An enhanced neuron attribution-based attack via pixel dropping

Convolutional neural networks (CNNs) are vulnerable to adversarial examples (AEs). Existing feature-level attacks explore the neuron importance to distort the intrinsic objectaware features which are shareable among different CNNs, thus achieving great performance in transferability. In this work, we propose an enhanced neuron attribution-based attack via pixel dropping (ENAA) and try to increase the number of positive neurons to distort the object-aware features more fully than NAA. Specifically, when computing neuron attribution, we use a pixel dropping scheme to expand the regions where the source model pays attention to the image. Our ENAA can make the target model shift the attention regions of AEs far away from those of clean images. Experimental results validate that the proposed method outperforms the state-of-the-art feature-level attacks both in white-box and black-box settings.