To improve the attack success rate and image perceptual quality of adversarial examples against deep neural networks(DNNs), we propose a new Generative Adversarial Network (GAN) based attacker, named Elastic-net Regularized Boundary Equilibrium Generative Adversarial Network(ERBEGAN). Recent studies have shown that DNNs are easy to attack by adversarial examples(AEs) where benign images with small-magnitude perturbations mislead DNNs to incorrect results. A number of methods are proposed to generate AEs, but how to generate them with high attack success rate and perceptual quality needs more effort. Most attackers generate AEs by restricting $L_2$-norm and $L_{\infty }$-norm of adversarial perturbations. However, very few works have been developed on $L_1$ distortion matrix which encourages sparsity in the perturbation. In this paper, we penalize both $L_2$-norm and $L_1$-norm of perturbation as Elastic-Net regularization to improve the diversity and robustness of AEs. We further improve GAN by minimizing the additional pixel-wise loss derived from the Wasserstein distance between benign and adversarial auto-encoder loss distributions. Extensive experiments and visualizations on several datasets show that the proposed ERBEGAN can yield higher attack success rates than the state-of-the-art GAN-based attacker AdvGAN under the semi-whitebox and black-box attack settings. Besides, our method efficiently generates diverse adversarial examples that are more perceptually realistic.

为了提高对抗示例对深度神经网络（DNN）的攻击成功率和图像感知质量，我们提出了一种基于生成对抗网络（GAN）的新型攻击者，称为弹性网正则化边界均衡生成对抗网络（ERBEGAN）。最近的研究表明，DNN易于通过对抗性示例（AE）进行攻击，在这些示例中，具有小幅度扰动的良性图像会误导DNN给出错误的结果。提出了多种生成AE的方法，但是如何生成具有高攻击成功率和感知质量的AE则需要付出更多的努力。大多数攻击者通过限制${\mathrm{大号}}_2$-规范和 ${\mathrm{大号}}_{\infty }$-对抗性干扰的规范。但是，关于${\mathrm{大号}}_{\mathrm{1个}}$失真矩阵，它鼓励扰动稀疏。在本文中，我们对两者都进行了惩罚${\mathrm{大号}}_2$-规范和 ${\mathrm{大号}}_{\mathrm{1个}}$-摄动范数作为Elastic-Net正则化来提高AE的多样性和鲁棒性。我们通过最小化从良性和对抗性自动编码器损失分布之间的Wasserstein距离得出的附加像素级损失来进一步改善GAN。在几个数据集上的大量实验和可视化结果表明，在半白盒和黑盒攻击设置下，所提出的ERBEGAN可以比基于GAN的最新攻击者AdvGAN产生更高的攻击成功率。此外，我们的方法有效地生成了各种更具对抗性的对抗示例。