Empirical Perturbation Analysis of Two Adversarial Attacks: Black Box versus White Box

Through the addition of humanly imperceptible noise to an image classified as belonging a category ca, targeted adversarial attacks can lead convolutional neural networks (CNNs) classify modified any predefined target class ct≠ca. To achieve better understanding inner workings attacks, this study analyzes images created by two completely opposite against 10 ImageNet-trained CNNs. A total 2×437 are EAtarget,C, black-box evolutionary algorithm (EA), and basic iterative method (BIM), white-box, gradient-based attack. We inspect compare these sets from different perspectives: behavior CNNs at smaller regions, frequency, transferability, texture change, penultimate CNN layer activations. find that change is side effect rather than means for ct-relevant features only build up significantly regions size 56×56 onwards. In layers, both increase activation units positively related ct negatively ca. contrast EAtarget,C’s white nature, BIM predominantly introduces low-frequency noise. affects original ca more thus producing slightly transferable images. However, transferability with low, since attacks’ ct-related information specific output layers CNN. actually sizes full scale.