Attacking Frequency Information with Enhanced Adversarial Networks to Generate Adversarial Samples

Abstract

In recent years, convolutional neural networks (CNNs) are widely used in various computer vision tasks with advanced performance. However, adversarial samples which add small-magnitude perturbation to images or videos are seriously threatening the application of CNNs. Some existing attack methods pay attention to the time domain information of the inputs, while the information in frequency domain is usually ignored. Others attack frequency domain by massive queries or significantly perceivable perturbation. In this paper, we propose a new method to attack the frequency information. The frequency information is combined with the Generative Adversarial Network (GAN) to design a novel algorithm called Frequency Attack Framework (FAF), which can attack the high-frequency information and the low-frequency information. Double discriminators are constructed on the GAN architecture to make attack more efficient in different frequency bands. The proposed algorithm generates optimal perturbation, resulting in adversarial samples with high attack transferability and quality. Several well-trained CNNs are fooled by FAF, and all of them have high error rates. Even when CNNs add defenses, our algorithm has a good performance.