Harmonizing Transferability and Imperceptibility: A Novel Ensemble Adversarial Attack

Abstract

Contemporary research on adversarial attacks in Intelligent Internet of Things focuses on balancing two key aspects: transferability and imperceptibility. However, achieving a balance between these aspects can be challenging. To address this, we introduce an ensemble adversarial attack method based on model interpretability. This method aims to maintain the transferability of attacks while ensuring a high degree of imperceptibility. Our method generates adversarial perturbations by leveraging information from multiple models, thereby enhancing the transferability of adversarial examples. We also increase the aggressiveness of these examples by accentuating the differences in class activation mappings between adversarial and benign images. During the perturbation optimization process, class activation mappings are utilized to generate more selective perturbations, improving the imperceptibility of the adversarial examples. Experimental results demonstrate that our method effectively balances transferability and imperceptibility. Specifically, for 13 victim classifiers, compared to the most potent attack, VNIFGSM, among nine benchmark methods, OUR demonstrates a 10.31% increase in the mean of Attack Success Rate (mASR) in non-targeted attacks, and OUR's mASR increases by 9% in targeted attacks. Meanwhile, while OUR exhibits comparable attack performance to VNIFGSM, its imperceptibility demonstrates outstanding performance.