3.3 Common Terms
In this section, we first introduce the characteristics and classification of evasion attacks. The adversarial attack is to attack the divine neural network through the adversarial example. According to the characteristics and attack effect of the adversarial attack, the adversarial attack can be divided into black-box attack and white-box attack, one-shot attack and iterative attack, targeted attack and non-targeted attack, specific perturbation and universal perturbation, etc., the terms are introduced as follows:
Targeted Attack
The adversarial example forces the model to misclassify an input as a specific target class. Also known as error-specific attacks.
Non-Targeted Attack
The adversarial example only needs to be misclassified, regardless of the incorrect class. Also known as error-generic attacks or indiscriminate attacks.
Black-box Attack
The attacker does not have access to the model’s structure or parameters and relies only on input-output observations.
White-box Attack
The attacker has full knowledge of the model, including its architecture, parameters, and training data.
One-step Attack
The adversarial example is generated in a single step using minimal computation.
Iterative Attack
Multiple iterations refine the adversarial example for a more effective attack, at the cost of increased computation time.
Specific Perturbation
Each input is modified with a unique perturbation pattern.
Universal Perturbation
The same perturbation is applied to all inputs.
Digital Attack
Manipulating input data, such as uploading a crafted PNG file to bypass detection.
Physical Attack
Altering the environment to influence sensor data, such as obstructing a camera’s view.
“Adversarial Attack and Defense: A Survey” by Liang, H.; He, E.; Zhao, Y.; Jia, Z.; Li, H, licensed under a Creative Commons Attribution 4.0 International License.
