Generalized Method for Universal Adversarial Perturbations Using Joint Optimization in Spatial-Frequency Domains

The spatial information of a Universal Adversarial Perturbation (UAP) intuitively represents the visual characteristics of perturbations, whereas the frequency domain information includes the structure and texture of perturbations. Joint analysis of the spatial and frequency domain information of perturbations helps understand the generation mechanism of UAP and its impact on the robustness of image classification models. Most existing studies have focused on the distribution and changes in perturbed spatial information, neglecting the role of frequency components and limiting the generalization ability of the UAP. To address this issue, a joint optimization method for image UAP generation in the spatial and frequency domains is proposed. This method utilizes the adversarial sample confidence loss, perturbation spatial distance loss, and perturbation frequency guidance loss to train the model from both spatial and frequency perspectives, generating a UAP with high attack and transferability. The adversarial sample confidence loss is used to enhance the aggressiveness of disturbances, disturbance spatial distance loss optimizes the spatial size of disturbances, and disturbance frequency guided loss controls the proportion of the frequency components in disturbances. The experimental results indicate that the low-frequency components of the UAP have a significant impact on attack effectiveness. Within the same perturbation space, the more low-frequency components, the higher the success rate of perturbation attacks. Compared with the baseline method, the UAP generated by jointly optimizing the spatial and frequency domains has strong aggressiveness and transferability. Moreover, it has significant advantages in terms of generation speed.