Digital Watermark Perturbation for Adversarial Examples to Fool Deep Neural Networks

In this paper we propose an attack method to embed digital watermarking invisibly into a clean example to generate an adversarial example to interfere with the classification of deep learning models. Specifically, we propose an optimization algorithm called Non-Dominated Sorting Genetic Algorithm with Particle Swarm Optimization (NSGA-PSO) to generate adversarial digital watermarking in the black-box attack mode with a few queries from the models to be attacked. Extensive experiments on ImageNet and CIFAR-10 datasets demonstrate that our method can efficiently generate adversarial examples with higher attack success rates than existing black-box attack methods. Furthermore, showing satisfactory transferability across different network models and greater robustness against image transformation defense methods.