Non-norm-bounded Attack for Generating Adversarial Examples

2020 
Recent studies have demonstrated that neural networks are vulnerable to adversarial examples. Numerous attacks have been proposed for crafting various types of adversarial examples. However, almost all the existing attacks adopt the \(L_p\)-norm or another distance metric to bound the adversarial perturbations, which inadvertently facilitates the implementation of some defenses. We present a novel non-norm-bounded attack (NNBA) for generating adversarial examples. We formulate the process of generating adversarial examples as an optimization problem whose sole objective is to misclassify the perturbed examples and which does not use the \(L_p\)-norm as the perturbation constraint. The examples generated in this way naturally satisfy the requirements of adversarial examples. Experimental results on the MNIST, CIFAR-10 and ImageNet datasets show that NNBA can successfully generate adversarial examples with small perturbations and high misclassification performance. Moreover, adversarial examples crafted by NNBA achieve high confidence, good robustness and low computational cost. Our work sheds light on a new type of adversarial attack, and we hope it will prompt research on secure and robust machine learning models.