Spatial-frequency collaborative adversarial example generation method based on class activation mapping

doi:10.11772/j.issn.1001-9081.2025060701

Journal of Computer Applications ›› 2026, Vol. 46 ›› Issue (6): 1881-1892.DOI: 10.11772/j.issn.1001-9081.2025060701

• Cyber security • Previous Articles

Spatial-frequency collaborative adversarial example generation method based on class activation mapping

Erhao SHU, Guoqing TU(), Shubo LIU

Key Laboratory of Aerospace Information Security and Trusted Computing，Ministry of Education，School of Cyber Science and Engineering，Wuhan University，Wuhan Hubei 430072，China

Received:2025-06-23 Revised:2025-09-09 Accepted:2025-09-15 Online:2025-10-09 Published:2026-06-10
Contact: Guoqing TU
About author:SHU Erhao， born in 2002， M. S. candidate. His research interests include adversarial attacks， artificial intelligence security.
LIU Shubo， born in 1970， Ph. D.， professor. His research interests include embedded systems， differential privacy， time series.
First author contact:TU Guoqing， born in 1974， Ph. D.， associate professor. His research interests include embedded systems， internet of things， information security， water resources informatization.
Supported by:
National Natural Science Foundation of China(62472325)

基于类激活映射的空频协同对抗样本生成方法

舒尔豪, 涂国庆(), 刘树波

空天信息安全与可信计算教育部重点实验室，武汉大学国家网络安全学院，武汉 430072

通讯作者: 涂国庆
作者简介:舒尔豪（2002—），男，江西宜春人，硕士研究生，主要研究方向：对抗性攻击、人工智能安全
刘树波（1970—），男，黑龙江泰来人，教授，博士，主要研究方向：嵌入式系统、差分隐私、时间序列。
第一联系人：涂国庆（1974—），男，湖北罗田人，副教授，博士，主要研究方向：嵌入式系统、物联网、信息安全、水利信息化
基金资助:
国家自然科学基金资助项目(62472325)

Abstract

Abstract:

To address the limitations of the existing image adversarial example generation methods that only applying global and uniform transformations within a single domain and thereby restricting the attack success rates and the transferability of adversarial examples， a Spatial-Frequency Collaborative adversarial example generation method based on Class Activation Mapping （CAM）（SFC-CAM） was proposed. Firstly， region sensitivity was quantified using CAM， and the input image was divided into high-sensitivity target region and low-sensitivity background region by Adaptive Partitioning （AP） according to the threshold of activation value. Then， for high-sensitivity region， Channel Resampling-Block-wise Random Scaling （CR-BRS） was applied in the spatial domain， while Discrete Cosine Transform （DCT） with Spectral Random Masking （DCT-SRM） was conducted in the frequency domain for low-sensitivity region. Finally， adversarial examples were generated on the basis of the average gradient of the co-transformed image iteratively. Experimental results on the ImageNet dataset show that with Inception-v3 as the source model， SFC-CAM improves the average attack success rate by 3.4 and 10.4 percentage points compared with the baseline methods — Channel Augmented Attack Method （CAAM） and Spectrum Simulation Attack （SSA）， respectively； compared with the proposed single-domain adversarial attack methods CR-BRS and DCT-SRM， SFC-CAM improves the average attack success rate by 15.9 and 19.7 percentage points， respectively. These verify that SFC-CAM enhances the diversity of surrogate model decision boundaries， thereby achieving model augmentation and improving the black-box attack success rate and transferability of adversarial examples.

Key words: adversarial example, black-box attack, transferability, Class Activation Mapping (CAM), spatial-frequency collaboration, model augmentation

摘要：

针对现有图像对抗样本生成方法仅在单一域执行全局无差别变换，导致攻击成功率和对抗样本可迁移性受限的问题，提出一种基于类激活映射（CAM）的空频协同对抗样本生成方法（SFC-CAM）。首先，通过CAM量化图像区域的敏感度，依据热力阈值将图像划分为高敏感目标区域与低敏感背景区域，实现输入图像自适应分区（AP）；其次，分别基于高敏感目标区域和低敏感背景区域实施空间域的通道重采样与逐块随机缩放（CR-BRS）和频率域的基于离散余弦变换（DCT）的频谱随机掩蔽（DCT-SRM）；最后，以协同变换后图像的平均梯度迭代生成对抗样本。在ImageNet数据集上的实验结果表明，以Inception-v3为源模型时，相较于基准方法图像通道增强攻击方法（CAAM）和频谱模拟攻击（SSA），SFC-CAM的平均攻击成功率分别提升3.4和10.4个百分点；相较于所提出的单域对抗攻击方法CR-BRS和DCT-SRM，SFC-CAM的平均攻击成功率分别提升15.9和19.7个百分点。以上验证了SFC-CAM能够增强模拟模型决策边界的多样性，从而实现模型增强，并提高对抗样本的黑盒攻击成功率和可迁移性。

关键词: 对抗样本, 黑盒攻击, 可迁移性, 类激活映射, 空频域协同, 模型增强

CLC Number:

TP391.41

Erhao SHU, Guoqing TU, Shubo LIU. Spatial-frequency collaborative adversarial example generation method based on class activation mapping[J]. Journal of Computer Applications, 2026, 46(6): 1881-1892.

舒尔豪, 涂国庆, 刘树波. 基于类激活映射的空频协同对抗样本生成方法[J]. 《计算机应用》唯一官方网站, 2026, 46(6): 1881-1892.

Figures/Tables 16

References 52

[1]	SHI S， JIANG L， DENG J， et al. PV-RCNN++： point-voxel feature set abstraction with local vector representation for 3D object detection［J］. International Journal of Computer Vision， 2023， 131（2）： 531-551.
[2]	CHEN Y， ZHANG P， KONG T， et al. Scale-aware automatic augmentations for object detection with dynamic training［J］. IEEE Transactions on Pattern Analysis and Machine Intelligence， 2023， 45（2）： 2367-2383.
[3]	ZANG Y， ZHOU K， HUANG C， et al. Semi-supervised and long-tailed object detection with CascadeMatch［J］. International Journal of Computer Vision， 2023， 131（4）： 987-1001.
[4]	SHARIF M， BHAGAVATULA S， BAUER L， et al. Accessorize to a crime： real and stealthy attacks on state-of-the-art face recognition［C］// Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York： ACM， 2016： 1528-1540.
[5]	KRIZHEVSKY A， SUTSKEVER I， HINTON G E. ImageNet classification with deep convolutional neural networks［J］. Communications of the ACM， 2017， 60（6）： 84-90.
[6]	TOUVRON H， BOJANOWSKI P， CARON M， et al. ResMLP： feedforward networks for image classification with data-efficient training［J］. IEEE Transactions on Pattern Analysis and Machine Intelligence， 2023， 45（4）： 5314-5321.
[7]	SIMONYAN K， ZISSERMAN A. Very deep convolutional networks for large-scale image recognition［EB/OL］. ［2024-05-26］..
[8]	MAQUEDA A I， LOQUERCIO A， GALLEGO G， et al. Event-based vision meets deep learning on steering prediction for self-driving cars［C］// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2018： 5419-5427.
[9]	WU W， XU H， ZHONG S， et al. Deep validation： toward detecting real-world corner cases for deep neural networks［C］// Proceedings of the 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. Piscataway： IEEE， 2019： 125-137.
[10]	WANG H， LIANG H， LI Z， et al. A fast coarse-to-fine point cloud registration based on optical flow for autonomous vehicles［J］. Applied Intelligence， 2023， 53（16）： 19143-19160.
[11]	WANG Y， MAO Q， ZHU H， et al. Multi-modal 3D object detection in autonomous driving： a survey［J］. International Journal of Computer Vision， 2023， 131（8）： 2122-2152.
[12]	DONG Y， LIAO F， PANG T， et al. Boosting adversarial attacks with momentum［C］// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2018： 9185-9193.
[13]	魏佳璇，杜世康，于志轩，等. 图像分类中的白盒对抗攻击技术综述［J］. 计算机应用， 2022， 42（9）： 2732-2741.
	WEI J X， DU S K， YU Z X， et al. Review of white-box adversarial attack technologies in image classification［J］. Journal of Computer Applications， 2022， 42（9）： 2732-2741.
[14]	YUE J， LI H， WEI P， et al. Robust real-world image super-resolution against adversarial attacks［C］// Proceedings of the 29th ACM International Conference on Multimedia. New York： ACM， 2021： 5148-5157.
[15]	GOODFELLOW I J， SHLENS J， SZEGEDY C. Explaining and harnessing adversarial examples［EB/OL］. ［2024-05-26］..
[16]	MADRY A， MAKELOV A， SCHMIDT L， et al. Towards deep learning models resistant to adversarial attacks［EB/OL］. ［2024-05-26］..
[17]	KURAKIN A， GOODFELLOW I J， BENGIO S. Adversarial examples in the physical world［EB/OL］. ［2024-05-26］..
[18]	BRENDEL W， RAUBER J， BETHGE M. Decision-based adversarial attacks： reliable attacks against black-box machine learning models［EB/OL］. ［2024-05-26］..
[19]	DONG Y， CHENG S， PANG T， et al. Query-efficient black-box adversarial attacks guided by a transfer-based prior［J］. IEEE Transactions on Pattern Analysis and Machine Intelligence， 2022， 44（12）： 9536-9548.
[20]	LI H， XU X， ZHANG X， et al. QEBA： query-efficient boundary-based blackbox attack［C］// Proceedings of the 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2020： 1218-1227.
[21]	ILYAS A， ENGSTROM L， ATHALYE A， et al. Black-box adversarial attacks with limited queries and information［C］// Proceedings of the 35th International Conference on Machine Learning. New York： JMLR.org， 2018： 2137-2146.
[22]	WANG X， HE K. Enhancing the transferability of adversarial attacks through variance tuning［C］// Proceedings of the 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2021： 1924-1933.
[23]	XIE C， ZHANG Z， ZHOU Y， et al. Improving transferability of adversarial examples with input diversity［C］// Proceedings of the 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2019： 2725-2734.
[24]	ZHANG J， HUANG J T， WANG W， et al. Improving the transferability of adversarial samples by path-augmented method［C］// Proceedings of the 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2023： 8173-8182.
[25]	DONG Y， PANG T， SU H， et al. Evading defenses to transferable adversarial examples by translation-invariant attacks［C］// Proceedings of the 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2019： 4307-4316.
[26]	LIN J， SONG C， HE K， et al. Nesterov accelerated gradient and scale invariance for adversarial attacks［EB/OL］. ［2024-05-26］..
[27]	LONG Y， ZHANG Q， ZENG B， et al. Frequency domain model augmentation for adversarial attack［C］// Proceedings of the 2022 European Conference on Computer Version， LNCS 13664. Cham： Springer， 2022： 549-566.
[28]	WANG X， HE X， WANG J， et al. Admix： enhancing the transferability of adversarial attacks［C］// Proceedings of the 2021 IEEE/CVF International Conference on Computer Vision. Piscataway： IEEE， 2021： 16138-16147.
[29]	WANG X， ZHANG Z， ZHANG J. Structure invariant transformation for better adversarial transferability［C］// Proceedings of the 2023 IEEE/CVF International Conference on Computer Vision. Piscataway： IEEE， 2023： 4584-4596.
[30]	ZHU P， FAN Z， GUO S， et al. Improving adversarial transferability through hybrid augmentation［J］. Computers and Security， 2024， 139： No.103674.
[31]	CHEN P， FENG Z， XING M， et al. Improving adversarial transferability through channel-wise scaling and frequency-random dropping［C］// Proceedings of the 2025 IEEE International Conference on Acoustics， Speech and Signal Processing. Piscataway： IEEE， 2025： 1-5.
[32]	LIU Y， CHEN X， LIU C， et al. Delving into transferable adversarial examples and black-box attacks［EB/OL］. ［2024-05-26］..
[33]	LI Y， BAI S， ZHOU Y， et al. Learning transferable adversarial examples via ghost networks［C］// Proceedings of the 34th AAAI Conference on Artificial Intelligence. Palo Alto： AAAI Press， 2020： 11458-11465.
[34]	HAO L， HAO K， WEI B， et al. Boosting the transferability of adversarial examples via stochastic serial attack［J］. Neural Networks， 2022， 150： 58-67.
[35]	HANG J， HAN K， CHEN H， et al. Ensemble adversarial black-box attacks against deep learning systems［J］. Pattern Recognition， 2020， 101： No.107184.
[36]	TRAMER F， KURAKIN A， PAPERNOT N， et al. Ensemble adversarial training： attacks and defenses［EB/OL］. ［2024-05-26］..
[37]	ATHALYE A， CARLINI N， WAGNER D. Obfuscated gradients give a false sense of security： circumventing defenses to adversarial examples［C］// Proceedings of the 35th International Conference on Machine Learning. New York： JMLR.org， 2018： 274-283.
[38]	WONG E， RICE L， KOLTER J Z. Fast is better than free： revisiting adversarial training［EB/OL］. ［2024-05-26］..
[39]	LIAO F， LIANG M， DONG Y， et al. Defense against adversarial attacks using high-level representation guided denoiser［C］// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2018： 1778-1787.
[40]	NASEER M， KHAN S H， HAYAT M， et al. A self-supervised approach for adversarial robustness［C］// Proceedings of the 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2020： 259-268.
[41]	XIE C， WANG J， ZHANG Z， et al. Mitigating adversarial effects through randomization［EB/OL］. ［2024-05-26］..
[42]	ZHANG H， CHEN H， XIAO C， et al. Towards stable and efficient training of verifiably robust neural networks［EB/OL］. ［2024-05-26］..
[43]	GOWAL S， DVIJOTHAM K， STANFORTH R， et al. Scalable verified training for provably robust image classification［C］// Proceedings of the 2019 IEEE/CVF International Conference on Computer Vision. Piscataway： IEEE， 2019： 4841-4850.
[44]	FU Y， LIU Z， LYU J. Transferable adversarial attacks for remote sensing object recognition via spatial-frequency co-transformation［J］. IEEE Transactions on Geoscience and Remote Sensing， 2024， 62： No.5636812.
[45]	ZHENG D， KE W， LI X， et al. Channel-augmented joint transformation for transferable adversarial attacks［J］. Applied Intelligence， 2024， 54（1）： 428-442.
[46]	SZEGEDY C， VANHOUCKE V， IOFFE S， et al. Rethinking the inception architecture for computer vision［C］// Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2016： 2818-2826.
[47]	SZEGEDY C， IOFFE S， VANHOUCKE V， et al. Inception-v4， inception-ResNet and the impact of residual connections on learning［C］// Proceedings of the 31st AAAI Conference on Artificial Intelligence. Palo Alto： AAAI Press， 2017： 4278-4284.
[48]	HE K， ZHANG X， REN S， et al. Deep residual learning for image recognition［C］// Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2016： 770-778.
[49]	LING J， CHEN X， LUO Y. Improving the transferability of adversarial samples with channel switching［J］. Applied Intelligence， 2023， 53（24）： 30580-30592.
[50]	QIAN Y， CHEN K， WANG B， et al. Enhancing transferability of adversarial examples through mixed-frequency inputs［J］. IEEE Transactions on Information Forensics and Security， 2024， 19： 7633-7645.
[51]	COHEN J， ROSENFELD E， KOLTER Z. Certified adversarial robustness via randomized smoothing［C］// Proceedings of the 36th International Conference on Machine Learning. New York： JMLR.org， 2019： 1310-1320.
[52]	NIE W， GUO B， HUANG Y， et al. Diffusion models for adversarial purification［C］// Proceedings of the 39th International Conference on Machine Learning. New York： JMLR.org， 2022： 16805-16827.

对抗样本生成模型	对抗样本生成方法	Inc-v3	Inc-v4	IncRes-v2	Res-101	Inc-v3_ens3	Inc-v3_ens4	IncRes-v2_ens	平均值
Inc-v3	DIM	99.9	73.3	67.6	63.7	31.2	31.2	18.1	55.0
	TIM	100.0	51.6	46.3	48.5	31.8	30.3	21.2	47.1
	SIM	100.0	69.9	67.5	63.3	38.5	37.6	22.2	57.0
	Admix	100.0	81.1	78.6	71.8	44.6	42.2	25.0	63.3
	SSA	99.7	86.9	86.5	77.5	56.5	55.5	35.6	71.2
	PAM	100.0	83.7	81.2	77.5	44.8	43.4	22.4	64.7
	CAAM	99.8	86.2	87.3	86.9	66.7	63.2	57.1	78.2
	CS	97.6	87.0	86.3	82.5	59.2	55.1	32.8	71.5
	HMFI	98.6	84.8	84.6	79.1	63.5	62.0	40.5	73.3
	SFC-CAM	100.0	94.1	92.6	89.0	71.5	72.2	51.6	81.6
Inc-v4	DIM	74.5	99.4	66.5	63.0	27.2	26.8	16.0	53.3
	TIM	59.1	99.9	47.8	50.2	28.6	28.6	21.5	48.0
	SIM	82.8	99.9	73.7	69.5	47.4	45.1	30.2	64.1
	Admix	89.1	99.7	83.3	76.9	52.9	50.1	32.7	69.2
	SSA	90.8	99.4	86.1	80.7	58.2	56.9	37.0	72.7
	PAM	89.5	100.0	84.5	80.5	57.3	54.5	34.7	71.6
	CAAM	89.2	99.6	88.0	87.2	72.4	70.0	66.9	81.9
	CS	92.0	98.4	89.4	86.4	66.6	65.0	48.5	78.0
	HMFI	87.4	97.5	83.2	79.3	70.5	68.8	52.6	77.0
	SFC-CAM	94.1	99.4	92.5	88.0	74.1	69.4	54.7	81.7
IncRes-v2	DIM	72.5	69.2	97.4	61.6	33.4	31.3	22.3	55.4
	TIM	62.1	58.0	98.9	54.3	33.9	31.5	26.9	52.2
	SIM	86.0	82.0	99.2	73.0	61.1	52.7	45.4	71.4
	Admix	90.0	87.6	99.4	77.5	65.7	57.8	48.8	75.3
	SSA	89.3	89.2	98.4	80.7	68.1	62.5	55.4	77.7
	PAM	91.8	89.4	99.6	84.8	69.8	62.7	55.2	79.0
	CAAM	90.8	90.1	98.6	89.4	74.1	71.9	73.0	84.0
	CS	95.3	93.8	100.0	90.2	76.3	70.9	63.4	84.3
	HMFI	89.5	86.8	97.1	84.1	77.0	73.1	66.7	82.0
	SFC-CAM	93.3	93.2	98.8	88.6	79.3	75.7	70.8	85.7
Res-101	DIM	78.0	77.0	68.6	100.0	31.6	30.1	18.0	57.6
	TIM	62.5	54.1	43.9	100.0	30.6	30.8	22.6	49.2
	SIM	70.7	60.0	53.9	100.0	27.4	27.4	15.3	50.7
	Admix	76.5	68.3	60.1	99.9	29.6	28.9	16.1	54.2
	SSA	90.1	88.1	83.7	99.9	54.9	52.2	37.8	72.4
	PAM	81.8	77.4	76.9	100.0	53.1	47.0	33.2	67.1
	CAAM	89.7	86.1	88.2	99.8	70.1	67.9	66.0	81.1
	CS	79.0	75.5	74.6	96.8	52.8	50.9	35.2	66.4
	HMFI	85.2	79.5	79.8	98.1	71.7	67.2	56.2	76.8
	SFC-CAM	94.0	93.2	90.7	99.9	70.6	68.1	55.2	81.7

对抗样本生成模型	对抗样本生成方法	Inc-v3	Inc-v4	IncRes-v2	Res-101	Inc-v3_ens3	Inc-v3_ens4	IncRes-v2_ens	平均值
Inc-v3	DIM	99.9	73.3	67.6	63.7	31.2	31.2	18.1	55.0
	TIM	100.0	51.6	46.3	48.5	31.8	30.3	21.2	47.1
	SIM	100.0	69.9	67.5	63.3	38.5	37.6	22.2	57.0
	Admix	100.0	81.1	78.6	71.8	44.6	42.2	25.0	63.3
	SSA	99.7	86.9	86.5	77.5	56.5	55.5	35.6	71.2
	PAM	100.0	83.7	81.2	77.5	44.8	43.4	22.4	64.7
	CAAM	99.8	86.2	87.3	86.9	66.7	63.2	57.1	78.2
	CS	97.6	87.0	86.3	82.5	59.2	55.1	32.8	71.5
	HMFI	98.6	84.8	84.6	79.1	63.5	62.0	40.5	73.3
	SFC-CAM	100.0	94.1	92.6	89.0	71.5	72.2	51.6	81.6
Inc-v4	DIM	74.5	99.4	66.5	63.0	27.2	26.8	16.0	53.3
	TIM	59.1	99.9	47.8	50.2	28.6	28.6	21.5	48.0
	SIM	82.8	99.9	73.7	69.5	47.4	45.1	30.2	64.1
	Admix	89.1	99.7	83.3	76.9	52.9	50.1	32.7	69.2
	SSA	90.8	99.4	86.1	80.7	58.2	56.9	37.0	72.7
	PAM	89.5	100.0	84.5	80.5	57.3	54.5	34.7	71.6
	CAAM	89.2	99.6	88.0	87.2	72.4	70.0	66.9	81.9
	CS	92.0	98.4	89.4	86.4	66.6	65.0	48.5	78.0
	HMFI	87.4	97.5	83.2	79.3	70.5	68.8	52.6	77.0
	SFC-CAM	94.1	99.4	92.5	88.0	74.1	69.4	54.7	81.7
IncRes-v2	DIM	72.5	69.2	97.4	61.6	33.4	31.3	22.3	55.4
	TIM	62.1	58.0	98.9	54.3	33.9	31.5	26.9	52.2
	SIM	86.0	82.0	99.2	73.0	61.1	52.7	45.4	71.4
	Admix	90.0	87.6	99.4	77.5	65.7	57.8	48.8	75.3
	SSA	89.3	89.2	98.4	80.7	68.1	62.5	55.4	77.7
	PAM	91.8	89.4	99.6	84.8	69.8	62.7	55.2	79.0
	CAAM	90.8	90.1	98.6	89.4	74.1	71.9	73.0	84.0
	CS	95.3	93.8	100.0	90.2	76.3	70.9	63.4	84.3
	HMFI	89.5	86.8	97.1	84.1	77.0	73.1	66.7	82.0
	SFC-CAM	93.3	93.2	98.8	88.6	79.3	75.7	70.8	85.7
Res-101	DIM	78.0	77.0	68.6	100.0	31.6	30.1	18.0	57.6
	TIM	62.5	54.1	43.9	100.0	30.6	30.8	22.6	49.2
	SIM	70.7	60.0	53.9	100.0	27.4	27.4	15.3	50.7
	Admix	76.5	68.3	60.1	99.9	29.6	28.9	16.1	54.2
	SSA	90.1	88.1	83.7	99.9	54.9	52.2	37.8	72.4
	PAM	81.8	77.4	76.9	100.0	53.1	47.0	33.2	67.1
	CAAM	89.7	86.1	88.2	99.8	70.1	67.9	66.0	81.1
	CS	79.0	75.5	74.6	96.8	52.8	50.9	35.2	66.4
	HMFI	85.2	79.5	79.8	98.1	71.7	67.2	56.2	76.8
	SFC-CAM	94.0	93.2	90.7	99.9	70.6	68.1	55.2	81.7

对抗样本生成模型	对抗样本生成方法	Inc-v3	Inc-v4	IncRes-v2	Res-101	Inc-v3_ens3	Inc-v3_ens4	IncRes-v2_ens	平均值
Inc-v3	SIM-DT	100.0	91.8	89.3	83.4	78.8	77.9	63.8	83.6
	Admix-DT	99.9	92.9	89.9	85.3	80.5	76.7	64.2	84.2
	SSA-DT	99.2	91.9	91.1	82.0	80.9	80.4	69.1	84.9
	PAM-DT	99.4	93.4	91.5	88.4	80.5	78.6	59.8	84.5
	CAAM-DT	99.7	92.2	92.5	92.3	86.8	83.8	82.0	89.9
	SFC-CAM-DT	99.8	95.5	94.4	90.9	90.2	88.4	82.1	91.6
Inc-v4	SIM-DT	94.6	99.9	93.2	87.0	83.3	79.7	72.1	87.1
	Admix-DT	94.9	99.8	91.5	87.5	81.8	78.7	70.5	86.4
	SSA-DT	92.3	98.5	89.5	83.1	79.0	76.3	70.2	84.1
	PAM-DT	93.9	99.7	91.5	87.2	80.1	78.1	65.2	85.1
	CAAM-DT	92.1	99.4	90.8	90.0	87.0	83.4	82.4	89.3
	SFC-CAM-DT	96.5	99.2	95.0	91.1	89.7	86.7	83.4	91.7
IncRes-v2	SIM-DT	95.0	94.1	99.5	89.5	90.0	86.5	85.0	91.3
	Admix-DT	95.0	93.9	99.2	89.6	88.3	85.9	84.3	90.9
	SSA-DT	89.8	88.3	95.6	81.5	82.1	79.5	77.9	85.0
	PAM-DT	95.3	93.2	99.3	90.8	88.8	85.4	81.8	90.7
	CAAM-DT	92.9	91.7	98.5	91.4	88.6	87.1	88.2	91.2
	SFC-CAM-DT	94.0	94.0	97.1	90.6	89.2	87.4	87.5	91.4
Res-101	SIM-DT	94.2	93.0	89.2	99.9	80.9	78.8	67.0	86.3
	Admix-DT	94.6	93.2	90.9	99.9	79.9	78.8	67.0	86.1
	SSA-DT	94.1	93.3	91.6	99.9	83.5	82.8	76.2	88.8
	PAM-DT	90.0	86.8	88.0	99.5	84.4	80.6	71.8	85.9
	CAAM-DT	93.5	89.8	92.7	99.8	89.5	86.9	85.0	91.0
	SFC-CAM-DT	96.1	96.6	94.5	99.8	91.7	90.8	87.4	93.8

对抗样本生成模型	对抗样本生成方法	Inc-v3	Inc-v4	IncRes-v2	Res-101	Inc-v3_ens3	Inc-v3_ens4	IncRes-v2_ens	平均值
Inc-v3	SIM-DT	100.0	91.8	89.3	83.4	78.8	77.9	63.8	83.6
	Admix-DT	99.9	92.9	89.9	85.3	80.5	76.7	64.2	84.2
	SSA-DT	99.2	91.9	91.1	82.0	80.9	80.4	69.1	84.9
	PAM-DT	99.4	93.4	91.5	88.4	80.5	78.6	59.8	84.5
	CAAM-DT	99.7	92.2	92.5	92.3	86.8	83.8	82.0	89.9
	SFC-CAM-DT	99.8	95.5	94.4	90.9	90.2	88.4	82.1	91.6
Inc-v4	SIM-DT	94.6	99.9	93.2	87.0	83.3	79.7	72.1	87.1
	Admix-DT	94.9	99.8	91.5	87.5	81.8	78.7	70.5	86.4
	SSA-DT	92.3	98.5	89.5	83.1	79.0	76.3	70.2	84.1
	PAM-DT	93.9	99.7	91.5	87.2	80.1	78.1	65.2	85.1
	CAAM-DT	92.1	99.4	90.8	90.0	87.0	83.4	82.4	89.3
	SFC-CAM-DT	96.5	99.2	95.0	91.1	89.7	86.7	83.4	91.7
IncRes-v2	SIM-DT	95.0	94.1	99.5	89.5	90.0	86.5	85.0	91.3
	Admix-DT	95.0	93.9	99.2	89.6	88.3	85.9	84.3	90.9
	SSA-DT	89.8	88.3	95.6	81.5	82.1	79.5	77.9	85.0
	PAM-DT	95.3	93.2	99.3	90.8	88.8	85.4	81.8	90.7
	CAAM-DT	92.9	91.7	98.5	91.4	88.6	87.1	88.2	91.2
	SFC-CAM-DT	94.0	94.0	97.1	90.6	89.2	87.4	87.5	91.4
Res-101	SIM-DT	94.2	93.0	89.2	99.9	80.9	78.8	67.0	86.3
	Admix-DT	94.6	93.2	90.9	99.9	79.9	78.8	67.0	86.1
	SSA-DT	94.1	93.3	91.6	99.9	83.5	82.8	76.2	88.8
	PAM-DT	90.0	86.8	88.0	99.5	84.4	80.6	71.8	85.9
	CAAM-DT	93.5	89.8	92.7	99.8	89.5	86.9	85.0	91.0
	SFC-CAM-DT	96.1	96.6	94.5	99.8	91.7	90.8	87.4	93.8

对抗样本生成方法	Inc-v3^*	Inc-v4^*	IncRes-v2^*	Res-101^*	Inc-v3_ens3	Inc-v3_ens4	IncRes-v2_ens	平均值
DIM	98.6	97.9	96.6	99.6	66.8	61.2	42.7	80.5
TIM	98.6	96.3	94.7	99.6	71.7	66.9	57.0	83.5
SIM	99.4	99.1	98.5	99.9	82.4	77.7	63.0	88.6
SSA	97.8	97.9	96.4	99.6	85.2	85.4	73.0	90.8
SFC-CAM	98.1	97.6	96.7	99.3	86.9	85.5	75.1	91.3

Spatial-frequency collaborative adversarial example generation method based on class activation mapping

基于类激活映射的空频协同对抗样本生成方法

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 16

References 52

Related Articles 12

Recommended Articles

Metrics

[1]	Huahua WANG, Zijian FAN, Ze LIU. Image adversarial example generation method based on multi-space probability enhancement [J]. Journal of Computer Applications, 2025, 45(3): 883-890.
[2]	Yu WANG, Xianjin FANG, Gaoming YANG, Yifeng DING, Xinlu YANG. Active defense against face forgery based on attention mask and feature extraction [J]. Journal of Computer Applications, 2025, 45(3): 904-910.
[3]	Yongping WANG, Yao LIU, Xiaolin ZHANG, Jingyu WANG, Lixin LIU. Multimodal adversarial example generation method for Chinese text classification [J]. Journal of Computer Applications, 2025, 45(10): 3074-3082.
[4]	Lu WANG, Dong LIU, Weiguang LIU. Interpretability study on deformable convolutional network and its application in butterfly species recognition models [J]. Journal of Computer Applications, 2025, 45(1): 261-274.
[5]	Jinfu WU, Yi LIU. Fast adversarial training method based on random noise and adaptive step size [J]. Journal of Computer Applications, 2024, 44(6): 1807-1815.
[6]	Yu ZHANG, Yan CHANG, Shibin ZHANG. Adversarial example detection algorithm based on quantum local intrinsic dimensionality [J]. Journal of Computer Applications, 2024, 44(2): 490-495.
[7]	Yifei SONG, Yi LIU. Fast adversarial training method based on data augmentation and label noise [J]. Journal of Computer Applications, 2024, 44(12): 3798-3807.
[8]	Tong CHEN, Jiwei WEI, Shiyuan HE, Jingkuan SONG, Yang YANG. Adversarial training method with adaptive attack strength [J]. Journal of Computer Applications, 2024, 44(1): 94-100.
[9]	Yuhang LI, Yuli YANG, Yao MA, Dan YU, Yongle CHEN. Text adversarial example generation method based on BERT model [J]. Journal of Computer Applications, 2023, 43(10): 3093-3098.
[10]	Jiaxuan WEI, Shikang DU, Zhixuan YU, Ruisheng ZHANG. Review of white-box adversarial attack technologies in image classification [J]. Journal of Computer Applications, 2022, 42(9): 2732-2741.
[11]	Bo YANG, Hengwei ZHANG, Zheming LI, Kaiyong XU. Adversarial example generation method based on image flipping transform [J]. Journal of Computer Applications, 2022, 42(8): 2319-2325.
[12]	Lingmin LI, Mengran HOU, Kun CHEN, Junmin LIU. Survey on interpretability research of deep learning [J]. Journal of Computer Applications, 2022, 42(12): 3639-3650.