Boosting Imperceptibility of Stable Diffusion-based Adversarial Examples Generation with Momentum

TL;DR

This paper introduces SD-MIAE, a novel framework that uses stable diffusion and momentum optimization to generate highly effective, visually imperceptible adversarial examples that can fool classifiers while maintaining semantic similarity.

Contribution

The paper presents a new method combining stable diffusion and momentum to improve the quality and effectiveness of adversarial examples in neural network testing.

Findings

Achieves a 79% misclassification rate, 35% higher than previous methods.

Maintains high visual fidelity and semantic similarity in adversarial images.

Enhances the stability and robustness of adversarial perturbations.

Abstract

We propose a novel framework, Stable Diffusion-based Momentum Integrated Adversarial Examples (SD-MIAE), for generating adversarial examples that can effectively mislead neural network classifiers while maintaining visual imperceptibility and preserving the semantic similarity to the original class label. Our method leverages the text-to-image generation capabilities of the Stable Diffusion model by manipulating token embeddings corresponding to the specified class in its latent space. These token embeddings guide the generation of adversarial images that maintain high visual fidelity. The SD-MIAE framework consists of two phases: (1) an initial adversarial optimization phase that modifies token embeddings to produce misclassified yet natural-looking images and (2) a momentum-based optimization phase that refines the adversarial perturbations. By introducing momentum, our approach stabilizes the optimization of perturbations across iterations, enhancing both the misclassification rate and visual fidelity of the generated adversarial examples. Experimental results demonstrate that SD-MIAE achieves a high misclassification rate of 79%, improving by 35% over the state-of-the-art method while preserving the imperceptibility of adversarial perturbations and the semantic similarity to the original class label, making it a practical method for robust adversarial evaluation.