for other models. Liu et al. [21] refer to this property of adversarial examples as transferability. Therefore, we can take full advantage of the transferability property to perform black-box attacks.

To this end, different kinds of strategies have been proposed to boost transfer-based attacks. On the one hand, some works focused on better optimization algorithms for gradient computation [13,14,15,16]. On the other hand, other works concentrate on input transformations to perform data augmentation [17,18]. In addition, Dong et al. [13] considered simultaneously attacking ensembles of models to perform model augmentation, while Lin et al. [14] proposed to derive multiple models from the source model for model augmentation. In this paper, we focus on a better optimization algorithm.

However, there are still some problems with the current study. (1) Most of the attacks are less effective and have lower success rates in the black-box situation. (2) The adversarial examples produced by transfer-based attacks normally overfit the training model easily, and usually fall into a poor local extremum. This leads to weaker transferability.

In order to better optimize and solve the above issues, we propose the Nadam Iterative Fast Gradient Method (NAI-FGM), which combines an improved Nadam optimizer with gradient-based iterative attacks. Specifically, we introduce the look-ahead momentum vector and the adaptive learning rate component based on the Momentum Iterative Fast Gradient Sign Method (MI-FGSM) [13]. The look-ahead momentum vector is dedicated to making the loss function converge faster and get rid of the poor local maximum. Additionally, the adaptive learning rate component is used to help the adversarial example to converge to a better extreme point by obtaining adaptive update directions according to the current parameters. We validate the NAI-FGM through a large number of experiments and compare it with advanced attacks. Experimental results show that the NAI-FGM has stronger transferability and black-box attack capability than advanced attacks. The adversarial examples produced by several momentum-based iterative attacks are shown in Figure 1.

The contributions of this paper are as follows:

• Inspired by the idea of the Nesterov-accelerated Adaptive Moment Estimation (Nadam) [22] optimization algorithm, we apply the modified Nadam optimizer for adversarial example generation in each iteration. Based on the MI-FGSM, the look-ahead momentum vector and adaptive learning rate component are introduced. The proposed method can update the direction adaptively according to the current gradient information, optimize the convergence process, and enhance gradient-based adversarial attack transferability.
• We further improve the attack transferability by naturally combining advanced data augmentation methods with the proposed NAI-FGM.
• We apply the strategy of ensemble attack to NAI-FGM to produce higher success rates of the black-box attack.

Figure 1. Raw images and adversarial examples after attack by MI-FGSM [13], NI-FGSM [14], and the proposed NAI-FGM on Inc-v3 [23].

Figure 1. Raw images and adversarial examples after attack by MI-FGSM [13], NI-FGSM [14], and the proposed NAI-FGM on Inc-v3 [23].

2. Related Work

2.1. Adversarial Attacks

Existing attack methods can be broadly classified into white-box attacks and black-box attacks. Figure 2 briefly depicts the principles and differences between the various kinds of attacks. White-box attacks are further subdivided into gradient-based attacks [8,10,11] and optimization-based attacks [6,7]. Optimization-based attacks can produce visually better adversarial examples than gradient-based attacks, but they can also consume greater time costs. Black-box attacks can also be further classified into transfer-based attacks [12,13,14,15,16,17,18,19], score-based attacks [24,25], and decision-based attacks [26]. In contrast to transfer-based attacks, both score-based and decision-based attacks involve massive accesses and queries to the neural network, which is harder to implement in practical scenarios. Therefore, we focus our research around transfer-based attacks. Transfer-based attacks usually occur in two steps. First, a white-box attack is employed under an alternative model to generate adversarial examples. Afterwards, these examples are transferred to the target model for the attack. This white-box attack is typically referred to as gradient-based attacks, as they are relatively efficient and easy to implement. Here, we mainly review the work related to transfer-based attacks.

Dong et al. [13] applied the momentum idea to the Iterative Fast Gradient Sign Method (I-FGSM) [11]. Additionally, they also considered simultaneous attacks on multiple models to enhance attack performance. Lin et al. [14] proposed the Nesterov Iterative Fast Gradient Sign Method (NI-FGSM), which combined Nesterov’s accelerated gradient with I-FGSM. The Diverse Input Method (DIM) [17] resizes and pads the input images with a certain probability of transformation. The Translation-Invariant Method (TIM) [18] adopts a translation operation for the input image. The Scale-Invariant Method (SIM) [14] applies a set of scaling transformations to the image. Yin et al. [16] proposed the Adam Iterative Fast Gradient Method (AI-FGM), which uses the Adam optimizer [27] to optimize the gradient calculation. Wu et al. [20] proposed the Adversarial Transformation-Enhanced Transfer Attack (ATTA), which uses blurring and coloring transformations on input images and trains an adversarial transformation network to produce adversarial examples. Wang et al. [15] optimize the adversarial perturbation by variance adjustment strategy. Wang et al. [28] proposed a spatial momentum attack to accumulate the contextual gradients of different regions within the image. Huang et al. [12] superimpose feature information with variances on the images before iterative attacks. Additionally, double sampling variance aggregation is used to optimize the image gradient. Wang et al. [19] designed an affiliated network to capture the potential spatial information of images. Additionally, an edge detection algorithm was combined to find out the minimum effective perturbation region.

However, the transferability of the adversarial examples generated by most existing transfer-based attacks remains poor. The underlying reason is that these adversarial examples tend to overfit the alternative models and usually fall into poor local optima during the generation process. For this reason, we apply a better optimizer to the generation algorithm of adversarial examples. The gradient direction is more rationally computed and optimized so that the adversarial examples converge to a better local optimum during the generation process. The final effect of mitigating the overfitting phenomenon of the adversarial examples and improving the transferability of the attacks is achieved.

2.2. Adversarial Defenses

To improve the robustness of DNNs, several advanced defense methods have been proposed. We can roughly summarize these methods into three categories.

Adversarial Training: Adversarial training is widely regarded by academia as the most powerful defense strategy against attacks. This method trains clean examples and adversarial examples in the same model [6,8,10,29]. Tram’er et al. [9] involved adversarial examples from multiple other models in the local model for training, in terms of augmenting the training dataset. This is referred to as ensemble adversarial training.

Input Preprocessing: Input preprocessing aims to alleviate the impact of perturbations on the model by transforming the inputs. Xie et al. [30] used two randomization operations, that is, random resizing of the image and random padding around the image. Guo et al. [31] adopted conversion techniques, such as total variance minimization and image stitching for input images. Liu et al. [32] developed a compression framework of JPEG to improve defense efficiency and reduce marginal accuracy.

Adversarial Examples Detection: Adversarial examples detection includes inconsistency judgments by differences between adversarial examples and normal examples or training additional detectors to detect adversarial examples. Xu et al. [33] adopted a feature compression strategy that combines images corresponding to different feature vectors into one sample, reducing the attacker’s search space. Pang et al. [34] used a minimization reverse cross-entropy and threshold strategy as a detector for adversarial examples. Ma et al. [35] designed a technique to extract the invariants of DNNs to detect adversarial examples by analyzing the internal structure of DNNs under different attacks.

3. Methodology

Let x denote a clean example, and y denote its real label. Additionally, f denotes a trained deep neural network classifier that correctly classifies x as y. The attacker generates the adversarial example $x^{adv}=x+\delta$ by adding perturbation $\delta$ to x, thus causing f to misclassify. The perturbation $\delta$ is obtained in most cases by maximizing the cross-entropy loss function $J(x,y;\theta )$, where $\theta$ denotes the parameter of f. For the perturbation $\delta$, we use the $L_{\infty }$ norm to restrict its size, that is, $\left|\right|x^{adv}-x{\left|\right|}_{\infty }\le ϵ$, $ϵ$ denotes the maximum perturbation value.

Let $f_1$ and $f_2$ denote two different deep neural network classifiers, and their corresponding network parameters are, respectively, ${\theta }_1$ and ${\theta }_2$. Both of them can correctly classify clean example x as label y. In the black-box situation, only ${\theta }_1$ is known and ${\theta }_2$ is unknown. The goal of transfer-based attacks is to produce an adversarial example $x^{adv}$ under $f_1$ by applying its transferability; $f_1$ and $f_2$ can simultaneously classify the clean example x incorrectly, that is, satisfy $f_1\left(x^{adv}\right)\ne y$ and $f_2\left(x^{adv}\right)\ne y$.

3.1. Gradient-Based Attacks

Since our algorithm is based on MI-FGSM for research and improvement, we briefly introduce MI-FGSM and its related attack methods here.

FGSM [10] is a one-step attack and the first gradient-based method. The updated equation is:

$$x^{adv}=x+ϵ·sign\left({▽}_{x}J(x,y;\theta )\right)$$

(1)

where $ϵ$ is the factor regulating the size of the perturbation, ${▽}_{x}J(·)$ is the gradient of $J(·)$ about x, and $sign(·)$ is the sign function to make $\delta$ meet the $L_{\infty }$ norm bound.

I-FGSM [11] subdivides the one-step perturbation computation process in FGSM into T steps and restricts the image pixels to the effective area by a clipping operation. The updated equation is:

$$x_0^{adv}=x,x_{t+1}^{adv}=Cli{p}_x^{ϵ}\{x_t^{adv}+\alpha ·sign\left({▽}_{x}J(x_t^{adv},y;\theta )\right)\}$$

(2)

where T is the total number of iterations, $\alpha =ϵ/T$ is the step size, and $Cli{p}_x^{ϵ}\{·\}$ serves to constrain adversarial examples $x_t^{adv}$ in the $ϵ$ neighborhood of x.

MI-FGSM [13] introduces the idea of momentum based on I-FGSM, which significantly improves the transferability. The updated equation is:

$$\begin{array}{c}\hfill g_{t+1}=\mu ·g_t+\frac{{▽}_{x}J(x_t^{adv},y;\theta )}{\left|\right|{▽}_{x}J(x_t^{adv},y;\theta ){\left|\right|}_1}\\ \hfill x_{t+1}^{adv}=Cli{p}_x^{ϵ}\{x_t^{adv}+\alpha ·sign\left(g_{t+1}\right)\}\end{array}$$

(3)

where $g_t$ is the gradient sum accumulated over t iterations, $g_0=0$ and $\mu$ is the decay factor of the momentum term $g_t$.

NI-FGSM [14] applies Nesterov’s accelerated gradient [36] to I-FGSM, and substitutes to $x_t^{adv}$ in Equation (3) with $x_t^{adv}+\alpha ·\mu ·g_t$ to further enhance the transferability.

DIM [17] adopts random resizing and padding transformations to images with a certain probability before the start of each iteration, from the perspective of data augmentation to enhance adversarial attacks transferability.

TIM [18] applies translation operations to images to generate adversarial examples. Specifically, TIM uses a Gaussian kernel matrix to convolve the gradients of untranslated images instead of computing the gradients of translating different pixel images, further improving the transferability.

SIM [14] considers model augmentation to improve transferability and exploits the scale-invariant property of DNNs to calculate gradients on the scale copies of the input images.

3.2. Motivation

FGSM is the earliest gradient-based attack with low time cost but a low success rate. I-FGSM subdivides the one-step perturbation calculation process in FGSM into multiple steps to improve attack efficiency. However, I-FGSM are often easy to overfit to the local maximum, so the transferability is weak. MI-FGSM introduces momentum terms into I-FGSM, which helps adversarial examples to escape from the poor local maximum and stabilize the updating direction. NI-FGSM adopts NAG into I-FGSM to make use of its looking-ahead property to modify the previously accumulated gradient and further improve the transferability.

Momentum and NAG are two algorithms for optimizing gradient descent that can significantly enhance the effect of deep learning models. MI-FGSM and NI-FGSM after combining the advantages of Momentum and NAG, respectively, help the adversarial examples to obtain better transferability. Therefore, we suppose that other gradient descent optimization algorithms can also be applied to attacks to improve their performance.

In this work, we consider applying the modified Nadam optimizer to gradient-based iterative attacks to optimize the gradient calculation.

3.3. Nadam Iterative Fast Gradient Method

Nadam, proposed by Dozat [22], is an advanced gradient descent optimization algorithm, which improves the convergence speed and quality of the DNNs. Nadam is a modification of the Adam [27]. Nadam naturally combines Nesterov’s accelerated gradient (NAG) [36] and Adam and modifies the momentum component of Adam while retaining the adaptive learning rate component.

To improve the transferability of adversarial examples, we propose the NAI-FGM (Nadam Iterative Fast Gradient Method), which combines an improved Nadam optimizer with gradient-based iterative attacks. Specifically, we introduce the look-ahead momentum vector and the adaptive learning rate component based on MI-FGSM. Figure 3 describes the attack idea of NAI-FGM. First, we input the pre-processed clean image into the network to obtain the gradient. Then, we process the gradients with the NAI-FGM algorithm to produce adversarial perturbations. Finally, the input images are superimposed with the perturbations to generate adversarial examples after multiple iterations.

Specifically, different from the momentum in MI-FGSM, the momentum in NAI-FGSM accumulates both the gradient and the square of the gradient during the iteration, which helps the loss function converge quickly on the small gradient dimension. At the same time, we directly applied the look-ahead momentum vector to replace applying the momentum step twice to update the gradient and parameter separately in NI-FGSM, which helped us get rid of the poor local maximum more quickly. The adaptive learning rate component uses the gradually decreasing step size, which is helpful to obtain the adaptive updating direction, so as to converge to a better extreme point.

The Nadam iterative fast gradient method (NAI-FGM) is summarized in Algorithm 1. Specifically, we first initialize the clean example x as an adversarial example $x_0^{adv}$ and input $x_t^{adv}$ into the classifier f at the first t iteration to obtain the gradient ${▽}_{x}J(x_t^{adv},y;\theta )$, then normalize it by its $L_1$ distance, defined in Equation (5). The term $m_t$ denotes the first momentum used to accumulate the sum of the gradients of t iterations, defined in Equation (6). The term $n_t$ denotes the second momentum used to accumulate the sum of squares of gradients for t iterations, defined in Equation (7). The terms ${\mu }_1$ and ${\mu }_2$ denote the decay factors of $m_t$ and $n_t$, respectively. The look-ahead momentum vector is ${\mu }_1·m_{t+1}+(1-{\mu }_1)·g_t$. The terms $m_t^{\prime }$ and $n_t^{\prime }$ compute the bias-corrected first and second momentums, defined in Equations (8) and (9), respectively. The updated equation of an adversarial example $x_t^{adv}$ is defined in Equation (10), where $\xi$ is the denominator stability factor to make sure the denominator is not equal to zero. The adaptive learning rate component is $1/\sqrt{n_{t+1}^{\prime }+\xi }$.

Existing works typically use the sign function to compute the direction of the gradient such that the adversarial perturbation satisfies the limitation of the $L_{\infty }$ norm. However, our method adaptively updates and calculates the gradient direction. Therefore, we constrain the perturbation within the $L_2$ norm bound, defined in Equation (10).

3.4. Attacking Ensemble of Models

The attack performance of NAI-FGM can be further enhanced by attacking the ensemble of models. Liu et al. [21] shows that if an adversarial example can fool different network models at the same time, it can also attack other models to a large extent. We adopt the logits ensemble attack strategy in the literature [13], that is, we simultaneously attack several different networks that fuse logit activations together. Specifically, the logits fusion equation for attacking an ensemble of K models is as follows:

$$l\left(x\right)=\sum _{k=1}^K{\omega }_k{L}_k\left(x\right)$$

(4)

where $l_k\left(x\right)$ are the logits output of the k-th model, ${\omega }_k$ is the ensemble weight with ${\omega }_k\ge 0$ and ${\displaystyle \sum _{k=1}^K}{\omega }_k=1$.

Algorithm 1 NAI-FGM

Input: A classifier f with loss function J; a clean example x and ground-truth label y;

Input: Perturbation size $ϵ$; maximum iterations T; the dimension of the input image N;

Input: Nadam decay factors ${\mu }_1$ and ${\mu }_2$; a denominator stability factor $\xi$.

Output: An adversarial example $x^{adv}$ with $\left|\right|x^{adv}-x{\left|\right|}_{\infty }\le ϵ$.

1: $\alpha =ϵ·\sqrt{N}/T$

2: $m_0=0;n_0=0;g_0=0;x_0^{adv}=x$

3: for $t=0$ to $T-1$ do

4:  obtain the gradient ${▽}_{x}J(x_t^{adv},y;\theta )$

5:  $g_t=\frac{{▽}_{x}J(x_t^{adv},y;\theta )}{\left|\right|{▽}_{x}J(x_t^{adv},y;\theta ){\left|\right|}_1}$ (5)

6:  $m_{t+1}={\mu }_1·m_t+(1-{\mu }_1)·g_t$ (6)

7:  $n_{t+1}={\mu }_2·n_t+(1-{\mu }_2)·g_t^2$ (7)

8:  $m_{t+1}^{\prime }=\frac{{\mu }_1·m_{t+1}+(1-{\mu }_1)·g_t}{1-{\mu }_1^{t+1}}$ (8)

9:  $n_{t+1}^{\prime }=\frac{{\mu }_2·n_{t+1}}{1-{\mu }_2^{t+1}}$ (9)

10:  $x_{t+1}^{adv}=Cli{p}_x^{ϵ}\{x_t^{adv}+\alpha \hspace{0.17em}·\hspace{0.17em}(\frac{m_{t+1}^{{}^{\prime }}}{\sqrt{n_{t+1}^{\prime }+\xi }}/\left|\right|\frac{m_{t+1}^{\prime }}{\sqrt{n_{t+1}^{\prime }+\xi }}{\left|\right|}_2\left)\right\}$ (10)

11: end for

12: return $x^{adv}=x_T^{adv}$

3.5. Differences from Existing Advanced Attacks

In

Table 1. The differences between gradient-based attacks.

Feature	FGSM	I-FGSM	MI-FGSM	NI-FGSM	AI-FGM	NAI-FGM
The one-step attack	Yes
The iterative attack		Yes	Yes	Yes	Yes	Yes
The momentum/The first momentum				Yes	Yes	Yes
The second momentum					Yes	Yes
The look-ahead momentum vector				Yes		Yes
The adaptive learning rate component					Yes	Yes
The constant step size	Yes	Yes	Yes	Yes		Yes
The variable step size					Yes
$L_{\infty }$ norm	Yes	Yes	Yes	Yes
$L_2$ norm					Yes	Yes

, we compare the proposed NAI-FGM with various advanced gradient-based attacks according to the features of different algorithms. The meanings of all the features in the table are mentioned in Section 3.3. Here we can clearly draw the difference between NAI-FGM and any attack algorithm in the table. For example, compared with AI-FGM, we add a look-ahead momentum vector to optimize the gradient calculation and adopt a constant step size to add perturbation to the image. For another example, we introduce the second momentum and adaptive learning rate component on the basis of NI-FGSM, and replace the limit of $L_{\infty }$ on adversarial perturbation with $L_2$.

Table 2. The difference between attacks with input transformations.

Feature	DIM	TIM	SIM	ATTA
Transformation method of input image	Resizing and padding	Translation	Scaling	Blurring and coloring

provides a distinction between the current state-of-the-art attacks with input transformations. Each attack in the table has a different input transformation method. In particular, ATTA is quite different from the input transformation methods of other attacks. ATTA first trains an additional adversarial transformation network to destroy the perturbation, and then makes the generated adversarial examples resistant to this transformation, thus enhancing the transferability of the adversarial examples.

4. Experiments

We conduct relevant experiments for NAI-FGM and compare it with some advanced attacks. In Section 4.1, the detailed experimental setup is described. In Section 4.2, we show the experimental results of attacking a single network model using gradient-based methods and combined data and model enhancement methods respectively. In Section 4.3, we provide experimental results of attacking an ensemble of models using several momentum-based iterative methods. Finally, we investigate the influence of NAI-FGM on the attack effect under different hyperparameter settings in Section 4.4. Additionally, we give suggestions for the values of the relevant parameters involved in the attack based on the experimental findings.

4.1. Experimental Setup

Dataset. We use 1000 images from the ImageNet dataset [37], which are randomly selected from different categories. Almost all images are able to be correctly classified by the networks we tested. Before using this dataset, these images are preprocessed to a size of 299 × 299 × 3.

Models. We consider testing the proposed attack method on seven networks, including normally trained models—Inception-v3 (Inc-v3) [23], Inception-v4 (Inc-v4), Inception-Resnet-v2 (IncRes-v2) [38] and Resnet-v2-101 (Res-101) [2], and adversarially trained models—Inc-v3ens3, Inc-v3ens4 and IncRes-v2ens [9].

Hyper-parameters. We set the maximum perturbation $ϵ=16$ of each pixel, total iteration number $T=10$, step size $\alpha =ϵ/T$ and decay factor $\mu =1.0$ [13]. We set the transformation probability $p=0.5$ of input images for DIM [17] and the size of the Gaussian kernel matrix to 7 × 7 for TIM [18]. For SIM [14], we set up five scale copies. For NAI-FGM, the denominator stability factor is set to $\xi ={10}^{-8}$, the Nadam decay factors ${\mu }_1=0.99$ and ${\mu }_2=0.999$ [16]. Additionally, the dimension N of the input image is set to 299 × 299 × 3, step size $\alpha =ϵ·\sqrt{N}/T$.

4.2. Attack a Single Model

4.2.1. Comparison with Advanced Gradient-Based Attacks

First, we compare and test the attack performance of FGSM, I-FGSM, MI-FGSM and NAI-FGM on seven models. The experimental results are presented in

Table 3. The success rates (%) of NAI-FGM compared to advanced gradient-based attacks when attacking a single model. * indicates the white-box attacks.

Model	Attack	Inc-v3	Inc-v4	IncRes-v2	Res-101	Inc-v3ens3	Inc-v3ens4	IncRes-v2ens	Time Complexity	The Generation Time (s) of an Adversarial Example
Inc-v3	FGSM	67.7 *	26.4	25.7	24.7	10.2	10.1	4.8	O(1)	0.3
	I-FGSM	100.0 *	22.2	19.4	15.4	5.8	5.4	3.1	O(n)	2.3
	MI-FGSM	100.0 *	44.7	41.6	35.4	14.6	12.4	6.2	O(n)	3.5
	NAI-FGM	100.0 *	47.5	44.6	36.1	16.7	14.3	8.6	O(n)	2.2
Inc-v4	FGSM	27.9	52.5 *	23.0	23.3	9.9	9.8	5.6	O(1)	0.4
	I-FGSM	31.6	99.9 *	21.8	20.9	5.6	6.6	4.1	O(n)	4.2
	MI-FGSM	55.2	99.7 *	46.1	41.1	16.5	15.0	7.7	O(n)	6.9
	NAI-FGM	60.4	100.0 *	49.6	43.1	19.7	18.7	9.7	O(n)	4.1
IncRes-v2	FGSM	27.3	20.2	42.3 *	24.5	9.9	9.5	5.8	O(1)	0.5
	I-FGSM	32.5	26.2	98.1 *	21.1	7.7	6.6	4.9	O(n)	4.7
	MI-FGSM	60.1	51.4	98.0 *	45.2	21.8	16.8	11.6	O(n)	7.8
	NAI-FGM	61.7	52.0	98.5 *	45.1	27.0	20.5	15.6	O(n)	4.9
Res-101	FGSM	36.7	31.4	30.4	78.5 *	15.1	13.6	7.2	O(1)	0.5
	I-FGSM	31.4	25.3	23.5	99.8 *	9.0	8.7	5.4	O(n)	5.0
	MI-FGSM	57.7	51.5	48.8	99.3 *	25.0	21.2	12.9	O(n)	8.1
	NAI-FGM	59.2	54.2	49.7	99.9 *	27.9	26.1	17.0	O(n)	5.1

, where * indicate the white-box attacks and the data in bold indicates the highest success rates of four attack algorithms for testing the same model. We use the four network models in the first column to produce adversarial examples by four attacks mentioned above. The seven network models in the first row are used for testing transferable effects of these adversarial examples. The attack success rate is used as an assessment indicator for the transferable effect of the adversarial example. Here, the attack success rate means the percentage of the number of adversarial images that can cause the test model to misclassify to the total number of adversarial images generated by each attack. In addition, in the last two columns of the table, we evaluate and calculate the time complexity of various attack algorithms and the generation time of each adversarial example.

We can observe that the success rate of all the other three iterative attacks in the white-box setting is almost 100% except the one-step attack FGSM. This indicates that iterative attacks have a significant advantage over one-step attacks. Meanwhile, I-FGSM show the worst results among the six black-box tests in comparison to the other attacks. Therefore, in subsequent experiments, we only compare with momentum-based attacks. And in the black-box situation, NAI-FGM has the highest success rate among these four attack methods. For example, NAI-FGM achieved a 100% white-box success rate when attacking Inc-v3, which is the same effect as I-FGSM and MI-FGSM. In addition, the success rate of NAI-FGM is 60.4% and 18.7% when the adversarial examples produced on Inc-v4 are transferred to Inc-v3 and Inc-v3ens4. Nevertheless, the success rate of MI-FGSM with good transferability is 55.2% and 15.0%, respectively, which fully demonstrates the advantage of NAI-FGM in improving attack transferability.

Moreover, from the time complexity point of view, the time complexity of iterative attacks is $O\left(1\right)$, while that of single-step attacks is $O\left(n\right)$. This indicates that iterative attacks consume more time. Meanwhile, the time to generate an adversarial example for NAI-FGM under Res-101 is 5.1 s, compared to 8.1 s for MI-FGSM and 5.0 s for I-FGSM. This shows that NAI-FGM only needs to spend approximately the same time as I-FGSM to obtain better effects than MI-FGSM.

4.2.2. Comparison with Momentum-Based Iterative Attacks with Input Transformations

The work of DIM, TIM and SIM shows that integrating the ideas of data augmentation and model augmentation into gradient-based adversarial attacks can significantly improve the transferability. Therefore, we combine NAI-FGM and two other momentum-based iterative attacks (MI-FGSM, NI-FGSM) with the above mentioned enhancement methods, called NAI-DI-TI-SI-FGM, MI-DI-TI-SI-FGSM and NI-DI-TI-SI-FGSM. We use these three methods to attack a single model and compare the success rates.

From

Table 4. Comparison of the success rates (%) of attacking a single model by three momentum-based iterative attacks with input transformations. * indicates the white-box attacks.

Model	Attack	Inc-v3	Inc-v4	IncRes-v2	Res-101	Inc-v3ens3	Inc-v3ens4	IncRes-v2ens	Time Complexity	The Generation Time (s) of an Adversarial Example
Inc-v3	MI-DI-TI-SI-FGSM	99.5 *	85.0	80.5	76.0	65.1	62.5	47.5	O($n^2$)	10.5
	NI-DI-TI-SI-FGSM	99.5 *	84.3	81.0	77.2	60.1	56.6	40.1	O($n^2$)	10.5
	NAI-DI-TI-SI-FGM	99.5 *	87.0	81.3	76.4	70.4	70.0	51.6	O($n^2$)	10.5
Inc-v4	MI-DI-TI-SI-FGSM	86.2	98.8 *	82.6	77.1	70.0	67.5	56.7	O($n^2$)	19.8
	NI-DI-TI-SI-FGSM	87.1	99.6 *	83.7	77.5	66.5	62.8	50.0	O($n^2$)	19.8
	NAI-DI-TI-SI-FGM	87.8	98.6 *	83.8	78.7	75.9	70.4	60.9	O($n^2$)	20.0
IncRes-v2	MI-DI-TI-SI-FGSM	88.7	86.4	98.4 *	83.9	78.6	74.5	72.6	O($n^2$)	21.7
	NI-DI-TI-SI-FGSM	89.6	88.5	99.5 *	83.1	73.0	67.6	63.5	O($n^2$)	22.0
	NAI-DI-TI-SI-FGM	90.1	88.6	98.5 *	85.4	82.7	79.3	78.0	O($n^2$)	22.0
Res-101	MI-DI-TI-SI-FGSM	85.5	81.7	84.3	98.9 *	75.8	71.7	62.1	O($n^2$)	22.8
	NI-DI-TI-SI-FGSM	85.7	84.0	85.0	99.6 *	72.9	67.8	57.3	O($n^2$)	22.4
	NAI-DI-TI-SI-FGM	86.4	83.5	84.6	98.9 *	80.4	76.8	69.4	O($n^2$)	22.5

we can observe that NAI-DI-TI-SI-FGM has significantly higher success rates in testing the three adversarially trained networks. Specially, the success rate of NAI-DI-TI-SI-FGM outperforms NI-DI-TI-SI-FGSM against adversarially trained models by 5–15%, and the average success rate of NAI-DI-TI-SI-FGM increased by more than 5% of MI-DI-TI-SI-FGSM. As described in Table 2, the integrated methods enable the attack to be transferred more effectively.

4.3. Attack an Ensemble of Models

Furthermore, we also implement ensemble attacks on multiple network models simultaneously with NAI-FGM and NAI-DI-TI-SI-FGM, respectively. Specifically, we attack the ensemble of Inc-v3, Inc-v4, IncRes-v2, and Res-101, and each model is set to the same ensemble weights, that is, ${\omega }_k=1/4$. It is worth noting that we set up 2 scale copies of the SIM for the time cost.

From

Table 5. Comparison of the success rates (%) of various advanced momentum-based iterative attacks when attacking an ensemble of models. The bolded data indicates the highest success rate for the same type of attack.

Attack	Inc-v3	Inc-v4	IncRes-v2	Res-101	Inc-v3ens3	Inc-v3ens4	IncRes-v2ens	Time Complexity	The Generation Time (s) of an Adversarial Example
MI-FGSM	99.9	99.6	99.3	99.0	47.8	43.2	28.0	O(n)	14.6
NI-FGSM	100.0	99.9	99.9	100.0	46.1	40.6	25.9	O(n)	14.8
NAI-FGM	100.0	100.0	99.5	100.0	57.4	52.1	36.1	O(n)	14.8
MI-DI-TI-SI-FGSM	99.6	99.4	99.0	99.4	88.5	87.4	81.2	O($n^2$)	30.4
NI-DI-TI-SI-FGSM	100.0	99.9	99.8	100.0	91.7	88.4	83.0	O($n^2$)	30.9
NAI-DI-TI-SI-FGM	99.9	99.9	99.8	99.9	93.0	92.0	88.9	O($n^2$)	31.2

we can observe that the success rates of NAI-FGM in attacking the three adversarially trained models can improve MI-FGSM by more than 8% and NI-FGSM by more than 11%. In addition, NAI-DI-TI-SI-FGM obtains 88.9–93.0% attack success rates on all three adversarially training models. However, MI-DI-TI-SI-FGSM and NI-DI-TI-SI-FGSM only obtained the corresponding 81.2–88.5% and 83.0–91.7% attack success rates, respectively, further demonstrating the advantage of NAI-DI-TI-SI-FGM. Meanwhile, the proposed method can still maintain similar white-box success rates as the two other momentum-based iterative attacks.

4.4. Study on Hyperparameters

Decay factors ${\mu }_1$ and ${\mu }_2$. First, we study the effects of the decay factors ${\mu }_1$ and ${\mu }_2$ on the attack performance. We produce adversarial examples on Inc-v3 and test them on Inc-v3, Inc-v4 and Inc-v3ens4. These three models are chosen because they represent a white-box attack, an attack against an undefended model and an attack against a defended model, respectively. This makes our study more adequate and experimental findings more general. Figure 4 shows the attack effect of NAI-FGM with different decay factor settings. In the experiment, ${\mu }_1$ and ${\mu }_2$ are set to the same value and the size varies from 0.1 to 0.9 in step of 0.1. From the Figure 4, we can observe that the success rate of the white-box model remains at 100% as ${\mu }_1$ and ${\mu }_2$ increase, and the success rates of the two black-box models as a whole are increasing.

From this, we can draw a preliminary conclusion that the size of the decay factor is irrelevant to the effectiveness of the white-box attack. Meanwhile, as the gradual grow of the value of the decay factor, the effect of the black-box attack improve accordingly. Also, since we first set the values of the two decay factors in the interval $[0.1,0.9]$, then we should continue to explore in the interval with values $[0.9,1)$. Here, values of the two decay factors cannot be set to 0, 1 or other range of values due to the limitation of our algorithm.

To further study the optimal values of the two decay factors on the attack performance, we choose different combinations of values for ${\mu }_1$ and ${\mu }_2$ in the interval of $[0.9,1)$ to test the success rate of NAI-FGM. From

Table 6. Attack success rates (%) of NAI-FGM on seven networks using adversarial examples produced on Inc-v3 with different combinations of decay factors. The data marked with * indicate the highest success rate on each black-box model, and the bolded data indicate the success rate that is in the largest integer interval in each model.

${\mathit{\mu }}_1$ & ${\mathit{\mu }}_2$	Inc-v3	Inc-v4	IncRes-v2	Res-101	Inc-v3ens3	Inc-v3ens4	IncRes-v2ens
0.9 & 0.9	100.0	45.8	42.1	35.2	15.9	14.3	8.0
0.9 & 0.99	100.0	45.4	41.2	35.8	15.9	14.0	7.0
0.9 & 0.999	100.0	44.3	42.8	35.2	15.3	14.2	7.9
0.99 & 0.9	100.0	47.4	44.9 *	37.9 *	17.1	13.7	8.5
0.99 & 0.99	100.0	47.6	44.4	36.6	16.8	14.3	8.5
0.99 & 0.999	100.0	47.5	44.6	36.1	16.7	14.3	8.6 *
0.999 & 0.9	100.0	47.7 *	44.4	37.1	17.1	14.6 *	7.7
0.999 & 0.99	100.0	46.2	44.2	36.8	17.4 *	14.5	7.6
0.999 & 0.999	100.0	46.6	44.9 *	37.4	17.4 *	14.1	8.2

we can observe that the maximum values of the success rate of each model of the attack fall in the interval of ${\mu }_1\in (0.99,0.999)$. Additionally, we conjecture that the sensitivity of different models to the decay factors ${\mu }_1$ and ${\mu }_2$ may be different, but the optimal value of ${\mu }_1$ should be in the interval of $(0.99,1)$ and the optimal value of ${\mu }_2$ should be in the interval of $(0.9,1)$. Therefore, we can select and set the optimal value of the decay factor according to the specific attack target. In this experiment, we set the values of ${\mu }_1$ and ${\mu }_2$ to 0.99 and 0.999, respectively.

Size of perturbation $ϵ$. Second, we study the effect of the $ϵ$ on the attack performance. Figure 5 demonstrates the effect of NAI-FGM attack at different sizes of perturbation. In this experiment, the size of perturbation $ϵ$ varies from 0 to 20 in step of 2. From the Figure 5, we can clearly see that the success rate of the white-box model of NAI-FGM can reach 100% very quickly. Additionally, The effectiveness of the attack under the six black-box models tested improves with increasing of $ϵ$.

However, the larger the perturbation value, the worse the visual effect of the antagonistic example produced by the attack will be. Ultimately, we propose to set the perturbation size of NAI-FGM to $ϵ=16$.

Total iteration number T. Finally, we study the effect of the T on the attack performance against three adversarially trained black-box models. Figure 6 shows the effect of three momentum-based iterative attacks (NAI-FGM, MI-FGSM and NI-FGSM) with different iteration number. In this experiment, T varies from 2 to 16 in step of 2. We use adversarial examples produced on Inc-v3 to attack Inc-v3ens3, Inc-v3ens4 and IncRes-v2ens models. From figure (a), (b) and (c), we can observe that the overall success rates of NAI-FGM outperform MI-FGSM and NI-FGSM for different black-box model settings and different iteration number settings. Because the points on the red line representing the success rate of the NAI-FGM are above the blue and green line points. From another perspective, NAI-FGM requires only fewer iterations to can obtain similar success rates as other two attacks. This indicates that NAI-FGM requires less time cost when the success rates are the same. For example, when attacking the Inc-v3ens3, NAI-FGM achieves a success rate of about 15% in only 4 iterations, while MI-FGSM requires 10 iterations, which fully shows the advantages of NAI-FGM.

In addition, Figure 6 presents that the attack success rate curve of NAI-FGM under different iteration number settings undergoes a slight oscillation. However, with T increases, the attack effect is getting better in the overall. Therefore, we can derive that the greater the number of iterations, the better the attack effect, but the corresponding time cost will also increase. Ultimately, we propose to set the number of iterations of NAI-FGM to $T=10$.

5. Discussion

We design a new adversarial example generation algorithm: NAI-FGM. First, a look-ahead momentum component is added to MI-FGSM, which speeds up the convergence of the loss function and gets rid of the poorer local maxima. Secondly, we introduce an adaptive learning rate component to obtain an adaptive update direction based on the current gradient information and converge to a better local extreme point. After extensive experimental validation, our approach mitigates the overfitting effect of the adversarial examples produced in the current attack methods and enhances the transferability of them to some extent.

However, our method still has some shortcomings. For example, without combining input transformation and integration, our black-box attack success rate is only about 50% for the undefended model. Additionally, our attack success rate is still less than 30% for the model with defense. This indicates that the transfer-based attacks still need to be improved. We conjecture that it may be due to the fact that our study only produces adversarial examples relied on the information of the current gradient, and does not consider the gradient information of multiple samples in different time states. This is an important reason why the attack is less effective under black-box testing and it is something that will be investigated in our next work.

In future research, we will also consider linking adversarial attacks to IoT-related technologies. In particular, in the field of communication, the attack efficiency is quite sensitive to the latency of data processing. How to trade-off and choose between time cost, complexity of training alternative models and attack algorithm performance is the issue we have to focus on.

6. Conclusions

In this work, we propose the Nadam iterative fast gradient method (NAI-FGM) to boost adversarial attacks from the perspective of improving the transferability of adversarial examples. Although our attack is based on MI-FGSM with improvements, there are still some differences. First, the momentum term of MI-FGSM accumulates only the sum of the gradients during the iteration. While the first momentum term of NAI-FGM is used to accumulate the gradient sums, the second momentum term gathers the sum of squares of the gradients. Meanwhile, the second momentum term constitutes the adaptive learning rate component, which is used to help the adversarial example to converge to a better extreme point by obtaining adaptive update directions according to the current parameters. Second, we introduce the look-ahead momentum vector, which is dedicated to make the loss function converge faster and get rid of the poor local maximum. Thirdly, we use $L_2$ norm instead of $L_{\infty }$ norm to calculate the direction of change of the current gradient, with the aim of matching our algorithm to obtain adaptive update directions.

Experimental results indicate that NAI-FGM realizes obviously higher attack success rates in the black-box case and obtains similar success rates against the white-box models compared to traditional momentum-based iterative attack methods. In particular, when using the adversarial examples produced by way of ensemble attack to test the adversarially trained models, the NAI-FGM improves the success rate by 8% to 11% over the other attack methods on attacking ensemble models. Last but not least, the NAI-DI-TI-SI-FGM combined with the input transformation achieves a high success rate of 91.3% on average. This poses higher requirements and greater challenges to the security of DNNs. Therefore, it is urgent and necessary to study and design models with better performance and higher robustness.