Targeted Black-Box Adversarial Example Generation Method Using Multi-Layer Heatmap Mapping for Industrial IoT

Abstract

Deep learning-based image classification models have been widely applied in the Industrial Internet of Things (IIoT), but studies have shown that adversarial attacks can cause misclassification of these models, affecting the reliability and security of IIoT systems. Aiming at the low transferability of adversarial examples caused by non-targeted perturbation locations in existing black-box adversarial attack methods for image classification models, this paper presents an adversarial example generation method with multi-layer mapping of heatmaps based on encoder-decoder structure. The encoder is constructed based on local mappings, where the gradient-based class activation mapping method generates a feature heatmap of the original image. This heatmap guides the target label mapping to the salient regions, producing a local label feature map, which is then embedded into different encoding layers. The heatmap is integrated to optimize the decoder, restricting the perturbations generated by the output layer to remain within the salient regions, thereby enhancing the location specificity of the perturbations. An adversarial transformation module is designed to apply random affine transformations to the adversarial examples generated by the encoder-decoder, increasing the diversity of the adversarial examples while enhancing their transferability and robustness. The proposed method is evaluated through experiments conducted on ImageNet and MSCOCO datasets. Compared with mainstream methods, the results show that the proposed method improves the average attack success rates on six different black-box models for eight target categories by 6.5% and 7.5%, respectively. Additionally, the perturbation regions of the generated adversarial examples are reduced by 30% and 18%, and the overall perturbation magnitudes are decreased by 18% and 11%, respectively. The proposed method effectively enhances the transferability of adversarial examples while reducing the perturbation regions.