The output of convolutional neural networks (CNNs) has been shown to be discontinuous which can make the CNN image classifier vulnerable to small well-tuned artificial perturbation. That is, images modified by conducting such alteration (i.e., adversarial perturbation) that make little difference to the human eyes can completely change the CNN classification results. In this paper, we propose a practical attack using differential evolution (DE) for generating effective adversarial perturbations. We comprehensively evaluate the effectiveness of different types of DEs for conducting the attack on different network structures. The proposed method only modifies five pixels (i.e., few-pixel attack), and it is a black-box attack which only requires the miracle feedback of the target CNN systems. The results show that under strict constraints which simultaneously control the number of pixels changed and overall perturbation strength, attacking can achieve 72.29%, 72.30%, and 61.28% non-targeted attack success rates, with 88.68%, 83.63%, and 73.07% confidence on average, on three common types of CNNs. The attack only requires modifying five pixels with 20.44, 14.28, and 22.98 pixel value distortion. Thus, we show that current deep neural networks are also vulnerable to such simpler black-box attacks even under very limited attack conditions.

中文翻译：

---

使用差分进化攻击卷积神经网络

卷积神经网络（CNN）的输出已显示为不连续的，这会使CNN图像分类器容易受到微调的人工扰动的影响。也就是说，通过进行这种改变（即对抗性扰动）而对人眼几乎没有影响的图像可以完全改变CNN分类结果。在本文中，我们提出了一种使用差分进化（DE）的实用攻击来生成有效的对抗性扰动。我们综合评估了不同类型的DE对不同网络结构进行攻击的有效性。所提出的方法仅修改了五个像素（即，少像素攻击），这是一种黑匣子攻击，仅需要目标CNN系统的奇迹反馈。结果表明，在严格控制像素变化数量和总体摄动强度的严格约束下，攻击的非目标攻击成功率可达到72.29％，72.30％和61.28％，置信度为88.68％，83.63％和73.07％平均而言，三种常见的CNN类型。攻击只需要修改5个具有20.44、14.28和22.98像素值失真的像素即可。因此，我们表明，即使在非常有限的攻击条件下，当前的深度神经网络也容易受到这种更简单的黑盒攻击的攻击。攻击仅需要修改五个像素，使其具有20.44、14.28和22.98像素值失真。因此，我们表明，即使在非常有限的攻击条件下，当前的深度神经网络也容易受到这种更简单的黑盒攻击的攻击。攻击仅需要修改五个像素，使其具有20.44、14.28和22.98像素值失真。因此，我们表明，即使在非常有限的攻击条件下，当前的深度神经网络也容易受到这种更简单的黑盒攻击的攻击。