3️⃣ FGSM Attack Concept

• FGSM (Fast Gradient Sign Method): An attack method that generates adversarial samples by using the gradient of the loss function with respect to the input.

  • Formula: 𝑥′ = 𝑥 + 𝜖 · sign(∇ₓ J(𝜃, 𝑥, 𝑦))

  • A larger 𝜖 increases the attack intensity, allowing the model to be misled with minimal perturbations.

4️⃣ Experimental Setup & Methodology

• Dataset: CIFAR-10, consisting of 60,000 32×32 color images categorized into 10 classes (50,000 for training, 10,000 for testing).

• Neural Network Models:

  1. CNN: A simple architecture using convolutional and pooling layers to capture local features.

  2. ResNet-18: Utilizes residual connections to facilitate training in deeper networks and mitigate the vanishing gradient problem.

  3. AlexNet: A relatively shallow network with large filters for feature extraction.

• Experimental Environment & Hyperparameters:

  1. Implemented using the PyTorch framework on an Nvidia RTX 4060 GPU.

  2. Learning Rate: 0.01, Batch Size: 64, Optimizer: Adam, Epochs: 50.

  3. FGSM attack intensity (𝜖 values) ranging from 0 to 1.0.

• Attack Types:

  1. Full Attack: FGSM applied to all pixels of the image to generate adversarial examples.

  2. Partial Attack: FGSM applied only to specific regions (e.g., top, center, border) to examine localized vulnerabilities.

  3. Cross-model Evaluation: Evaluates whether adversarial examples generated from one model remain effective when used against other models.

5️⃣ Experimental Results

• Full Attack Findings:

  • At 𝜖 = 0.01, most samples are still correctly classified.

  • At 𝜖 = 0.1, there is a sharp decline in classification accuracy across all models.

  • For 𝜖 ≥ 0.3, nearly all samples are misclassified.

• Partial Attack Findings:

  • CNN shows significant performance degradation even when attacks target only specific regions.

  • ResNet-18 demonstrates relative robustness due to its residual architecture.

  • AlexNet is the most vulnerable under full attacks, although CNN is particularly sensitive to partial attacks.

• Cross-model Evaluation:

  • Adversarial examples generated by one model often lead to high misclassification rates in other models, with AlexNet-derived examples being especially aggressive.

6️⃣ Research Contributions & Expected Impact

• Architectural Vulnerability Analysis: The study experimentally confirms that different network architectures exhibit varying degrees of vulnerability to FGSM attacks.

• Generalization of Adversarial Examples: It demonstrates that adversarial samples are not model-specific; examples crafted from one architecture can deceive others, highlighting a widespread threat.

• Guidance for Robust Model Design: The experimental findings provide valuable data for designing more resilient AI systems in applications such as autonomous driving, medical diagnostics, and financial forecasting.