Adversarial sample generation problem is a hot issue in the security field of deep learning. Evolutionary algorithm has been widely used to solve this problem in recent years because of its good global search ability. However, existing methods still suffer from the “curse of dimensionality” when attacking high-resolution images. In this paper, a two-stage frequency domain generation algorithm of black-box adversarial samples based on differential evolution is proposed. In the first stage, a representative image-guided differential evolution method is proposed to quickly generate a universal adversarial perturbation with a high attack success rate in the frequency-domain. In the second stage, a space reduction strategy based on frequency-domain pixel blocks is designed to reduce the search space and alleviate the problem of “curse of dimensionality”. In addition, a new space–frequency interaction sensitivity measure is introduced to evaluate the similarity between the adversarial samples and the original images. The adversarial perturbations obtained by the measure are more in line with the subjective perception of the human eye. Finally, compared with several typical black-box adversarial sample generation algorithms, experimental results show that the proposed algorithm can achieve higher attack success rate with less prediction times.

中文翻译：

---

基于差分进化的黑盒对抗样本两阶段频域生成算法

对抗样本生成问题是深度学习安全领域的热点问题。进化算法由于其良好的全局搜索能力，近年来被广泛应用于解决这一问题。然而，现有方法在攻击高分辨率图像时仍然遭受“维数灾难”的困扰。本文提出了一种基于差分进化的黑盒对抗样本两阶段频域生成算法。在第一阶段，提出了一种具有代表性的图像引导差分进化方法，以快速生成频域中具有高攻击成功率的通用对抗性扰动。第二阶段，设计基于频域像素块的空间缩减策略，以减少搜索空间，缓解“维数灾难”问题。此外，还引入了一种新的空频交互敏感性度量来评估对抗样本与原始图像之间的相似性。该测量获得的对抗性扰动更符合人眼的主观感知。最后，与几种典型的黑盒对抗样本生成算法进行比较，实验结果表明，该算法能够以更少的预测次数获得更高的攻击成功率。