Improving the Sar Image Adversarial Transferability Through Dual-Loop Ensemble Gradient Attack

• Published in: Proceedings (IEEE International Conference on Multimedia and Expo) pp. 1 - 6
• Main Authors: Liu, Xin, Xu, Yue, He, Kun
• Format: Conference Proceeding
• Language: English
• Published: IEEE 15.07.2024
• Subjects: adversarial examples; Closed box; dual-loop ensemble gradient attack; Estimation; Image recognition; Integrated optics; model ensemble attack; Optical computing; Optical design; Perturbation methods; Synthetic Aperture Radar
• ISSN: 1945-788X
• DOI: 10.1109/ICME57554.2024.10687760

Deep neural networks have been widely used in Synthetic Aperture Radar (SAR) image recognition. However, they are susceptible to adversarial examples crafted by adding human-imperceptible perturbations to clean examples. Model ensemble attack, designed for optical images, is an effective way to enhance the transferability of adversarial examples. Nevertheless, existing model ensemble attacks do not fully consider the differences of model architectures, which makes a huge difference between adversarial perturbations. In this work, we propose a novel attack method called Dual-loop Ensemble Gradient Attack (DEGA). DEGA introduces a dual-loop structure where the accumulated gradient in the outer loop is updated using an ensemble gradient estimated from a randomly chosen subset of models in the inner loop. In this way, the gradient is updated more accurately, improving the transferability of adversarial examples. Extensive experiments demonstrate that DEGA outperforms other model ensemble attacks on SAR recognition in the black-box setting.