# A Spatially Distributed Perturbation Strategy with Smoothed Gradient Sign Method for Adversarial Analysis of Image Classification Systems

**Authors:** Yanwei Xu, Jun Li, Dajun Chang, Yuanfang Dong

PMC · DOI: 10.3390/e28020193 · 2026-02-09

## TL;DR

This paper introduces a new adversarial attack method that improves effectiveness while minimizing visual distortion in image classification systems.

## Contribution

The novel SD-SGSM framework uses spatially distributed perturbations and gradient smoothing for more effective and visually coherent adversarial attacks.

## Key findings

- SD-SGSM achieves 99.9% attack success rate on CIFAR-10 with minimal distortion.
- The method preserves high structural similarity (SSIM 0.947) compared to other attacks.
- Spatial distribution and gradient smoothing work together to enhance attack potency and fidelity.

## Abstract

As deep learning models are increasingly embedded as critical components within complex socio-technical systems, understanding and evaluating their systemic robustness against adversarial perturbations has become a fundamental concern for system safety and reliability. Deep neural networks (DNNs) are highly effective in visual recognition tasks but remain vulnerable to adversarial perturbations, which can compromise their reliability in safety-critical applications. Existing attack methods often distribute perturbations uniformly across the input, ignoring the spatial heterogeneity of model sensitivity. In this work, we propose the Spatially Distributed Perturbation Strategy with Smoothed Gradient Sign Method (SD-SGSM), a adversarial attack framework that exploits decision-dependent regions to maximize attack effectiveness while minimizing perceptual distortion. SD-SGSM integrates three key components: (i) decision-dependent domain identification to localize critical features using a deterministic zero-out operator; (ii) spatially adaptive perturbation allocation to concentrate attack energy on sensitive regions while constraining background disturbance; and (iii) gradient smoothing via a hyperbolic tangent transformation to enable fine-grained and continuous perturbation updates. Extensive experiments on CIFAR-10 demonstrate that SD-SGSM achieves near-perfect attack success rates (ASR 99.9%) while substantially reducing ℓ2 distortion and preserving high structural similarity (SSIM 0.947), outperforming both single-step and momentum-based iterative attacks. Ablation studies further confirm that spatial distribution and gradient smoothing act as complementary mechanisms, jointly enhancing attack potency and visual fidelity. These findings underscore the importance of spatially aware, decision-dependent adversarial strategies for system-level robustness assessment and the secure design of AI-enabled systems.

## Full-text entities

- **Diseases:** SGSM (MESH:D000141), FGSM (MESH:D007003), aggression (MESH:D010554), plant disease (MESH:D010939), injury to (MESH:D014947), black-box attacks (MESH:D007898)
- **Species:** Homo sapiens (human, species) [taxon 9606], Canis lupus familiaris (dog, subspecies) [taxon 9615]

## Figures

7 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12939856/full.md

---
Source: https://tomesphere.com/paper/PMC12939856