关键词: 图像分类, 对抗攻击, 加权最大化激活, 迁移性

Abstract: Adversarial examples generated from adversarial attacks can seriously influence the prediction of convolutional neural networks in image classification tasks.Due to the difficult detection of adversarial samples and their transferability (an adversarial sample can undermine the prediction of models with different architectures),crafting adversarial perturbations and generating adversarial samples are of great importance in detecting model defects.However,existing data-free universal adversarial attacks only maximize the activation values of all the convolutional layers to craft adversarial perturbations without any data,which is practical in real-world applications,but adversarial examples are poor in transferability since the difference of features extracted by different convolutional layers is rarely considered.In this paper,a data-free universal adversarial attack method with Weighted Maximization Activation (WAM) is proposed,which assigns the corresponding weight to each convolution layer and increases the weight of activation value from the shallow convolutional layer that can extract generalized features.Experiments on the ImageNet validation set show that the weighted maximization activation attack performs better than other data-free universal methods.Additionally,the ablation experiment verifies that the universal adversarial perturbation can learn generic features from shallow convolutional layers and achieve better transferability.