Method and system for generating transferable adversarial samples based on frequency domain sensitivity analysis

Abstract

The present application relates to the technical field of computer information security, and discloses a method and system for generating transferable adversarial samples based on frequency domain sensitivity analysis, which first generates a public sensitive frequency domain mask to represent the frequency region commonly sensitive to the model based on a plurality of pre-trained substitute models of different architectures through Fourier disturbance analysis; then introduces a frequency domain model enhancement operation in the iterative optimization process of the adversarial disturbance, including multiplicative noise, additive noise and sensitive region reinforcement, to simulate diversified model spectral characteristics; simultaneously constructs a joint loss function, maximizes the target class confidence through the adversarial loss, and guides the disturbance energy to the public sensitive frequency domain through the frequency domain constraint loss; finally, iteratively updates the disturbance combined with the momentum optimization strategy, and outputs the adversarial sample after clipping. The present application effectively solves the technical problems of easy overfitting of the substitute model and low transferability of the existing method by mining the common characteristics of the model frequency domain sensitivity and constraining the disturbance distribution.

Description

Technical Field

[0001] This invention relates to the field of computer information security technology, specifically to a method and system for generating transferable adversarial examples based on frequency domain sensitivity analysis. Background Technology

[0002] While deep neural networks (DNNs) have achieved great success in a variety of tasks, their vulnerability to adversarial examples has become a potential threat to practical applications. Adversarial examples are generated by adding carefully crafted tiny perturbations to an original clean image, which can cause DNNs to make incorrect predictions.

[0003] Existing adversarial attack methods are mainly divided into white-box attacks and black-box attacks. In white-box attacks, attackers have complete access to the architecture and parameters of the target model, resulting in a high success rate, as exemplified by methods such as FGSM and PGD. However, in practical applications, attackers typically cannot obtain the internal information of the target model, making black-box attacks more relevant. Transfer-based attacks are an important technique in black-box attacks, utilizing alternative models to generate adversarial examples, hoping these examples will be effective against unknown target black-box models. Currently, methods to improve the transferability of adversarial examples mainly include data augmentation and model enhancement strategies. For example, DI-FGSM increases data diversity through input transformation, while TI-FGSM utilizes translation invariance to smooth gradients. However, most of these methods operate in the spatial domain, ignoring the differences in characteristics of different models in the frequency domain. Research shows that DNNs have different sensitivities to noise at different frequencies in the frequency domain, i.e., there exists a so-called "frequency-sensitive region." Existing methods have failed to effectively utilize this frequency domain characteristic, resulting in limited success rates for generated adversarial examples when transferred to black-box models with different structures, especially in more challenging targeted attack scenarios.

[0004] However, existing technologies have obvious drawbacks: First, gradient-based iterative attack methods are prone to overfitting to specific decision boundaries of alternative models, resulting in poor transferability of adversarial examples; second, existing model enhancement methods are mostly performed in the spatial domain, which cannot effectively simulate the sensitivity differences of different models in the frequency domain; and third, in targeted attack scenarios, the transfer success rate of existing methods is generally low, making it difficult to meet the actual attack requirements. Summary of the Invention

[0005] (a) Technical problems to be solved To address the shortcomings of existing technologies, this invention provides a method and system for generating transferable adversarial examples based on frequency domain sensitivity analysis. It has the advantages of high transfer success rate, strong anti-defense capability, and good imperceptibility. It solves the problems of low adversarial example transferability, easy overfitting of replacement models, poor targeted attack effect, and failure to effectively utilize the frequency domain characteristics of DNNs in existing black-box adversarial attack technologies.

[0006] (II) Technical Solution To achieve the above objectives, the present invention provides the following technical solution: a method for generating transferable adversarial examples based on frequency domain sensitivity analysis, comprising the following steps: Step 1: Obtain the input image and initialize the attack parameters: Obtain the original image to be attacked and set the hyperparameters related to the adversarial attack; Step 2: Generate common sensitive frequency domain mask: Based on multiple pre-trained alternative models with different architectures, generate a common sensitive frequency domain mask through frequency domain sensitivity analysis; Step 3, Frequency Domain Model Enhancement: In each iteration, the current image is transformed in the frequency domain and random enhancements are introduced to simulate diverse model spectral characteristics; Step 4: Calculate the joint loss function: Calculate the joint loss function, which includes adversarial loss and frequency domain constraint loss, to guide perturbation optimization; Step 5, Perturbation Update and Momentum Optimization: Based on the gradient of the joint loss function with respect to the input image, iteratively update the momentum term to counteract the perturbation; Step 6: Perturbation clipping and output of adversarial examples: Perform projection clipping on the generated adversarial examples to ensure that the perturbation amplitude and pixel values ​​are within the legal range, and output the final adversarial examples.

[0007] Preferably, in step one, one or more original images are input. And set the attack parameters: maximum perturbation constraint ∈[0.01,0.1], number of iterations ∈[5,50], step size Frequency domain loss weights ∈[0.1,10], sensitive region enhancement coefficient β∈[0.05,0.5], multiplicative noise range ∈[0.1,0.8], additive noise standard deviation ∈[0.001,0.1], Sensitive Mask Threshold %∈[5%,30%], and determine the attack type and target label.

[0008] Preferably, the common sensitive frequency domain mask generation process in step two is as follows: S1.1 Prepare multiple alternative models and perform Fourier perturbation analysis on each model: S1.2 Add small perturbations to different frequency bases and observe the changes in model output to generate corresponding Fourier heatmaps. The higher the heatmap value, the more sensitive the model is to that frequency. S1.3 Integrate the heatmaps of all alternative models to obtain a common frequency domain sensitivity distribution map; S1.4 Finally, the distribution map is binarized, and the map with the highest sensitivity is selected. % frequency region as a public sensitive mask The remaining area serves as a non-sensitive mask. .

[0009] Preferably, the frequency domain model enhancement process in step three is as follows: S2.1, For the current image or adversarial examples First, its frequency domain representation is obtained through Fast Fourier Transform. Simultaneously, random noise is introduced in the frequency domain: generating uniformly distributed multiplicative noise. ∈[0,ρ] and with Perform Hadamard accumulation; S2.2, Regenerating Additive Noise with Gaussian Distribution The frequency domain representation and added to superior; S2.3 Continue to utilize public sensitive masks The enhanced spectrum is weighted, i.e., it is combined with the matrix ( ) to perform Hadamard accumulation, among which It is a matrix of all ones. For enhancement coefficient; S2.4 Finally, the enhanced frequency domain signal is converted back to the spatial domain using inverse Fourier transform to obtain the enhanced image. .

[0010] Preferably, in step four, the enhanced image is... Input the alternative model and calculate the adversarial loss. For targeted attacks, a ternary loss mechanism or... .

[0011] Preferably, in step four, the enhanced image is... Input the alternative model and calculate the adversarial loss. For non-targeted attacks, cross-entropy loss or... Simultaneously calculate frequency domain loss ,in Sensitive area The strength of the difference (e.g., L2 norm) between adversarial examples and the original image frequency domain representation. The intensity of difference within non-sensitive areas, To prevent division by zero for small constants, the total loss = + * , To weigh the parameters.

[0012] Preferably, the perturbation update and momentum optimization process in step five is as follows: S3.1 First calculate the total loss. For the input image gradient Introducing the momentum term: ,in, Let be the momentum decay factor, and update the perturbation based on the momentum gradient: Step length ; S3.2, then update the adversarial examples. = + As input for the next iteration.

[0013] Preferably, in step six, the perturbation pruning and adversarial example output process involves: after each iteration or after the final iteration, the perturbation... Perform projection cropping to make it The norm does not exceed the preset threshold ,Right now Simultaneously, the pixel values ​​of the adversarial examples are cropped to the [0,1] interval, after... After the second iteration, the final adversarial example is output. .

[0014] Preferably, the program embedded in the computer-readable storage medium of the image to be processed implements the method as described in any one of claims 1-8 when executed by a processor.

[0015] A transferable adversarial example generation system based on frequency domain sensitivity analysis is generated and executed according to the above-mentioned transferable adversarial example generation method based on frequency domain sensitivity analysis. The system includes an image acquisition module, a parameter configuration module, a mask generation module, a frequency domain enhancement module, a loss calculation module, a perturbation optimization module, a cropping module, and an output module. The image acquisition module is used to acquire the original input image and pass the image to subsequent modules; The parameter configuration module is used to set attack parameters, including maximum perturbation constraints. Number of iterations Step length Loss weights Enhancement coefficient Noise parameters and Mask threshold The parameters are then assigned to relevant modules, along with the percentage and attack type. The mask generation module generates a common sensitive frequency domain mask based on multiple pre-trained alternative models and through Fourier perturbation analysis. The mask is then provided to the frequency domain enhancement module and the loss calculation module. The frequency domain enhancement module performs a Fourier transform on the current image, introduces random noise, and utilizes a mask in each iteration. Weighted enhancement is performed, followed by inverse transformation back to the spatial domain to obtain the enhanced image. And send it to the loss calculation module; The loss calculation module receives the enhanced image and calculates the joint loss. = + * The loss value and gradient information are then passed to the perturbation optimization module. The perturbation optimization module calculates the momentum term based on the loss gradient and updates the adversarial perturbation. The updated perturbation is then applied to the original image to obtain new adversarial examples, and this process is repeated iteratively. The clipping module performs projection clipping on the disturbance after each update to ensure that the disturbance amplitude does not exceed [the specified value]. The cropped samples are then returned to the frequency domain enhancement module for the next iteration. The output module receives the final adversarial sample after the iteration terminates. And output it as the system output.

[0016] Compared with existing technologies, this invention provides a method and system for generating transferable adversarial examples based on frequency domain sensitivity analysis, which has the following beneficial effects: 1. This invention generates a common sensitive frequency domain mask by integrating and analyzing the Fourier heatmaps of multiple alternative models. Based on this mask, the perturbation distribution is constrained in the frequency domain, which significantly improves the cross-model transfer capability of adversarial samples. Existing technologies generate perturbations in the spatial domain, which can easily overfit the local features of specific alternative models. However, this invention mines the common sensitive frequency domain primitives of different architecture models, so that the perturbations are focused on the frequency components that are truly critical to the model's decision-making. This effectively reduces the spectral difference between the alternative model and the black-box model, and achieves a higher transfer success rate in both non-directional and directional black-box attacks.

[0017] 2. This invention achieves the beneficial effects of effectively expanding the representation range of alternative models and enhancing the generalization ability of adversarial examples to unknown models by introducing frequency domain model enhancement operations (including multiplicative noise, additive noise, and sensitive region enhancement) during the iterative optimization process. This enhancement strategy can simulate the spectral response characteristics of diverse models, so that the generated adversarial examples are no longer limited to the feature space of a single alternative model, but cover a wider frequency domain distribution. Thus, it can still maintain a high attack success rate when facing black-box models with different network architectures or training strategies, while improving the resistance of the method of this invention to various input preprocessing defense methods.

[0018] 3. This invention constructs a joint optimization objective that includes adversarial loss and frequency domain constraint loss. This explicitly guides perturbation energy to the common sensitive frequency domain and suppresses redundant perturbations in non-sensitive regions, achieving the beneficial effect of improving the imperceptibility of perturbations while ensuring the effectiveness of the attack. The frequency domain loss term maximizes the ratio of perturbation intensity in sensitive and non-sensitive regions, ensuring that the limited perturbation budget is concentrated on the frequency components that have the greatest impact on the model. This avoids the visual quality degradation problem caused by the dispersion of perturbation energy in traditional methods, enabling the generated adversarial examples to accurately mislead the target category while maintaining high PSNR and SSIM indices. Attached Figure Description

[0019] Figure 1 This is a flowchart of the method of the present invention (the steps from the input image to the generation of adversarial examples and their transformation relationships between the spatial domain and the frequency domain). Figure 2 The Fourier heatmap of this invention (visually shows the differences in frequency-sensitive regions of different models on different datasets, as well as the common sensitivity mask obtained after integration). Detailed Implementation

[0020] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0021] Please see Figures 1-2 A transferable adversarial example generation method based on frequency domain sensitivity analysis includes the following steps: Step 1: Obtain the input image and initialize the attack parameters: Obtain the original image to be attacked and set the hyperparameters related to the adversarial attack; Step 2: Generate common sensitive frequency domain mask: Based on multiple pre-trained alternative models with different architectures, generate a common sensitive frequency domain mask through frequency domain sensitivity analysis; Step 3, Frequency Domain Model Enhancement: In each iteration, the current image is transformed in the frequency domain and random enhancements are introduced to simulate diverse model spectral characteristics; Step 4: Calculate the joint loss function: Calculate the joint loss function, which includes adversarial loss and frequency domain constraint loss, to guide perturbation optimization; Step 5, Perturbation Update and Momentum Optimization: Based on the gradient of the joint loss function with respect to the input image, iteratively update the momentum term to counteract the perturbation; Step 6: Perturbation clipping and output of adversarial examples: Perform projection clipping on the generated adversarial examples to ensure that the perturbation amplitude and pixel values ​​are within the legal range, and output the final adversarial examples.

[0022] Specifically, in step one, input one or more original images. And set the attack parameters: maximum perturbation constraint ∈[0.01,0.1] (takes 8 / 255 or 16 / 255), number of iterations ∈[5,50], step size Frequency domain loss weights ∈[0.1,10], sensitive region enhancement coefficient β∈[0.05,0.5], multiplicative noise range ∈[0.1,0.8], additive noise standard deviation ∈[0.001,0.1], Sensitive Mask Threshold %∈[5%,30%], and determine the attack type (directed or undirected) and target label (if directed).

[0023] The advantages are: it covers the needs of different attack scenarios through parameter settings, the set value range is scientific and reasonable, it can flexibly adapt to targeted and non-targeted attacks, and at the same time, it clarifies the relationship between step size and maximum perturbation, thereby avoiding excessive perturbation that destroys imperceptibility or too small perturbation that causes attack failure. It provides standardized and adjustable basic parameter support for the stable advancement of subsequent attack processes and reduces the blindness of parameter settings.

[0024] Specifically, the process of generating the common sensitive frequency domain mask in step two: S1.1 Prepare multiple alternative models (such as VGG19, ResNet50, DenseNet-121), and perform Fourier perturbation analysis on each model: S1.2 Add small perturbations to different frequency bases and observe the changes in model output to generate corresponding Fourier heatmaps. The higher the heatmap value, the more sensitive the model is to that frequency. S1.3 Integrate the heatmaps of all alternative models (e.g., take the average value) to obtain a common frequency domain sensitivity distribution map; S1.4 Finally, the distribution map is binarized, and the map with the highest sensitivity is selected. % frequency region as a public sensitive mask The remaining area serves as a non-sensitive mask. .

[0025] The advantages are: by integrating and analyzing multiple architecture alternative models, the frequency domain characteristics of a single model are avoided, and the generated common sensitivity mask can accurately capture the common frequency domain sensitive areas of different models, effectively avoiding the overfitting problem of alternative models; while the visualization analysis method of Fourier heatmap can intuitively reflect the sensitivity of the model to different frequencies, thus providing a clear direction for subsequent perturbation constraints, and ultimately laying the core foundation for improving the transferability of adversarial examples.

[0026] Specifically, in step three, the frequency domain model enhancement process is as follows: S2.1, For the current image (or adversarial examples) First, its frequency domain representation is obtained through Fast Fourier Transform (FFT). Simultaneously, random noise is introduced in the frequency domain: generating uniformly distributed multiplicative noise. ∈[0,ρ] and with Perform Hadamard accumulation; S2.2, Regenerating Additive Noise with Gaussian Distribution The frequency domain representation and added to superior; S2.3 Continue to utilize public sensitive masks The enhanced spectrum is weighted, i.e., it is combined with the matrix ( ) to perform Hadamard accumulation, among which It is a matrix of all ones. For enhancement coefficient; S2.4 Finally, the enhanced frequency domain signal is converted back to the spatial domain using inverse Fourier transform (IFFT) to obtain the enhanced image. .

[0027] The advantages are: by enhancing in the frequency domain rather than the spatial domain, it accurately matches the frequency domain characteristics of DNNs; the introduction of random noise can simulate diverse model spectral characteristics, expand the representation range of the alternative model, and effectively reduce the spectral difference between the alternative model and the unknown black box model; while the weighted enhancement of sensitive regions strengthens the changes in key frequency domains, thereby further improving the transferability of adversarial examples, while avoiding ineffective enhancement in non-sensitive regions, and taking into account both the attack effect and the imperceptibility of the perturbation.

[0028] Specifically, in step four, the image will be enhanced. Input the alternative model and calculate the adversarial loss. : For targeted attacks, a ternary loss or .

[0029] Specifically, in step four, the image will be enhanced. Input the alternative model and calculate the adversarial loss. : For non-targeted attacks, cross-entropy loss or Simultaneously calculate frequency domain loss ,in Sensitive area The strength of the difference (e.g., L2 norm) between adversarial examples and the original image frequency domain representation. The intensity of difference within non-sensitive areas, To prevent division by zero for small constants, the total loss = + * , To weigh the parameters.

[0030] The advantages are: the joint loss function takes into account both adversarial effect and frequency domain constraints; the adversarial loss can accurately adapt to both directional and non-directional attack scenarios, ensuring that adversarial examples can effectively mislead model predictions; the frequency domain loss can force the perturbation energy to be concentrated in the common sensitive frequency domain, suppressing redundant perturbations in non-sensitive areas, which not only improves the transferability of adversarial examples, but also avoids excessive perturbation from destroying imperceptibility; the λ weight parameter can flexibly adjust the proportion of the two losses to adapt to different attack requirements and improve the versatility of the method.

[0031] Specifically, the perturbation update and momentum optimization process in step five: S3.1 First calculate the total loss. For the input image gradient Introducing the momentum term: ,in, Let be the momentum decay factor (set to 1.0), and update the perturbation based on the momentum gradient: Step length ; S3.2, then update the adversarial examples. = + As input for the next iteration.

[0032] The advantages are: the introduction of momentum terms can smooth the gradient update process, effectively avoid gradient oscillations, accelerate the convergence speed, and reduce overfitting to the decision boundary of the alternative model during iteration, further improving the transferability of adversarial examples; while gradient normalization can avoid the runaway perturbation caused by excessively large gradient magnitudes, and the binding of step size with maximum perturbation and number of iterations ensures that the perturbation update is stable and controllable, balancing attack efficiency and attack effect.

[0033] Specifically, in step six, the perturbation pruning and adversarial example output process involves: after each iteration or after the final iteration, the perturbation... Perform projection cropping to make it The norm does not exceed the preset threshold ,Right now Simultaneously, the pixel values ​​of the adversarial examples are cropped to the [0,1] interval (when the image has been normalized), after... After the second iteration, the final adversarial example is output. .

[0034] The advantages are: the perturbation cropping can strictly control the perturbation amplitude to ensure that it does not exceed the preset threshold, thus ensuring the imperceptibility of adversarial examples and effectively preventing them from being detected by the human eye or identified by the defense system due to excessive perturbation; while the normalization of pixel values ​​can ensure that adversarial examples conform to the legal format of the image and can be normally input into the target model for prediction, while avoiding model prediction distortion caused by abnormal pixel values, thus ensuring the stability of the attack effect.

[0035] Specifically, the program embedded in the computer-readable storage medium of the image to be processed implements the method as described in any one of claims 1-8 when executed by a processor.

[0036] The system for generating transferable adversarial examples based on frequency domain sensitivity analysis generates an execution system according to the aforementioned method for generating transferable adversarial examples based on frequency domain sensitivity analysis. The system includes an image acquisition module, a parameter configuration module, a mask generation module, a frequency domain enhancement module, a loss calculation module, a perturbation optimization module, a cropping module, and an output module. The image acquisition module is used to acquire the original input image and pass the image to subsequent modules; The parameter configuration module is used to set attack parameters, including maximum perturbation constraints. Number of iterations Step length Loss weights Enhancement coefficient Noise parameters and Mask threshold The parameters are then assigned to relevant modules, along with the percentage and attack type. The mask generation module generates a common sensitive frequency domain mask based on multiple pre-trained alternative models through Fourier perturbation analysis. The mask is then provided to the frequency domain enhancement module and the loss calculation module. The frequency domain enhancement module performs a Fourier transform on the current image, introduces random noise, and utilizes a mask in each iteration. Weighted enhancement is performed, followed by inverse transformation back to the spatial domain to obtain the enhanced image. And send it to the loss calculation module; The loss calculation module receives the enhanced image and calculates the joint loss. = + * The loss value and gradient information are then passed to the perturbation optimization module. The perturbation optimization module calculates the momentum term based on the loss gradient and updates the adversarial perturbation. The updated perturbation is then applied to the original image to obtain new adversarial examples, and this process is repeated iteratively. The trimming module performs projection trimming on the perturbation after each update to ensure that the perturbation amplitude does not exceed [the specified value]. The cropped samples are then returned to the frequency domain enhancement module for the next iteration. The output module receives the final adversarial example after the iteration terminates. And output it as the system output.

[0037] The aforementioned modules form an end-to-end transferable adversarial example generation system based on frequency domain sensitivity analysis. This system can generate adversarial examples with high transferability, strong anti-defense capabilities, and good imperceptibility even in black-box scenarios, effectively improving the success rate of targeted and non-targeted attacks on unknown deep learning models. It provides reliable technical support for deep learning model security assessment and adversarial defense research. Specifically, the system uses a mask generation module to mine common frequency domain sensitive regions among multiple alternative models, a frequency domain enhancement module to bridge the spectral differences between alternative models and black-box models, a joint loss function to guide perturbation energy to concentrate on key frequency domain components, and iterative optimization and constraint control to ensure attack effectiveness and image quality. Finally, it outputs highly transferable adversarial examples capable of deceiving various unknown model architectures, suitable for applications such as security testing of computer vision systems, evaluation of adversarial defense mechanisms, and robustness certification of deep learning models.

[0038] Example Perform targeted black-box attacks on the ResNet50 model on the Tiny-ImageNet dataset.

[0039] The following describes the generation of adversarial examples using the method of this invention: T1, Parameter Settings: Maximum Disturbance =16 / 255, number of iterations =10, step size = / =1.6 / 255, frequency domain loss weight =1.0, Sensitive Area Enhancement Coefficient =0.1, multiplicative noise range =0.5, additive noise standard deviation = And set the sensitivity mask threshold to 20%; T2. Generate Sensitive Masks: Using models trained on the Tiny-ImageNet training set using VGG19, ResNet50, DenseNet-121, and Wide-ResNet50, calculate their Fourier heatmaps respectively, and then ensemble and average them to generate a common sensitive mask. ; T3. Iteratively generate adversarial examples, then input a clean image. and its target label For each iteration, perform the frequency domain enhancement in step T1 to obtain... ; T4, will Input the alternative model (ResNet50 in this example) and calculate the adversarial loss for targeted attacks. and frequency domain loss ; T5. Calculate the total loss regarding The gradient is used to update the current perturbation δ in conjunction with the momentum term; T6, Yes +δ is used for trimming to ensure that the perturbation is within the allowable range; T7. Output: After T iterations, output the final adversarial example. ; T8. Verification: [The following is a list of steps / methods] Input the data into an unknown black-box model (such as VGG19, ResNet18, etc.) and observe whether it is misclassified as the target category. To verify the success rate of the attack migration; Experimental results show that, under the settings of this embodiment, the method of the present invention significantly improves the average migration success rate (approximately 5%-18%) in black-box targeted attacks compared to existing methods such as I-FGSM, MI-FGSM, DI-FGSM, and S2I-FGSM.

[0040] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.

Claims

1. A method for generating transferable adversarial examples based on frequency domain sensitivity analysis, characterized in that, Includes the following steps: Step 1: Obtain the input image and initialize the attack parameters: Obtain the original image to be attacked and set the hyperparameters related to the adversarial attack; Step 2: Generate common sensitive frequency domain mask: Based on multiple pre-trained alternative models with different architectures, generate a common sensitive frequency domain mask through frequency domain sensitivity analysis; Step 3, Frequency Domain Model Enhancement: In each iteration, the current image is transformed in the frequency domain and random enhancements are introduced to simulate diverse model spectral characteristics; Step 4: Calculate the joint loss function: Calculate the joint loss function, which includes adversarial loss and frequency domain constraint loss, to guide perturbation optimization; Step 5, Perturbation Update and Momentum Optimization: Based on the gradient of the joint loss function with respect to the input image, iteratively update the momentum term to counteract the perturbation; Step 6: Perturbation clipping and output of adversarial examples: Perform projection clipping on the generated adversarial examples to ensure that the perturbation amplitude and pixel values ​​are within the legal range, and output the final adversarial examples.

2. The method for generating transferable adversarial examples based on frequency domain sensitivity analysis according to claim 1, characterized in that, In step one, one or more original images are input. And set the attack parameters: maximum perturbation constraint ∈[0.01,0.1], number of iterations ∈[5,50], step size Frequency domain loss weights ∈[0.1,10], sensitive region enhancement coefficient β∈[0.05,0.5], multiplicative noise range ∈[0.1,0.8], additive noise standard deviation ∈[0.001,0.1], Sensitive Mask Threshold %∈[5%,30%], and determine the attack type and target label.

3. The method for generating transferable adversarial examples based on frequency domain sensitivity analysis according to claim 1, characterized in that, The process of generating the common sensitive frequency domain mask in step two: S1.1 Prepare multiple alternative models and perform Fourier perturbation analysis on each model: S1.2 Add small perturbations to different frequency bases and observe the changes in model output to generate corresponding Fourier heatmaps. The higher the heatmap value, the more sensitive the model is to that frequency. S1.3 Integrate the heatmaps of all alternative models to obtain a common frequency domain sensitivity distribution map; S1.4 Finally, the distribution map is binarized, and the map with the highest sensitivity is selected. % frequency region as a public sensitive mask The remaining area serves as a non-sensitive mask. .

4. The method for generating transferable adversarial examples based on frequency domain sensitivity analysis according to claim 1, characterized in that, The frequency domain model enhancement process in step three: S2.1, For the current image or adversarial examples First, its frequency domain representation is obtained through Fast Fourier Transform. Simultaneously, random noise is introduced in the frequency domain: generating uniformly distributed multiplicative noise. ∈[0,ρ] and with Perform Hadamard accumulation; S2.2, Regenerating Additive Noise with Gaussian Distribution The frequency domain representation and added to superior; S2.3 Continue to utilize public sensitive masks The enhanced spectrum is weighted, i.e., it is combined with the matrix ( ) to perform Hadamard accumulation, among which It is a matrix of all ones. For enhancement coefficient; S2.4 Finally, the enhanced frequency domain signal is converted back to the spatial domain using inverse Fourier transform to obtain the enhanced image. .

5. The method for generating transferable adversarial examples based on frequency domain sensitivity analysis according to claim 1, characterized in that, In step four, the enhanced image will be... Input the alternative model and calculate the adversarial loss. For targeted attacks, a ternary loss mechanism or... .

6. The method for generating transferable adversarial examples based on frequency domain sensitivity analysis according to claim 1, characterized in that, In step four, the enhanced image will be... Input the alternative model and calculate the adversarial loss. For non-targeted attacks, cross-entropy loss or... Simultaneously calculate frequency domain loss ,in Sensitive area The strength of the difference (e.g., L2 norm) between adversarial examples and the original image frequency domain representation. The intensity of difference within non-sensitive areas, To prevent division by zero for small constants, the total loss = + * , To weigh the parameters.

7. The method for generating transferable adversarial examples based on frequency domain sensitivity analysis according to claim 1, characterized in that, The perturbation update and momentum optimization process in step five: S3.1 First calculate the total loss. For the input image gradient Introducing the momentum term: ,in, Let be the momentum decay factor, and update the perturbation based on the momentum gradient: Step length ; S3.2, then update the adversarial examples. = + As input for the next iteration.

8. The method for generating transferable adversarial examples based on frequency domain sensitivity analysis according to claim 1, characterized in that, The perturbation pruning and adversarial example output process in step six: After each iteration or after the final iteration, the perturbation is... Perform projection cropping to make it The norm does not exceed the preset threshold ,Right now Simultaneously, the pixel values ​​of the adversarial examples are cropped to the [0,1] interval, after... After the second iteration, the final adversarial example is output. .

9. The method for generating transferable adversarial examples based on frequency domain sensitivity analysis according to claim 1, characterized in that, When the program embedded in the computer-readable storage medium of the image to be processed is executed by a processor, it implements the method as described in any one of claims 1-8.

10. A transferable adversarial example generation system based on frequency domain sensitivity analysis, characterized in that, The system for generating transferable adversarial examples based on frequency domain sensitivity analysis, as described in claims 1-9, comprises an image acquisition module, a parameter configuration module, a mask generation module, a frequency domain enhancement module, a loss calculation module, a perturbation optimization module, a cropping module, and an output module. The image acquisition module is used to acquire the original input image and pass the image to subsequent modules; The parameter configuration module is used to set attack parameters, including maximum perturbation constraints. Number of iterations Step length Loss weights Enhancement coefficient Noise parameters and Mask threshold The parameters are then assigned to relevant modules, along with the percentage and attack type. The mask generation module generates a common sensitive frequency domain mask based on multiple pre-trained alternative models and through Fourier perturbation analysis. The mask is then provided to the frequency domain enhancement module and the loss calculation module. The frequency domain enhancement module performs a Fourier transform on the current image, introduces random noise, and utilizes a mask in each iteration. Weighted enhancement is performed, followed by inverse transformation back to the spatial domain to obtain the enhanced image. And send it to the loss calculation module; The loss calculation module receives the enhanced image and calculates the joint loss. = + * The loss value and gradient information are then passed to the perturbation optimization module. The perturbation optimization module calculates the momentum term based on the loss gradient and updates the adversarial perturbation. The updated perturbation is then applied to the original image to obtain new adversarial examples, and this process is repeated iteratively. The clipping module performs projection clipping on the disturbance after each update to ensure that the disturbance amplitude does not exceed [the specified value]. The cropped samples are then returned to the frequency domain enhancement module for the next iteration. The output module receives the final adversarial sample after the iteration terminates. And output it as the system output.

Images