Adversarial attack method based on sampling enhanced momentum initialization and attenuated dynamic step length

Sampling-enhanced momentum initialization and a decaying dynamic step size address two problems in momentum iterative attacks: an initial direction that easily gets trapped in local optima, and transferability decay. This improves the cross-model transferability and attack success rate of adversarial examples.

CN122244638A · Pending · Publication Date: 2026-06-19 · GUIZHOU UNIV

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Applications (China)
Current Assignee / Owner: GUIZHOU UNIV
Filing Date: 2026-05-15
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

Existing momentum-based iterative attack methods suffer from overly simplistic momentum initialization, which makes the initial perturbation direction prone to getting trapped in local optima. Furthermore, the fixed step size strategy fails to adapt to the law of transferability decay, resulting in insufficient cross-model transferability of adversarial examples.

Method used

The method of sampling to enhance momentum initialization and decaying dynamic step size is adopted. Multiple sets of neighborhood sampling samples are constructed by applying random masking to the original image, the gradient mean of the loss function is calculated to update the cumulative momentum, and a dynamic step size sequence in the form of exponential decay is generated to optimize the initial momentum and iterative perturbation allocation.

Benefits of technology

It improves the cross-model transferability and attack success rate of adversarial examples, suppresses the transferability decay phenomenon, and realizes efficient black-box adversarial attacks.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention discloses an adversarial attack method based on sampling-enhanced momentum initialization and decaying dynamic step size, comprising: inputting an original image and performing sampling-enhanced momentum initialization to obtain an initial momentum; calculating an initial dynamic step size according to a preset perturbation budget upper limit, the total number of attack iterations, and a perturbation intensity factor, and generating a decaying dynamic step size sequence in exponential decay form according to the iteration rounds; starting the formal iteration from the initial momentum, updating the adversarial sample according to the current round's decaying dynamic step size and the sign function of the updated cumulative momentum, and constraining it within a preset perturbation range, which completes a single formal iteration; repeating the formal iteration steps until the preset total number of iterations is reached, and outputting the final adversarial sample. This invention solves the problems of poor momentum initialization quality and the difficulty of adapting fixed step sizes to the transferability decay law in current adversarial attack methods, effectively improving the cross-model transferability of adversarial samples and the success rate of black-box adversarial attacks.

Description

Technical Field

[0001] This invention belongs to the fields of artificial intelligence security and computer vision, and in particular, relates to an adversarial attack method based on sampling-enhanced momentum initialization and decay dynamic step size.

Background Technology

[0002] In recent years, deep neural networks (DNNs) have been widely applied in computer vision fields such as image classification, face recognition, and autonomous driving. However, deep neural networks generally suffer from adversarial vulnerability, meaning that attackers can induce the model to output incorrect predictions by adding tiny perturbations to the original input image. Such maliciously constructed inputs are called adversarial examples. The cross-model transferability of adversarial examples is a core attribute in black-box adversarial attacks. Transferability means that adversarial examples generated on an alternative (surrogate) model with known structure and parameters can still effectively attack the black-box target model with unknown internal information. Currently, momentum-based iterative methods have become the mainstream technical path to improve the transferability of adversarial examples. These methods accumulate historical gradient information during the iteration process to stabilize the update direction of adversarial perturbations, thereby optimizing the effect of black-box attacks.

[0003] Current momentum-based iterative attack methods generally suffer from two limitations. First, the momentum initialization methods are relatively simplistic, typically employing zero initialization or simple iterations based on a single path to obtain initial momentum. This makes the initial perturbation direction prone to getting trapped in local optima, limiting the convergence quality of subsequent attacks. Second, the use of a fixed step size strategy during the iterative attack phase fails to fully consider the dynamic changes in the adversarial sample transferability at different iteration stages. This leads to a transferability decay phenomenon, where early iterations exhibit strong transferability, while later iterations overfit to the alternative model, resulting in an overall reduction in the adversarial sample's cross-model transferability.

[0004] In summary, to address the technical problems of low momentum initialization quality and transferability decay caused by a fixed step size in existing momentum iteration attack methods, an adversarial attack method based on sampling-enhanced momentum initialization and decaying dynamic step size is proposed.

Summary of the Invention

[0005] The main objective of this invention is to provide an adversarial attack method based on sampling-enhanced momentum initialization and decaying dynamic step size. This method obtains high-quality initial momentum through sampling-enhanced momentum initialization and redistributes the perturbation contribution weights of each iteration step through decaying dynamic step size. Under a fixed perturbation budget, it strengthens the effect of early high-transferability perturbations, suppresses overfitting of later perturbations, improves the cross-model transferability of adversarial examples, and achieves efficient black-box adversarial attacks. This solves the technical problems of existing momentum-based adversarial attack methods: low momentum initialization quality, and a fixed iteration step size that fails to adapt to the transferability decay law of adversarial attacks, so that adversarial examples easily overfit to the alternative model and have insufficient cross-model transferability.

[0006] Based on the first main aspect of the present invention, an adversarial attack method based on sampling-enhanced momentum initialization and decay dynamic step size is provided, comprising the following steps:

[0007] Input the original image, perform sampling enhancement momentum initialization, apply random masking to the original image to construct multiple sets of neighborhood sampling samples, and update the cumulative momentum and image based on the gradient mean of the loss function corresponding to the multiple sets of neighborhood sampling samples, repeat until the initial momentum is obtained;

[0008] Based on the preset upper limit of the perturbation budget, the total number of attack iterations, and the perturbation intensity factor, the initial dynamic step size is calculated, and an exponentially decaying dynamic step size sequence is generated according to the iteration rounds.

[0009] Based on the initial momentum, the formal iteration is started. In each round, the gradient of the loss function corresponding to the current adversarial sample is calculated and the cumulative momentum is updated. The adversarial sample is updated according to the decay dynamic step size sequence of the current round and the sign function of the updated cumulative momentum, and constrained within a preset perturbation range to complete a single formal iteration.

[0010] Repeat the formal iteration steps until the preset total number of iterations is reached, and output the final adversarial example.

[0011] As a further preferred embodiment, in the aforementioned method, the steps for constructing multiple sets of neighborhood sampling samples are as follows:

[0012] For the original image being processed, a random mask tensor is generated according to a set mask probability. Each position in the random mask tensor takes a non-zero decay value with the mask probability, and a zero value with probability one minus the mask probability.

[0013] Based on the mask tensor, the following formula is used to construct multiple sets of neighborhood sampling samples in the neighborhood of the original image;

[0014] The formula is:

[0015] ;

[0016] in, The first image generated based on the original image Group neighborhood sampling samples, This represents the original image currently being processed. This represents element-wise multiplication. Represents a mask tensor. Indicates the index of the original image sample. This indicates the group number of the sampled neighboring area.

[0017] As a further preferred embodiment, in the aforementioned method, the steps for updating the cumulative momentum and image based on the gradient mean of the loss function corresponding to multiple sets of neighborhood sampled samples are as follows:

[0018] Calculate the gradient of the loss function corresponding to each group of neighborhood samples, sum the gradients of multiple groups of samples and take the average to obtain the average gradient of the current iteration;

[0019] The accumulated momentum is updated using the momentum decay factor and the average gradient. The current image is updated by combining the global search factor, the basic step size and the sign function of the accumulated momentum, thus completing a single initialization iteration.

[0020] Repeated sampling, gradient calculation, momentum update, and image update operations are performed until all momentum initialization iterations are completed, resulting in the initial momentum for the actual attack.

[0021] This momentum initialization mechanism based on random masked neighborhood sampling systematically advances the enhancement approach to the momentum initialization stage. By distributing and calculating the loss gradient on multiple sets of neighborhood image variants processed by random masking and merging them on an average basis, an initial momentum direction with local surface smoothing is provided for the formal attack.

[0022] This mechanism shifts the focus of existing methods from gradient optimization in the formal iteration phase to the impact of initialization quality on the final transferability performance.

[0023] Specifically, multiple different random mask tensors are generated for the original image. Each mask tensor takes a non-zero decay value at each position with a preset probability and a zero value with a complementary probability. By multiplying the original image element-wise with the tensor after masking, the image's main semantic structure can be preserved while generating several neighborhood sampling samples with subtle pixel intensity differences. Mathematically, these samples constitute random sampling points within a very small neighborhood surrounding the original image.

[0024] Subsequently, the gradient vector of the loss function relative to the input image is independently calculated for each group of neighborhood samples. Since the small offsets of different samples in the pixel space correspond to different positions on the loss surface, the gradient directions calculated by each sample can reflect different aspects of the surface geometry in the local region.

[0025] Finally, the average gradient of the current iteration is obtained by summing the vectors of all sampled gradients and taking the average value. This average gradient is fused with the historical accumulated momentum through the momentum decay factor and used to update the image and obtain the accumulated momentum required for the next round of initialization. This improves the average attack success rate of adversarial examples on unknown black-box models and also reduces the volatility of attack results under different random initialization conditions.

[0026] Furthermore, this scheme transforms the uncertainty introduced by the random mask into a more robust estimate of the local geometry of the loss surface by performing multiple sampling operations and averaging them during the initialization phase. The adversarial examples generated after the momentum initialization mechanism based on random mask neighborhood sampling can effectively suppress the variance of their attack success rate when facing target models with different network structures.

[0027] The deeper significance of this effect lies in the fact that traditional zero-initialization methods tend to make the attack path overly dependent on the specific geometric shape of the loss surface of the alternative model at a specific single point. This highly specific local shape often lacks a correspondence with the loss surface of the target model, resulting in drastic fluctuations in attack performance between different target models. In contrast, this scheme obtains the initial momentum through neighborhood aggregation, which integrates the average gradient trend in the region surrounding the original image, reflecting the common evolution of the loss surface in that region.

[0028] This common direction has stronger transferability between deep neural networks with different structures, which can greatly improve the average success rate and enhance the cross-model stability of attack performance.

[0029] As a further preferred embodiment, in the aforementioned method, the calculation of the initial dynamic step size specifically involves:

[0030] ;

[0031] in, This indicates the upper limit of the disturbance budget. Indicates the initial dynamic step size. This represents the disturbance intensity factor. Indicates the total number of iterations;

[0032] The specific method for generating the exponentially decaying dynamic step size sequence is as follows:

[0033] ;

[0034] in, Indicates the first The actual step size used during round iteration. Indicates the initial dynamic step size. This represents the disturbance intensity factor. Indicates the current iteration step;

[0035] The sum of all iteration steps equals the upper limit of the perturbation budget.

[0036] In the decaying dynamic step size mechanism, by establishing a mathematical relationship between the step size sequence, the total perturbation budget, and the total number of iterations, the sum of the step sizes of all iterations is precisely equal to the upper limit of the perturbation budget during the planning stage, thereby internalizing the perturbation constraints of adversarial examples into the mathematical model of step size generation itself.

[0037] In this scheme, an initial step size is calculated using the upper limit of the perturbation budget, the total number of iterations, and the perturbation strength factor. In each subsequent formal iteration, the actual step size for the current iteration is calculated by multiplying the initial dynamic step size by a specific power of the perturbation strength factor. Since the perturbation strength factor is strictly limited to between zero and one, the actual step size used will exhibit a gradually decreasing exponential decay pattern as the number of iterations increases.

[0038] This design structurally suppresses the transferability decay phenomenon prevalent during attacks. The exponential decay step size strategy dynamically matches the step size allocation ratio to the way transferability changes over the iterations. The step size is larger in the early stages of the attack, fully leveraging the value of highly transferable gradients. In the later stages of the attack, the step size shrinks sharply, reducing at the source the weight of low-transferability, high-specificity perturbation components in the final adversarial example. Mathematically, this is equivalent to applying a very strong time-domain low-pass filter to the specific gradient of the alternative model in the later stages of iteration, blocking the influence of high-frequency non-robust features on the morphology of the final adversarial example.

[0039] As a further preferred embodiment, in the aforementioned method, the step of calculating the gradient of the loss function corresponding to the previous adversarial example and updating the cumulative momentum in each round is as follows:

[0040] The initial momentum obtained from initialization is used as the starting point for formal iteration. In each round of attack iteration, the gradient of the loss function corresponding to the current adversarial sample is calculated. Combining the momentum decay factor, historical cumulative momentum and the current gradient, a new round of cumulative momentum is updated.

[0041] As a further preferred embodiment, in the aforementioned method, the steps for updating the adversarial examples are as follows:

[0042] The current round's decay dynamic step size is called, and the adversarial sample is updated by combining the sign function of the accumulated momentum; the updated adversarial sample is constrained within the perturbation budget of the original image to complete a single attack iteration.

[0043] As a further preferred option, in the aforementioned method, the execution steps of sampling to enhance momentum initialization and generating the exponentially decaying dynamic step sequence can be embedded into momentum iteration-based adversarial attack methods without modifying the target model or introducing additional computational overhead. It can also be used in conjunction with input transformation and model ensemble attack methods.

[0044] Based on a second key aspect of the present invention, an adversarial attack system based on sampling-enhanced momentum initialization and decay dynamic step size is provided for implementing the aforementioned method, comprising:

[0045] The sampling enhancement momentum initialization module is used to construct multiple sets of neighborhood sampling samples by applying random masking to the original image in the initial momentum stage, and update the accumulated momentum and image based on the gradient mean of the loss function corresponding to the multiple sets of neighborhood sampling samples, repeating until the initial momentum is obtained.

[0046] The decay dynamic step size sequence module is used to calculate the initial dynamic step size based on the upper limit of the perturbation budget, the total number of attack iterations, and the perturbation intensity factor, and generate a decay dynamic step size sequence in the form of exponential decay according to the iteration rounds.

[0047] The adversarial example iterative generation module is used to iteratively generate adversarial examples based on initial momentum and decay dynamic step size;

[0048] The output module is used to iterate until the total number of iterations is completed, and then output the final adversarial sample.

[0049] Based on a third key aspect of the present invention, an electronic device is provided, comprising: a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory communicate with each other via the communication bus;

[0050] The memory stores a computer program, which, when executed by the processor, causes the processor to perform the aforementioned adversarial attack method based on sampling-enhanced momentum initialization and decaying dynamic step size.

[0051] Based on the fourth principal aspect of the present invention, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed, implements the aforementioned adversarial attack method based on sampling-enhanced momentum initialization and decay dynamic step size.

[0052] Compared with existing technologies, this invention solves the problem of initial directions easily getting trapped in local optima due to the single momentum initialization method in momentum iteration methods. By applying random masking to the original image during the momentum initialization stage to construct multiple sets of neighborhood sampling samples, and accumulating momentum and updating the image based on the gradient mean of the loss function corresponding to each set of samples, an initial momentum with higher generalization and directional representativeness is provided for the formal attack. This sampling-enhanced initialization mechanism breaks through the limitations of traditional zero initialization or single-path pre-iteration amplification, and can more comprehensively explore the surface features of the loss function in the input space, so that the initial perturbation direction can avoid local optima, thereby laying a better directional starting point for subsequent iterative attacks and improving the cross-model transferability of adversarial examples.

[0053] Meanwhile, this invention addresses the deficiency of transferability decay caused by fixed step sizes in existing methods by incorporating a dynamic step size sequence generation strategy that gradually decays with the iteration process. By using the upper limit of the perturbation and the total number of attack iterations as constraints to generate an exponentially decaying step size sequence, it achieves differentiated perturbation allocation: a larger step size in the early stages of the attack to quickly approach the decision boundary, and a smaller step size for fine-tuning in the later stages. This decaying dynamic step size mechanism effectively suppresses the tendency for overfitting to the alternative model in later iterations due to excessively large step sizes, fundamentally alleviating the transferability decay phenomenon. It ensures the reasonable allocation and dynamic optimization of adversarial perturbations throughout the iteration process, further enhancing the attack success rate and stability of adversarial examples in black-box scenarios.

[0054] Finally, this invention lays the technical foundation for a high-quality attack starting point through sampling-enhanced momentum initialization, and the decaying dynamic step size sequence provides dynamic optimization assurance for perturbation amplitude control during the iteration process. The synergistic effect of these two mechanisms enables a full-process attack from initialization to update. Furthermore, the two mechanisms proposed in this invention do not require modification of the model structure or introduce additional computational overhead, and can be easily embedded into existing momentum-based adversarial attack frameworks, exhibiting good versatility and compatibility. This provides a reliable technical solution for promoting the application of adversarial attack technology in practical scenarios such as black-box model evaluation and defense hardening.

Attached Figure Description

[0055] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, obtaining other drawings based on these drawings without creative effort still falls within the scope of the present invention.

[0056] Figure 1 is a flowchart illustrating the execution of an adversarial attack method based on sampling-enhanced momentum initialization and decay dynamic step size in one embodiment of the present invention.

[0057] Figure 2 is a flowchart of an adversarial attack method based on sampling-enhanced momentum initialization and decay dynamic step size in one embodiment of the present invention.

[0058] Figure 3 shows a visualization of the adversarial samples generated by an adversarial attack method based on sampling-enhanced momentum initialization and decay dynamic step size, as well as by other attacks, in one embodiment of the present invention.

[0059] Figure 4 shows a comparison of the model heatmaps for the adversarial samples and the original sample, for an adversarial attack method based on sampling-enhanced momentum initialization and decaying dynamic step size in one embodiment of the present invention.

Detailed Implementation

[0060] The preferred embodiments of the present invention will be described in detail below to provide a clearer understanding of the purpose, features, and advantages of the invention. It should be understood that the following embodiments are not intended to limit the scope of the invention, but are merely illustrative of the essential spirit of the technical solution of the invention.

[0061] In the following description, certain specific details are set forth for the purpose of illustrating various disclosed embodiments in order to provide a thorough understanding of the various disclosed embodiments. However, those skilled in the art will recognize that embodiments may be practiced without one or more of these specific details. In other instances, well-known techniques associated with the invention may not have been shown or described in detail to avoid unnecessarily obscuring the description of the embodiments.

[0062] Throughout this specification, references to "one embodiment" or "an embodiment" indicate that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. Therefore, the appearance of "in one embodiment" or "in an embodiment" in various places throughout the specification does not necessarily refer to the same embodiment. Furthermore, a particular feature, structure, or characteristic may be combined in any manner in one or more embodiments.

[0063] The following is a description of the specific meanings of technical terms, English abbreviations, and formula parameters that may be used in this invention:

[0064] Mask probability: A preset scalar parameter used to control the frequency of specific events during the generation of a random mask. Its value is usually limited to a closed interval between zero and one.

[0065] Mask tensor: refers to a multidimensional array with the same dimensional structure as the target data tensor, whose internal element values are used to selectively preserve, attenuate or mask corresponding positions in the target tensor.

[0066] Cumulative momentum refers to a state variable with inertial characteristics formed by weighting and accumulating historical gradient information in a certain proportion during the iterative update process.

[0067] Adversarial examples refer to special input samples formed by adding minute perturbations that are difficult for the human eye or conventional detection methods to detect on the basis of the original input data. Their core feature is that they can mislead deep learning models to output erroneous predictions that are completely inconsistent with the real situation.

[0068] MI-FGSM: Momentum Iterative Fast Gradient Sign Method is an improved iterative fast gradient sign attack algorithm, mainly used to generate adversarial examples to evaluate the robustness of deep learning models. By introducing a momentum term to optimize the gradient update direction, it maintains a high attack rate while enhancing the transfer capability in black-box scenarios.

[0069] As shown in Figure 1, one embodiment of the present invention provides an adversarial attack method based on sampling-enhanced momentum initialization and decay dynamic step size, including the following steps S1-S4:

[0070] Step S1: Input the original image, perform sampling enhancement momentum initialization, apply random masking to the original image to construct multiple sets of neighborhood sampling samples, and update the cumulative momentum and image based on the gradient mean of the loss function corresponding to the multiple sets of neighborhood sampling samples, repeat until the initial momentum is obtained;

[0071] Step S2: Calculate the initial dynamic step size based on the preset upper limit of the perturbation budget, the total number of attack iterations, and the perturbation intensity factor, and generate a decay dynamic step size sequence in the form of exponential decay according to the iteration rounds.

[0072] Step S3: Based on the initial momentum, start the formal iteration. In each round, calculate the gradient of the loss function corresponding to the current adversarial sample and update the cumulative momentum. Update the adversarial sample according to the decay dynamic step size sequence of the current round and the sign function of the updated cumulative momentum, and constrain it within the preset perturbation range to complete a single formal iteration.

[0073] Step S4: Repeat the formal iteration steps until the preset total number of iterations is reached, and output the final adversarial sample.

[0074] In one feasible embodiment, as shown in Figures 2 to 4, this invention provides an adversarial attack method based on sampling-enhanced momentum initialization and decaying dynamic step size. The method optimizes the initial gradient direction by sampling-enhanced momentum initialization and adjusts the iterative perturbation allocation by decaying dynamic step size, thereby improving the transferability of adversarial examples.

[0075] Specifically, Figure 3 shows, from left to right, the original clean image, adversarial examples generated using the momentum iteration fast gradient sign method, adversarial examples generated using the input transformation enhanced momentum iteration method, and adversarial examples generated using the sampling enhanced momentum initialization and decay dynamic step size adversarial attack method provided by this invention.

[0076] Figure 4 displays, from left to right, the original clean image, the model heatmap of the original clean image, the model heatmap of the adversarial example generated using the momentum iteration fast gradient sign method, the model heatmap of the adversarial example generated using the momentum iteration method enhanced by input transformation, and the model heatmap of the adversarial example generated by the adversarial attack method based on sampling enhancement momentum initialization and decay dynamic step size provided by this invention.

[0077] The specific implementation steps of this invention are as follows:

[0078] First, perform sampling-enhanced momentum initialization.

[0079] During the momentum initialization iteration phase, a random mask tensor is generated for the currently processed image according to a set mask probability:

[0080] ;

[0081] in, Represents a random mask tensor; Represents a random mask tensor; Indicates color channels; Indicates the mask probability; Represents the random mask tensor Each position Above, based on probability The value is 0.5. Indicates that at the same location, with probability The value is 0.

[0082] Multiple sets of neighborhood sampling samples are constructed in the neighborhood of the original image based on the mask tensor:

[0083] ;

[0084] where, The first image generated based on the original image Group neighborhood sampling samples, This represents the original image currently being processed. This represents element-wise multiplication. Represents a random mask tensor. Indicates the index of the original image sample. This indicates the group number of the sampled neighboring area.

[0085] Each position of the random mask tensor takes the non-zero attenuation value 0.5 with the mask probability, and takes the value 0 with probability 1 minus the mask probability.

[0086] Then, the gradient of the loss function corresponding to each group of neighborhood samples is calculated, and the average of the multiple sampling gradients is obtained to get the average gradient of the current iteration.

[0087] The accumulated momentum is updated using the momentum decay factor and the average gradient. The current image is then updated by combining the global search factor, the basic step size, and the sign function of the accumulated momentum, thus completing a single initialization iteration.

[0088] Repeat the above sampling, gradient calculation, momentum update, and image update operations until all momentum initialization iterations are completed, obtaining the initial momentum for the actual attack.

[0089] Secondly, calculate the decay dynamic step size sequence.

[0090] Specifically, the initial dynamic step size is calculated based on the upper limit of the perturbation budget, the total number of attack iterations, and the perturbation intensity factor.

[0091] A dynamic step size sequence in the form of exponential decay is generated according to the iteration rounds, ensuring that the sum of all iteration step sizes is equal to the upper limit of the perturbation budget, so that the perturbation of the adversarial example always satisfies the constraint conditions.

[0092] ;

[0093] where, Indicates the first The actual step size used during round iteration. Indicates the initial dynamic step size. This represents the perturbation intensity factor. Indicates the current iteration step;

[0094] ;

[0095] where, This indicates the upper limit of the perturbation budget. Indicates the initial dynamic step size. This represents the perturbation intensity factor. This represents the total number of iterations.
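The budget property stated in [0091] can be checked numerically when reproducing this schedule for robustness evaluation. The sketch below is an added example, not code or formulas from the patent: it assumes a geometric form, step_t = step_0 * gamma^t, normalised so the steps sum to the budget, and the names `decay_step_sizes`, `budget_fraction`, `max_linf_drift` and the values 16/255, 10 and 0.8 are illustrative assumptions.

```python
import random


def decay_step_sizes(eps, total_iters, gamma):
    """Assumed geometric schedule: step_t = step_0 * gamma**t with sum(steps) == eps.

    gamma stands in for the perturbation intensity factor; gamma == 1.0 gives
    the fixed step eps / total_iters used by a plain momentum iteration.
    """
    if eps <= 0 or total_iters < 1 or not 0.0 < gamma <= 1.0:
        raise ValueError("need eps > 0, total_iters >= 1 and 0 < gamma <= 1")
    if gamma == 1.0:
        step0 = eps / total_iters
    else:
        # Closed form of the geometric series, solved for the first term.
        step0 = eps * (1.0 - gamma) / (1.0 - gamma ** total_iters)
    return [step0 * gamma ** t for t in range(total_iters)]


def budget_fraction(steps, k):
    """Share of the total budget that the first k rounds consume."""
    return sum(steps[:k]) / sum(steps)


def max_linf_drift(steps, dims=32, trials=100, seed=7):
    """Largest |delta| reached by sign-style updates that use `steps`.

    Every round moves each coordinate by exactly +step or -step, as a sign()
    update does. Coordinate 0 always moves in the same direction (the worst
    case); the remaining coordinates receive random signs.
    """
    rng = random.Random(seed)
    worst = 0.0
    for _ in range(trials):
        delta = [0.0] * dims
        for step in steps:
            delta = [
                d + step * (1.0 if i == 0 else rng.choice((-1.0, 1.0)))
                for i, d in enumerate(delta)
            ]
            worst = max(worst, max(abs(d) for d in delta))
    return worst


if __name__ == "__main__":
    eps, rounds = 16 / 255, 10          # constructed sample values
    decayed = decay_step_sizes(eps, rounds, 0.8)
    fixed = decay_step_sizes(eps, rounds, 1.0)
    print("sum of decayed steps:", sum(decayed), "budget:", eps)
    print("budget used in first 3 rounds, fixed  :", budget_fraction(fixed, 3))
    print("budget used in first 3 rounds, decayed:", budget_fraction(decayed, 3))
    print("worst-case L-inf drift:", max_linf_drift(decayed))
```

Because the steps sum to the budget, the worst-case drift equals the budget exactly, so projection onto the perturbation ball never has to cut a step short; clamping to the valid pixel range is still required.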

[0096] Then, adversarial examples are generated iteratively based on the initial momentum and dynamic step size.

[0097] The initial momentum obtained from initialization is used as the starting point for formal iteration. In each round of attack iteration, the gradient of the loss function corresponding to the current adversarial sample is calculated.

[0098] By combining the momentum decay factor, historical cumulative momentum, and the current gradient, a new round of cumulative momentum is obtained.

[0099] The adversarial example is updated by invoking the decay dynamic step size of the current round and combining it with the sign function of the accumulated momentum.

[0100] The updated adversarial examples are constrained within the perturbation budget of the original image to complete a single attack iteration.

[0101] The specific formula is as follows:

[0102] ;

[0103] where, Indicates the first The cumulative momentum after each iteration, i.e., the first... The momentum accumulation gradient during round iteration; Indicates the first The cumulative momentum gradient during round iteration; Represents the loss function; Indicates the first Adversarial examples generated during round iteration; This represents the true category label corresponding to the original image; Indicates the momentum decay factor; This represents the initial momentum at the start of the formal attack iteration; Represents the loss function For input variables The gradient (partial derivative vector).

[0104] ;

[0105] where, Indicates the first New adversarial examples generated after rounds of iterative updates; Indicates the first Adversarial examples generated during round iteration; Indicates the first The actual step size used during round iteration; Indicates the first The cumulative momentum after each iteration update; This represents a function that conforms to the given information.

[0106] Finally, adversarial examples are generated, and mechanism integration is achieved.

[0107] The process iteratively generates adversarial examples based on initial momentum and dynamic step size until the total number of iterations is completed, at which point the final adversarial examples are output.

[0108] The sampling-enhanced momentum initialization mechanism and decaying dynamic step size mechanism of this invention can be embedded in existing momentum-based adversarial attack methods. For example, in the framework of Momentum Iteration Fast Gradient Method (MI-FGSM), the momentum initialization is performed first, and then the iteration step size of each round is replaced to form the Momentum Iteration Fast Gradient Method (SEMD-MI-FGSM) based on sampling-enhanced momentum initialization and decaying dynamic step size. At the same time, it can be used in combination with input transformation and model ensemble attack methods. The whole process does not require modification of the target model structure and does not introduce additional computational overhead.

[0109] Specifically, in the typical momentum iterative fast gradient method framework, the original momentum accumulation process starts directly from the zero vector, and each iteration uses a constant step size. The mechanism proposed in this invention allows developers to replace the original zero initialization step with a sampling-enhanced momentum initialization process without modifying the core code structure of the framework, and replace the original fixed step size list with an exponentially decaying dynamic step size sequence pre-generated based on the perturbation budget and the total number of iterations.

[0110] This modular embedding capability enables the sampling-enhanced momentum initialization mechanism and the decay dynamic step size mechanism to be deployed in any attack implementation that follows the momentum iteration paradigm with extremely low engineering cost.

[0111] Both mechanisms involved in this invention operate at the meta-control level of the attack process, rather than interfering with the target model itself or the basic gradient calculation process. The sampling-enhanced momentum initialization essentially involves a series of controllable preprocessing transformations of the original input image. Gradient information is then obtained using the exact same loss function and backpropagation interface path as the actual attack, ultimately outputting an initial momentum tensor with a data structure completely identical to that of traditional momentum variables. Once this initial momentum tensor is generated, it can be seamlessly adopted by the momentum update formula in the existing framework, and subsequent gradient accumulation and momentum decay operations require no adaptation modifications.

[0112] Similarly, the generation of the decaying dynamic step size sequence is completely independent of the model inference process. It only calls the step size parameter in each round to replace the original fixed value, and the step size parameter itself is an exogenous variable in the existing framework.

[0113] Therefore, neither mechanism intrudes on the forward or backward propagation computation graph of the target model, does not require modification of the model's network structure weights, and does not introduce any additional online computation branches or auxiliary loss terms.

[0114] Embedding these two mechanisms yields a structural improvement in overall performance together with ease of deployment. Furthermore, when the two mechanisms are combined with enhancement strategies such as input transformation and model ensembling, the system-level synergy can significantly improve the final attack success rate, because their respective domains cover three mutually orthogonal optimization dimensions: spatial transformation robustness, time series initial baseline, and time series energy scheduling.

[0115] This invention also provides an adversarial attack system based on sampling-enhanced momentum initialization and decay dynamic step size, comprising:

[0116] The sampling-enhanced momentum initialization module is used to construct multiple sets of neighborhood sampling samples by applying random masking to the original image in the initial momentum stage, and to update the accumulated momentum and image based on the gradient mean of the loss function corresponding to the multiple sets of neighborhood sampling samples. This process is repeated until the initial momentum is obtained.

[0117] The decay dynamic step size sequence module is used to calculate the initial dynamic step size based on the upper limit of the perturbation budget, the total number of attack iterations, and the perturbation intensity factor, and generate a decay dynamic step size sequence in the form of exponential decay according to the iteration rounds.

[0118] The adversarial example iterative generation module is used to iteratively generate adversarial examples based on initial momentum and decay dynamic step size.

[0119] The output module is used to iterate until the total number of iterations is completed, and then output the final adversarial sample.

[0120] This invention obtains high-quality initial momentum through sampling-enhanced momentum initialization, and redistributes the perturbation contribution weights of each iteration step by decaying the dynamic step size. Under a fixed perturbation budget, it strengthens the role of early high-transferability perturbations, suppresses overfitting of later perturbations, improves the cross-model transferability of adversarial examples, and achieves efficient black-box adversarial attacks.

[0121] The technical terms, principles, or means related to the technical solutions of the present invention mentioned in the above embodiments, which are not described in detail above, are all well-known technologies or common practices that are known to those skilled in the art.

[0122] The foregoing has shown and described the basic principles, main features, and advantages of the present invention. Those skilled in the art should understand that the present invention is not limited to the above embodiments. The embodiments and descriptions in the specification are merely illustrative of the principles of the invention. Various changes and modifications can be made to the invention without departing from its spirit and scope, and all such changes and modifications fall within the scope of the present invention as claimed. The scope of protection of this invention is defined by the appended claims and their equivalents.

Claims

1. An adversarial attack method based on sampling-enhanced momentum initialization and decay dynamic step size, characterized in that it includes the following steps: inputting the original image and performing sampling-enhanced momentum initialization, in which random masking is applied to the original image to construct multiple sets of neighborhood sampling samples, and the cumulative momentum and the image are updated based on the gradient mean of the loss function corresponding to the multiple sets of neighborhood sampling samples, repeating until the initial momentum is obtained; calculating the initial dynamic step size based on the preset upper limit of the perturbation budget, the total number of attack iterations, and the perturbation intensity factor, and generating an exponentially decaying dynamic step size sequence according to the iteration rounds; starting the formal iteration based on the initial momentum, wherein in each round the gradient of the loss function corresponding to the current adversarial sample is calculated and the cumulative momentum is updated, and the adversarial sample is updated according to the decay dynamic step size sequence of the current round and the sign function of the updated cumulative momentum and constrained within a preset perturbation range to complete a single formal iteration; and repeating the formal iteration steps until the preset total number of iterations is reached, and outputting the final adversarial example.

2. The adversarial attack method based on sampling-enhanced momentum initialization and decay dynamic step size according to claim 1, characterized in that the steps for constructing multiple sets of neighborhood sampling samples are as follows: for the original image being processed, a random mask tensor is generated according to a set mask probability; each position in the random mask tensor takes a non-zero decay value with the mask probability and takes the value zero with probability 1 minus the mask probability; based on the mask tensor, multiple sets of neighborhood sampling samples are constructed in the neighborhood of the original image using the following formula; The formula is: ; where, The first image generated based on the original image Group neighborhood sampling samples, This represents the original image currently being processed. This represents element-wise multiplication. Represents a mask tensor. Indicates the index of the original image sample. This indicates the group number of the sampled neighboring area.

3. The adversarial attack method based on sampling-enhanced momentum initialization and decay dynamic step size according to claim 1, characterized in that the steps for updating the cumulative momentum and image based on the gradient mean of the loss function corresponding to multiple sets of neighborhood sampled samples are as follows: calculating the gradient of the loss function corresponding to each group of neighborhood samples, summing the gradients of the multiple groups of samples and taking the average to obtain the average gradient of the current iteration; updating the accumulated momentum using the momentum decay factor and the average gradient, and updating the current image by combining the global search factor, the basic step size and the sign function of the accumulated momentum, thus completing a single initialization iteration; and repeating the sampling, gradient calculation, momentum update, and image update operations until all momentum initialization iterations are completed, resulting in the initial momentum for the actual attack.

4. The adversarial attack method based on sampling-enhanced momentum initialization and decay dynamic step size according to claim 1, characterized in that the calculation of the initial dynamic step size is specifically as follows: ; where, This indicates the upper limit of the perturbation budget. Indicates the initial dynamic step size. This represents the perturbation intensity factor. Indicates the total number of iterations; The specific method for generating the exponentially decaying dynamic step size sequence is as follows: ; where, Indicates the first The actual step size used during round iteration. Indicates the initial dynamic step size. This represents the perturbation intensity factor. Indicates the current iteration step; The sum of all iteration steps equals the upper limit of the perturbation budget.

5. The adversarial attack method based on sampling-enhanced momentum initialization and decay dynamic step size according to claim 1, characterized in that the steps for calculating the gradient of the loss function corresponding to the current adversarial example and updating the cumulative momentum in each round are as follows: the initial momentum obtained from initialization is used as the starting point for formal iteration; in each round of attack iteration, the gradient of the loss function corresponding to the current adversarial sample is calculated; and the new round of cumulative momentum is obtained by combining the momentum decay factor, the historical cumulative momentum and the current gradient.

6. The adversarial attack method based on sampling-enhanced momentum initialization and decay dynamic step size according to claim 1, characterized in that the steps for updating the adversarial examples are as follows: the decay dynamic step size of the current round is invoked, and the adversarial sample is updated by combining it with the sign function of the accumulated momentum; the updated adversarial sample is constrained within the perturbation budget of the original image to complete a single attack iteration.

7. The adversarial attack method based on sampling-enhanced momentum initialization and decay dynamic step size according to claim 1, characterized in that the execution steps of sampling-enhanced momentum initialization and of generating a decay dynamic step size sequence in exponential decay form can be embedded into momentum iteration-based adversarial attack methods without modifying the target model or introducing additional computational overhead, and can also be used in conjunction with input transformation and model ensemble attack methods.

8. An adversarial attack system based on sampling-enhanced momentum initialization and decay dynamic step size for implementing the method of any one of claims 1-7, characterized in that it comprises: a sampling-enhanced momentum initialization module, used to construct multiple sets of neighborhood sampling samples by applying random masking to the original image in the initial momentum stage, and to update the accumulated momentum and image based on the gradient mean of the loss function corresponding to the multiple sets of neighborhood sampling samples, repeating until the initial momentum is obtained; a decay dynamic step size sequence module, used to calculate the initial dynamic step size based on the upper limit of the perturbation budget, the total number of attack iterations, and the perturbation intensity factor, and to generate a decay dynamic step size sequence in the form of exponential decay according to the iteration rounds; an adversarial example iterative generation module, used to iteratively generate adversarial examples based on initial momentum and decay dynamic step size; and an output module, used to iterate until the total number of iterations is completed, and then output the final adversarial sample.

9. An electronic device, comprising a processor, a communication interface, a memory, and a communication bus, with the processor, communication interface, and memory communicating with each other via the communication bus, characterized in that the memory stores a computer program which, when executed by the processor, causes the processor to perform the adversarial attack method based on sampling-enhanced momentum initialization and decaying dynamic step size as described in any one of claims 1-7.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed, it implements the adversarial attack method based on sampling-enhanced momentum initialization and decaying dynamic step size as described in any one of claims 1-7.