By adding human-imperceptible noise to clean images, the resultant adversarial examples can fool other unknown models. Features of a pixel extracted by deep neural networks (DNNs) are influenced by its surrounding regions, and different DNNs generally focus on different discriminative regions in recognition. Motivated by this, we propose a patch-wise iterative algorithm -- a black-box attack towards mainstream normally trained and defense models, which differs from the existing attack methods manipulating pixel-wise noise. In this way, without sacrificing the performance of white-box attack, our adversarial examples can have strong transferability. Specifically, we introduce an amplification factor to the step size in each iteration, and one pixel's overall gradient overflowing the $\epsilon$-constraint is properly assigned to its surrounding regions by a project kernel. Our method can be generally integrated to any gradient-based attack methods. Compared with the current state-of-the-art attacks, we significantly improve the success rate by 9.2\% for defense models and 3.7\% for normally trained models on average. Our code is available at \url{https://github.com/qilong-zhang/Patch-wise-iterative-attack}

中文翻译：

---

欺骗深度神经网络的补丁式攻击

通过在干净的图像中添加人类无法察觉的噪声，由此产生的对抗样本可以欺骗其他未知模型。深度神经网络 (DNN) 提取的像素特征受其周围区域的影响，不同的 DNN 在识别中通常侧重于不同的判别区域。受此启发，我们提出了一种逐块迭代算法——一种针对主流正常训练和防御模型的黑盒攻击，它不同于现有的操纵逐像素噪声的攻击方法。这样，在不牺牲白盒攻击性能的情况下，我们的对抗样本可以具有很强的可迁移性。具体来说，我们在每次迭代的步长中引入了一个放大因子，一个像素' 溢出 $\epsilon$-constraint 的整体梯度由项目内核正确分配给其周围区域。我们的方法通常可以集成到任何基于梯度的攻击方法中。与当前最先进的攻击相比，我们将防御模型的成功率显着提高了 9.2%，正常训练模型的成功率平均提高了 3.7%。我们的代码位于 \url{https://github.com/qilong-zhang/Patch-wise-iterative-attack}