Adversarial Example Generation Method Based on Wavelet Transform

Abstract

Adversarial examples are crucial tools for assessing the robustness of deep neural networks (DNNs) and revealing potential security vulnerabilities. Adversarial example generation methods based on Generative Adversarial Networks (GANs) have made significant progress in generating image adversarial examples, but still suffer from insufficient sparsity and transferability. To address these issues, this study proposes a novel semi-white-box untargeted adversarial example generation method named Wavelet-AdvGAN, with an explicit threat model defined as follows. Specifically, the attack is strictly untargeted without predefined target categories, aiming solely to mislead DNNs into classifying adversarial examples into any category other than the original label. It adopts a semi-white-box setting where attackers are denied access to the target model’s private information. Regarding the generator’s information dependence, the training phase only utilizes public resources (i.e., the target model’s public architecture and CIFAR-10 public training data), while the test phase generates adversarial examples through one-step feedforward of clean images without interacting with the target model. The method incorporates a Frequency Sub-band Difference (FSD) module and a Wavelet Transform Local Feature (WTLF) extraction module, evaluating the differences between original and adversarial examples from the frequency domain perspective. This approach constrains the magnitude of perturbations, reinforces feature regions, and further enhances the attack effectiveness, thereby improving the sparsity and transferability of adversarial examples. Experimental results demonstrate that the Wavelet-AdvGAN method achieves an average increase of 1.26% in attack success rates under two defense strategies—data augmentation and adversarial training. Additionally, the adversarial transferability improves by an average of 2.7%. Moreover, the proposed method exhibits a lower $l_0$ norm, indicating better perturbation sparsity. Consequently, it effectively evaluates the robustness of deep neural networks.

1. Introduction

In recent years, with the rapid advancement of machine learning technologies, deep neural networks (DNNs) have been widely applied in fields such as image recognition [1] and analog compute in memory [2]. They have achieved remarkable progress, particularly in safety-critical domains like autonomous driving [3] and facial recognition [4]. However, despite their excellent performance across various tasks, DNNs exhibit significant vulnerability to adversarial robustness. Szegedy et al. [5] first pointed out that by introducing subtle, imperceptible perturbations into image data, classification models could be misled into making incorrect predictions (i.e., untargeted adversarial attacks, where the goal is to deviate from the original category rather than specify a target category), resulting in adversarial examples. In practical scenarios such as autonomous driving, untargeted attacks can cause severe safety risks (e.g., misclassifying traffic signs into irrelevant categories). This study focuses on semi-white-box untargeted attacks (consistent with the explicit threat model in the Abstract, i.e., no access to the target model’s private information during training/testing), aiming to generate high-sparsity and high-transferability adversarial examples to evaluate DNN robustness. These examples pose considerable risks. For instance, in autonomous driving, minor perturbations in images may cause systems to misidentify traffic signs, leading to severe safety issues. Therefore, researching adversarial example generation methods and their impact on deep learning models has become crucial for improving model robustness and ensuring application security.

Current adversarial example generation methods can be broadly categorized into three classes. The first category, gradient-based methods [5,6,7,8], generates adversarial examples quickly by applying perturbations in the direction of the model’s loss gradient. These methods are efficient but often lack control over perturbation sparsity. The second category, optimization-based methods [9], uses optimization algorithms to produce more visually natural and sparse adversarial examples, usually with higher attack success rates. However, these methods are computationally expensive and often require optimization for individual data samples.

The third category involves GAN-based methods [10], which generate adversarial examples rapidly by learning the probability distribution of input data through adversarial training between a generator and a discriminator. Xiao et al. proposed AdvGAN [11], which employs a generator to produce perturbations and a discriminator to ensure the authenticity of the generated samples, achieving higher efficiency than traditional optimization methods like C&W [9]. However, AdvGAN primarily focuses on global image features in its generator design, leading to dense perturbations with insufficient sparsity and large perturbation magnitudes, compromising the authenticity of the samples. AdvGAN++ [12] improves on this by leveraging latent features of deep neural networks instead of direct input images for generating adversarial examples. By sampling noise vectors and generating distributions, it extracts latent features to produce adversarial images closer to the input distribution. This approach relies on the observation that latent features are more susceptible to adversarial perturbations than input images. However, the generated adversarial examples depend on the vulnerability of latent features, which may vary with model architecture and training strategies, resulting in poor transferability.

To enhance the adversarial effect on classification models, Bai et al. proposed AI-GAN [13], which introduces an attack module during training to strengthen the generator’s attack capability and stabilize GAN training, further improving the quality and sparsity of adversarial examples. Despite these improvements, limitations in enhancing sparsity remain. GE-AdvGAN [14] introduces a novel gradient editing (GE) mechanism, exploring frequency domains to determine the direction of gradient editing, thereby improving transferability and algorithm efficiency. However, $GE$-$AdvGAN$ only uses frequency-domain information to guide gradient direction, lacking multi-scale frequency decomposition and targeted constraint on perturbation distribution. These methods—$AdvGAN$, $AdvGAN$++, $AI$-$GAN$, and $GE$-$AdvGAN$—rely on the $l_2$ norm to assess differences between original and adversarial samples, which is insufficient to capture multi-scale structural and texture details. Moreover, they fail to synergize frequency-domain constraints with local feature enhancement: AdvGAN series focus on global features, leading to dense perturbations; AI-GAN strengthens attack capability but ignores frequency-domain structure preservation; and GE-AdvGAN lacks targeted enhancement of critical local regions. These limitations result in compromised sparsity and transferability of adversarial examples. However, the $l_2$ norm is less effective in capturing multi-scale features, structural information, and texture details of images. This study addresses this by leveraging local image features and details from the frequency domain to evaluate differences, thereby enhancing the sparsity of adversarial examples.

Our main contributions are as follows:

1.

We propose the Wavelet-AdvGAN adversarial example generation method, which achieves improved attack success rates, generation efficiency, transferability, and sparsity. Unlike existing frequency-domain GAN-based methods (e.g., GE-AdvGAN) that rely on single-scale frequency difference or gradient editing, Wavelet-AdvGAN innovates a ‘frequency-domain constraint + local feature enhancement’ synergistic mechanism to address the long-standing trade-off between perturbation sparsity and transferability.

2.

We introduce the Frequency Sub-band Difference (FSD) module based on wavelet transform. Unlike existing frequency-domain methods that use uniform frequency metrics (e.g., $l_2$ norm), this module decomposes images into multi-scale sub-bands (LL/LH/HL/HH) and assigns adaptive weights, emphasizing the preservation of global structural information (low-frequency) while constraining detailed perturbations (high-frequency), thus generating adversarial examples with higher sparsity and visual authenticity.

3.

We present the Wavelet Transform Local Feature (WTLF) module, which leverages wavelet convolution to separate global structures (low-frequency) and detailed features (high-frequency), and integrates lightweight 1D convolution to preserve channel information. Unlike AdvGAN series that focus only on global features or AI-GAN’s attack module enhancement, this module enables the model to focus on critical local regions, directly improving attack effectiveness while maintaining efficiency. This design extends the ‘divide-and-conquer’ idea from mixture-of-experts (MoE) architectures to adversarial attack’s frequency-domain processing.

2. Related Work

2.1. GAN-Based Adversarial Example Generation Methods

The basic structure of a Generative Adversarial Network (GAN), as shown in Figure 1, consists of a generator G and a discriminator D. The generator G produces data from random noise, aiming to approximate the real data distribution. Meanwhile, the discriminator D classifies the input data, determining whether it comes from the real data distribution or is generated by G. In the initial stage, the samples generated by G are of low quality, allowing D to easily distinguish between real and generated data. D uses this distinction to optimize its parameters. Concurrently, G adjusts its parameters based on the gradient feedback from D, progressively improving the quality of the generated samples to closely resemble real data. This process involves an iterative optimization where G and D are alternately trained, forming a dynamic adversarial game: G strives to “fool” D, while D continuously enhances its discriminative capability. This adversarial mechanism ultimately leads G to produce high-quality samples, while D maintains strong performance in distinguishing real from generated data.

Xiao et al. [11] combined adversarial attacks with Generative Adversarial Networks (GANs) and proposed AdvGAN to address the time-consuming nature of optimization-based attack algorithms.

This method leverages the ability of GANs [10] to learn and approximate the distribution of the original data. The model is trained on the dataset, where adversarial examples are generated through the feedforward generator network, and the discriminator encourages the adversarial examples to become more similar to the original images. A key innovation of AdvGAN is the definition of semi-white-box attacks. Wavelet-AdvGAN inherits and clarifies this semi-white-box setting (a core component of the threat model defined in the Abstract), consistent with the practical attack scenario design in related studies: (1) Training phase: The generator only requires the architecture of the target model (e.g., ResNet18, Vgg16) and public training data (CIFAR-10) to learn perturbation patterns; it does not need access to the target model’s private parameters, gradients, or intermediate feature maps. (2) Testing phase: After training, the generator can directly generate adversarial examples by inputting clean images, without any further interaction with the target model (e.g., no need to query the model’s output or gradient). This semi-white-box setting, combined with the strictly untargeted attack type, forms the complete threat model of this study. This advancement makes the process more efficient and scalable, particularly when generating adversarial examples for large datasets or for situations where multiple attack attempts are required.

The structure of AdvGAN is shown in Figure 2.

Beyond the aforementioned GAN-based methods, two recent studies are closely related to our research. Zhang et al. [15] proposed “Towards Model Resistant to Transferable Adversarial Examples via Trigger Activation”, which enhances model robustness against transferable adversarial examples by strengthening the model’s dependence on specific trigger features (e.g., task-specific local patterns). Their method constructs defense by binding model decision to fixed triggers, but overlooks the adaptability of adversarial examples to multi-scale frequency features. This study complements our work: while their goal is to defend against transferable attacks, Wavelet-AdvGAN targets generating more transferable adversarial examples that can break through such trigger-based defense mechanisms by leveraging wavelet transform to perturb multi-scale frequency components (not limited to trigger-related local features) and enhancing local critical regions via WTLF module, thus providing a more rigorous test for model robustness.

Another study, “Moe-ffd: Mixture of experts for generalized and parameter-efficient face forgery detection” [16] by Liu et al., adopts a mixture-of-experts (MoE) architecture to decompose complex face forgery detection tasks into sub-tasks handled by specialized experts (each expert focuses on a specific forgery pattern). Their core insight is that “divide-and-conquer” can improve the efficiency and targeting of complex task processing. Inspired by this idea, our WTLF module extends the MoE concept to the field of adversarial attack: we treat wavelet multi-scale sub-bands (LL/LH/HL/HH) as “frequency experts”, where each expert is responsible for perturbing a specific frequency component (low-frequency for global structure, high-frequency for local details). This design enables targeted perturbation for different frequency components, avoiding the over-perturbation of irrelevant regions and thus improving perturbation sparsity—addressing the limitation of MoE’s original application in detection tasks (not applicable to adversarial perturbation generation) by adapting it to frequency-domain feature processing.

2.2. Wavelet Transform

Wavelet Transform, known for its multi-scale analysis capabilities, is widely applied in feature extraction within machine learning and signal processing, particularly excelling at capturing local features of signals [17,18,19,20]. By decomposing a signal into the superposition of wavelet functions at different scales, the wavelet transform provides localized information in both the time and frequency domains. Different types of wavelet basis functions achieve localized feature representation across multiple scales through translation, scaling, decomposition, and reconstruction operations.

The 2D Discrete Wavelet Transform (DWT) [21] decomposes an input signal into four sub-bands: Low–Low (LL), Low–High (LH), High–Low (HL), and High–High (HH). This decomposition reveals the signal’s frequency characteristics in different directions, enabling detailed analysis of its local structures.

2.3. ELA

Efficient Layer Attention (ELA) [22] effectively enhances image classification and object detection tasks by precisely capturing both local and global features while reducing the number of parameters. Compared to traditional spatial attention methods such as Squeeze-and-Excitation (SE) [23], Coordinate Attention (CA) [24], and Convolutional Block Attention Module (CBAM) [25], ELA demonstrates significant performance improvements and lower computational costs across various visual tasks. The ELA module aims to improve the performance of Convolutional Neural Networks (CNNs) in tasks like image classification, object detection, and semantic segmentation. Its core innovation lies in using 1D convolutions [26] and Group Normalization (GN) [27], effectively encoding horizontal and vertical spatial position information. This approach avoids the dimensionality reduction issues present in existing channel-based methods, ensuring richer feature representation and more efficient processing.

2.4. Adversarial Training

Adversarial Training (AT), proposed by Goodfellow et al. [6], involves training a model using both original and adversarial samples (such as those generated by FGSM) to enhance its robustness. Existing research [28,29,30,31] highlights the importance of adversarial training in improving the resilience of deep neural networks against adversarial perturbations. These studies emphasize its effectiveness across various application scenarios, including defense against backdoor attacks, generalization performance optimization, cross-domain applications, economic considerations, and exploration of future research directions. These findings collectively indicate that AT not only strengthens model robustness but also drives the development and diversification of defense strategies and their applications.

2.5. Data Enhancement

The importance of data augmentation techniques in enhancing the adversarial robustness of deep neural networks is widely recognized. Research has shown that optimizing adversarial training can be significantly improved by increasing data diversity [32], dynamically adjusting augmentation intensity [33], introducing regularizers [34], and employing spatial combination techniques [35]. These approaches help mitigate overfitting issues and enhance model robustness. Moreover, online instance-level data augmentation strategies [36] not only reduce the cost of searching for optimal augmentation policies but also further improve model stability and reliability against adversarial attacks. These findings collectively highlight the pivotal role of data augmentation in strengthening adversarial training and offer new directions for developing more efficient defense strategies. In this paper, we will systematically evaluate the effectiveness of the Wavelet-AdvGAN method based on data augmentation techniques to validate its practical value.

3. Method

3.1. Wavelet-AdvGAN

This study proposes an improved adversarial example generation method, Wavelet-AdvGAN, with the model structure shown in Figure 3.

Wavelet-AdvGAN consists of four components: the generator G, the discriminator D, the target model f, and the Frequency Sub-band Difference ($\mathit{FSD}$) module. G is responsible for generating perturbations (complying with the semi-white-box constraint: no reliance on the target model’s private information) while ensuring sparsity and imperceptibility, while D distinguishes between generated samples and original samples, guiding the training of G. The target model f ensures that the adversarial examples are misclassified into any category other than the original (i.e., the core goal of untargeted attacks, consistent with the threat model). The generator’s key objective is to generate perturbations that are sparse and imperceptible, while maximizing the probability of the target model misclassifying the adversarial example away from its original label. The $\mathit{FSD}$ module calculates the similarity between the original sample $X_{\mathit{real}}$ and the adversarial sample $X_{\mathit{adv}}$. The training process of the model is outlined in

Table 1. Wavelet-AdvGAN for adversarial example generation.

Step	Description
Input	Original samples $X_{\mathrm{real}}$, target model f, generator G, discriminator D, FSD weights $w_{\mathrm{LL}}$, $w_{\mathrm{LH}}$, $w_{\mathrm{HL}}$, $w_{\mathrm{HH}}$, loss weights $\alpha$, $\beta$, and training steps N.
Output	$X_{\mathit{pb}},X_{\mathit{adv}}$.
1	Initialize generator G, discriminator D, and target model f.
2	For $i=1$ to N do
3	Generate $X_{\mathit{pb}}$ by passing $X_{\mathit{real}}$ through G: $X_{\mathit{pb}}=G\left(X_{\mathit{real}}\right)$.
4	Compute adversarial samples: $X_{\mathit{adv}}=X_{\mathit{real}}+X_{\mathit{pb}}$.
5	Compute discriminator loss $L_{\mathrm{GAN}-\mathrm{D}}$:
	$L_{\mathrm{GAN}-\mathrm{D}}=E_{X_{\mathrm{real}}\sim p_{\mathrm{data}}}\left[logD\left(X_{\mathrm{real}}\right)\right]+E_{X_{\mathrm{real}}\sim p_{\mathrm{data}}}\left[log(1-D\left(X_{\mathrm{adv}}\right))\right]$.
6	Compute generator adversarial loss $L_{\mathrm{GAN}-\mathrm{G}}$:
	$L_{\mathrm{GAN}-\mathrm{G}}=E_{X_{\mathrm{real}}\sim p_{\mathrm{data}}}\left[log(1-D\left(X_{\mathrm{adv}}\right))\right]$.
7	Compute adversarial loss for the target model $L_{\mathit{adv}}$:
	$L_{\mathrm{adv}}=E_{X_{\mathrm{real}}\sim p_{\mathrm{data}}}\left[l_f\left(X_{\mathrm{adv}}\right)\right]$.
8	Compute boundary loss $L_{\mathit{FSD}}$ using FSD:
	$L_{\mathrm{FSD}}=E_{X_{\mathrm{real}}\sim p_{\mathrm{data}}}\left[w_{\mathrm{LL}}{D}_{\mathrm{LL}}+w_{\mathrm{LH}}{D}_{\mathrm{LH}}+w_{\mathrm{HL}}{D}_{\mathrm{HL}}+w_{\mathrm{HH}}{D}_{\mathrm{HH}}\right]$.
9	Compute total generator loss:
	$L_G=L_{\mathit{GAN}-\mathit{G}}+\alpha L_{\mathit{adv}}+\beta L_{\mathit{FSD}}$.
10	Update generator G using $L_G$.
11	Update discriminator D using $L_{\mathrm{GAN}-\mathrm{D}}$.
12	End for
13	Generate final perturbation $X_{\mathit{pb}}=G\left(X_{\mathit{real}}\right)$.
14	Generate final adversarial samples $X_{\mathit{adv}}=X_{\mathit{real}}+X_{\mathit{pb}}$.

.

For the generator G, its total loss function $L_G$ consists of three components, as shown in Equation (1). We use distinct subscripts to distinguish generator/discriminator losses and explicitly specify data distributions for expectations:

$$\begin{array}{c}{L}_G=L_{\mathit{GAN}-\mathit{G}}+\alpha L_{\mathit{adv}}+\beta L_{\mathit{FSD}}\end{array}$$

(1)

where

• $L_{\mathrm{GAN}-\mathrm{G}}$: Generator’s GAN loss (distinct from discriminator’s $L_{\mathrm{GAN}-\mathrm{D}}$), measuring how well adversarial samples $X_{\mathrm{adv}}$ fool the discriminator D;
• $L_{\mathrm{adv}}$: Attack effectiveness loss, evaluating whether $X_{\mathrm{adv}}$ misleads the target model f;
• $L_{\mathrm{FSD}}$: Frequency sub-band difference loss, constraining perturbation magnitude;
• $\alpha ,\beta$: Hyperparameters balancing the three loss components.

The generator’s GAN loss $L_{\mathrm{GAN}-\mathrm{G}}$ is defined as

$$L_{\mathrm{GAN}-\mathrm{G}}=E_{X_{\mathrm{real}}\sim p_{\mathrm{data}}}\left[log(1-D\left(X_{\mathrm{adv}}\right))\right]$$

(2)

where

• $X_{\mathrm{real}}\sim p_{\mathrm{data}}$: Real samples follow the dataset distribution $p_{\mathrm{data}}$;
• $X_{\mathrm{adv}}=X_{\mathrm{real}}+G\left(X_{\mathrm{real}}\right)$: Adversarial samples (real samples + generator-learned perturbations $X_{\mathrm{pb}}=G\left(X_{\mathrm{real}}\right)$);
• $D\left(X\right)$: Discriminator output (probability that X is a real sample, $D\left(X\right)\in [0,1]$).

• Optimization goal for $L_{\mathrm{GAN}-\mathrm{G}}$: Minimize the loss to force

$D\left(X_{\mathrm{adv}}\right)\to 0$, i.e., deceive D into classifying adversarial samples as “real”.

The attack effectiveness loss $L_{\mathrm{adv}}$ ensures $X_{\mathrm{adv}}$ misleads the target model f (untargeted attack: any category except the original label), defined as

$$L_{\mathrm{adv}}=E_{X_{\mathrm{real}}\sim p_{\mathrm{data}}}\left[l_f\left(X_{\mathrm{adv}}\right)\right]$$

(3)

where

• $l_f\left(X_{\mathrm{adv}}\right)$: Target model’s classification loss for $X_{\mathrm{adv}}$ (e.g., cross-entropy loss);
• Optimization goal: $max{L}_{\mathrm{adv}}$ to force $f\left(X_{\mathrm{adv}}\right)\ne \mathrm{original}\mathrm{label}$ (since higher classification loss indicates misclassification).

The frequency sub-band difference loss $L_{\mathrm{FSD}}$ constrains perturbation magnitude $X_{\mathrm{pb}}$ by measuring frequency-domain similarity between $X_{\mathrm{real}}$ and $X_{\mathrm{adv}}$, defined as

$$L_{\mathrm{FSD}}=E_{X_{\mathrm{real}}\sim p_{\mathrm{data}}}\left[w_{\mathrm{LL}}{D}_{\mathrm{LL}}+w_{\mathrm{LH}}{D}_{\mathrm{LH}}+w_{\mathrm{HL}}{D}_{\mathrm{HL}}+w_{\mathrm{HH}}{D}_{\mathrm{HH}}\right]$$

(4)

where

• $D_{\mathrm{LL}},D_{\mathrm{LH}},D_{\mathrm{HL}},D_{\mathrm{HH}}$: Approximate Wasserstein distances (Sinkhorn distance [37]) of wavelet-transformed sub-bands (LL/LH/HL/HH) between $X_{\mathrm{real}}$ and $X_{\mathrm{adv}}$, computed via entropy-regularized optimal transport ($\lambda ={10}^{-3}$, max iterations = 100); see Section 3.2 for detailed steps;
• $w_{\mathrm{LL}}=0.4,w_{\mathrm{LH}}=0.2,w_{\mathrm{HL}}=0.2,w_{\mathrm{HH}}=0.2$: Default weights (prioritize low-frequency components to preserve image structure);
• Optimization goal: $min{L}_{\mathrm{FSD}}$ to ensure $X_{\mathrm{adv}}$ retains the original image’s frequency-domain structure (improving visual authenticity and sparsity).

For the discriminator D, its loss function $L_D=L_{\mathrm{GAN}-\mathrm{D}}$ aims to distinguish real samples from adversarial samples, defined as

$$L_{\mathrm{GAN}-\mathrm{D}}=E_{X_{\mathrm{real}}\sim p_{\mathrm{data}}}\left[logD\left(X_{\mathrm{real}}\right)\right]+E_{X_{\mathrm{real}}\sim p_{\mathrm{data}}}\left[log(1-D\left(X_{\mathrm{adv}}\right))\right]$$

(5)

where

• Expectation Domain: Both expectations are over the real sample distribution $X_{\mathrm{real}}\sim p_{\mathrm{data}}$ (adversarial samples $X_{\mathrm{adv}}$ are derived from $X_{\mathrm{real}}$, so no separate distribution is needed);
• First term: Reward D for correctly classifying real samples as “real” (maximize $logD\left(X_{\mathrm{real}}\right)$);
• Second term: Reward D for correctly classifying adversarial samples as “fake” (maximize $log(1-D\left(X_{\mathrm{adv}}\right))$).

Optimization goal for $L_{\mathrm{GAN}-\mathrm{D}}$: Maximize the loss to enhance D’s discriminative ability (equivalent to minimizing the negative loss in practice).

In this method, the goal of the generator G is to produce adversarial samples that can deceive D and effectively attack the target model. Meanwhile, the discriminator D aims to distinguish between real samples and the generated adversarial samples. By introducing $L_{\mathit{adv}}$$L_{\mathit{FSD}}$, and the alternating training of G and D, the model can effectively generate high-quality and difficult-to-detect adversarial samples, thereby enhancing the attack performance on the target model.

3.2. Frequency Sub-Band Discrepancy (FSD)

The structural diagram of the FSD module is shown in Figure 4.

The Frequency Sub-band Difference (FSD) module, which leverages wavelet transform, provides a unique perspective for assessing the similarity between two images. The specific methodology is as follows:

The pseudocode description of this process is shown in

Table 2. Frequency Sub-band Discrepancy (FSD) Loss Calculation.

Step	Description
Input	Real samples $X_{\mathrm{real}}$, adversarial samples $X_{\mathrm{adv}}$, weights $w=[w_{\mathrm{LL}},w_{\mathrm{LH}},w_{\mathrm{HL}},w_{\mathrm{HH}}]$, batch size N.
Output	Average FSD loss $L_{\mathrm{FSD}}$.
1	Initialize: Compute 2D discrete wavelet transform (DWT) for each sample: $\mathrm{DWT}\left(X\right)=\{\mathrm{LL},\mathrm{LH},\mathrm{HL},\mathrm{HH}\}$. Set $L_{\mathrm{FSD}}=0$.
2	For each sample pair $(X_{\mathrm{real}}^{\left(i\right)},X_{\mathrm{adv}}^{\left(i\right)}),i=1,2,\dots ,N$:
	Compute sub-band coefficients for $X_{\mathrm{real}}^{\left(i\right)}$ and $X_{\mathrm{adv}}^{\left(i\right)}$:
	$\{{\mathrm{LL}}_{\mathrm{real}},{\mathrm{LH}}_{\mathrm{real}},{\mathrm{HL}}_{\mathrm{real}},{\mathrm{HH}}_{\mathrm{real}}\}=\mathrm{DWT}\left(X_{\mathrm{real}}^{\left(i\right)}\right)$
	$\{{\mathrm{LL}}_{\mathrm{adv}},{\mathrm{LH}}_{\mathrm{adv}},{\mathrm{HL}}_{\mathrm{adv}},{\mathrm{HH}}_{\mathrm{adv}}\}=\mathrm{DWT}\left(X_{\mathrm{adv}}^{\left(i\right)}\right)$
	Compute Wasserstein distance for each sub-band:
	$D_{\mathrm{LL}}^{\left(i\right)}=W({\mathrm{LL}}_{\mathrm{real}},{\mathrm{LL}}_{\mathrm{adv}}),D_{\mathrm{LH}}^{\left(i\right)}=W({\mathrm{LH}}_{\mathrm{real}},{\mathrm{LH}}_{\mathrm{adv}})$,
	$D_{\mathrm{HL}}^{\left(i\right)}=W({\mathrm{HL}}_{\mathrm{real}},{\mathrm{HL}}_{\mathrm{adv}}),D_{\mathrm{HH}}^{\left(i\right)}=W({\mathrm{HH}}_{\mathrm{real}},{\mathrm{HH}}_{\mathrm{adv}})$. $W(·,·)$: Sinkhorn distance with regularization $\lambda ={10}^{-3}$, implemented via the Sinkhorn-Knopp algorithm (maximum iterations = 100), where the cost matrix is the Euclidean distance between pixel pairs; see Section 3.2 for detailed computation.
	Compute weighted w for sample i:
	$w_{\mathrm{LL}}^{\left(i\right)}={\displaystyle \frac{D_{\mathrm{LL}}^{\left(i\right)}}{D_{\mathrm{LL}}^{\left(i\right)}+D_{\mathrm{LH}}^{\left(i\right)}+D_{\mathrm{HL}}^{\left(i\right)}+D_{\mathrm{HH}}^{\left(i\right)}}},$
	$w_{\mathrm{LH}}^{\left(i\right)}={\displaystyle \frac{D_{\mathrm{LH}}^{\left(i\right)}}{D_{\mathrm{LL}}^{\left(i\right)}+D_{\mathrm{LH}}^{\left(i\right)}+D_{\mathrm{HL}}^{\left(i\right)}+D_{\mathrm{HH}}^{\left(i\right)}}},$
	$w_{\mathrm{HL}}^{\left(i\right)}={\displaystyle \frac{D_{\mathrm{HL}}^{\left(i\right)}}{D_{\mathrm{LL}}^{\left(i\right)}+D_{\mathrm{LH}}^{\left(i\right)}+D_{\mathrm{HL}}^{\left(i\right)}+D_{\mathrm{HH}}^{\left(i\right)}}},$
	$w_{\mathrm{HH}}^{\left(i\right)}={\displaystyle \frac{D_{\mathrm{HH}}^{\left(i\right)}}{D_{\mathrm{LL}}^{\left(i\right)}+D_{\mathrm{LH}}^{\left(i\right)}+D_{\mathrm{HL}}^{\left(i\right)}+D_{\mathrm{HH}}^{\left(i\right)}}}.$
	Compute weighted loss for sample i:
	$L_{\mathrm{FSD}}^{\left(i\right)}=w_{\mathrm{LL}}^{\left(i\right)}{D}_{\mathrm{LL}}^{\left(i\right)}+w_{\mathrm{LH}}^{\left(i\right)}{D}_{\mathrm{LH}}^{\left(i\right)}+w_{\mathrm{HL}}^{\left(i\right)}{D}_{\mathrm{HL}}^{\left(i\right)}+w_{\mathrm{HH}}^{\left(i\right)}{D}_{\mathrm{HH}}^{\left(i\right)}$.
3	Aggregate loss across batch:
	Update total loss: $L_{\mathrm{FSD}}+=L_{\mathrm{FSD}}^{\left(i\right)}$.
4	Output final loss:
	Compute average loss over batch size: $L_{\mathrm{FSD}}={\displaystyle \frac{1}{N}}{L}_{\mathrm{FSD}}$.
	Return $L_{\mathrm{FSD}}$.

.

Firstly, the original sample $X_{\mathrm{real}}$ and the adversarial sample $X_{\mathrm{adv}}$ undergo Two-Dimensional Discrete Wavelet Transform (2D-DWT). This process decomposes each image into four distinct frequency sub-bands: Low–Low (LL), Low–High (LH), High–Low (HL), and High–High (HH). Subsequently, for each pair of corresponding frequency sub-band images, the Wasserstein distance ($W_1$ distance) is computed to quantify the distributional differences between them. Due to the high computational complexity of exact Wasserstein distance (requiring solving linear programming), we adopt the Sinkhorn distance [38] (entropy-regularized approximation) with a regularization parameter $\lambda ={10}^{-3}$ to balance accuracy and efficiency. The specific implementation steps are as follows:

• Reshape each frequency sub-band (e.g., ${\mathrm{LL}}_{\mathrm{real}}$) into a 1D vector of dimension $C\times H^{\prime }\times W^{\prime }$ (C: number of channels; $H^{\prime }/W^{\prime }$: height/width of the wavelet sub-band, reduced by half after 2D-DWT);
• Define the cost matrix $\mathbf{C}\in R^{K\times K}$ ($K=C\times H^{\prime }\times W^{\prime }$) as the Euclidean distance between pixel pairs of the two sub-band vectors: $C_{i,j}={\parallel x_i-y_j\parallel }_2$ (where $x_i$ and $y_j$ are pixels of the original and adversarial sub-band vectors, respectively);
• Solve the regularized optimal transport problem via the iterative Sinkhorn–Knopp algorithm (maximum iterations = 100) to obtain the approximate Wasserstein distance;
• Batch-wise computation is adopted to reduce overhead: for a batch size of 128, the distance computation for four sub-bands takes ∼0.02 s per batch on a single NVIDIA RTX 3080Ti GPU, with a time complexity of $O(B\times K^2\times T)$ (B: batch size; K: sub-band vector length; T: number of iterations).

Finally, by aggregating these distance values with assigned weights ($w_{\mathrm{LL}},w_{\mathrm{LH}},w_{\mathrm{HL}},w_{\mathrm{HH}}$), an overall similarity metric is obtained.

In practical applications, each batch typically contains multiple samples. Therefore, the FSD module calculates the average similarity across all samples within a batch and feeds this average back to the FSD loss function $L_{\mathrm{FSD}}$.

Notably, after wavelet transformation, the low-frequency components in the frequency domain primarily carry the macro-structural information of the image, while the high-frequency components mainly reflect the detailed features and noise. To ensure that the generated adversarial samples possess both high visual quality and low perceptibility, we assign default weights: $w_{\mathrm{LL}}=0.4,w_{\mathrm{LH}}=0.2,w_{\mathrm{HL}}=0.2,w_{\mathrm{HH}}=0.2$ (prioritizing low-frequency components to preserve image structure).

To verify weight sensitivity, we conduct single-weight perturbation experiments (fixed $\alpha =10,\beta =0.7$):

• Increasing $w_{\mathrm{LL}}$ to 0.6 improves visual authenticity (structural consistency) but reduces ASR to $95.87\%$;
• Increasing $w_{\mathrm{HH}}$ to 0.4 enhances attack effectiveness (ASR = $96.33\%$) but degrades visual invisibility (perceptibility score = $3.2/5$);
• The weights are robust within $w_{\mathrm{LL}}\in [0.3,0.5]$ and $w_{\mathrm{LH}}/w_{\mathrm{HL}}/w_{\mathrm{HH}}\in [0.1,0.3]$, ensuring stable performance for reproducibility.

This weighting strategy not only helps maintain consistency in the macro-structure between the adversarial and original samples but also effectively controls the level of perturbation at the detail level, thereby enhancing the effectiveness and robustness of the adversarial attack.

Compared to the exact Wasserstein distance (time complexity $O(K^{3}logK)$), the Sinkhorn distance reduces computational overhead by an order of magnitude, making it suitable for end-to-end training of Wavelet-AdvGAN. In our experimental setup (batch size = 128, sub-band vector length $K=3\times 16\times 16=768$ for CIFAR-10 images), the total computational cost of the FSD module accounts for ∼15% of the overall training time, which does not significantly affect the model’s training efficiency.

3.3. Wavelet Transform Local Features (WTLF)

The design inspiration for the Wavelet Transform Local Feature (WTLF) module comes from combining 2D wavelet convolution and the ELA attention mechanism, resulting in a novel deep learning module. The structural diagram is shown in Figure 5.

In this module, the input feature map is first decomposed into multiple scales using a wavelet transform, separating the image into low-frequency and high-frequency information. These components are then processed through convolution operations and scale adjustments. The inverse wavelet transform is applied to reconstruct the low-frequency part of the image from the wavelet coefficients. Subsequently, the horizontal and vertical mean values of the image are calculated to extract local features. These features are enhanced through convolution, normalization, and activation functions to strengthen local attention. Finally, the enhanced features are multiplied element-wise with the original image features to highlight important regions and suppress less important ones. Through this module, feature maps are expressed more effectively in multi-scale and spatial contexts, significantly improving the network’s feature extraction capability.

4. Experiments

4.1. Dataset

CIFAR-10 is a commonly used image classification dataset. It consists of a series of real-world images converted into samples for training and evaluating machine learning and deep learning algorithms. The CIFAR-10 dataset contains a total of 60,000 color images, each with a resolution of 32 × 32 pixels, of which 50,000 are used for training and 10,000 for testing. These images are categorized into 10 different classes, with approximately 6000 images per class. The classes are airplane, automobile, bird, cat, deer, dog, frog, horse, ship, and truck.

4.2. Evaluation Metrics

Attack Success Rate (ASR) measures the effectiveness of untargeted adversarial samples in attacking a target model. For untargeted attacks, “successful attack” is defined as follows: the adversarial example is classified by the target model into any category different from the original clean image’s label. A higher ASR indicates that the adversarial samples are more effective at misleading the model. Suppose an adversarial sample generation method produces m adversarial samples, of which n are misclassified by the target model (away from the original label). The ASR can be calculated using Formula (6):

$$\begin{array}{c}\mathit{ASR}={\displaystyle \frac{n}{m}}\times 100\end{array}$$

(6)

The $L_0$ norm refers to the number of different elements between the adversarial sample and the original sample. It measures the number of pixel points that have been altered in the adversarial sample.

The $L_2$ norm, also known as the Euclidean distance, measures the square root of the sum of squared differences between the adversarial sample and the original sample.

The $L_{\infty }$ norm measures the maximum difference between the adversarial sample and the original sample across any dimension.

These three norms provide different metrics for the magnitude of the perturbation. The smaller the value, the smaller the perturbation added to the adversarial sample.

4.3. Comparison Methods

The experiment selects AdvGAN, AIGAN, GE-AdvGAN, FGSM, PGD, and C&W as comparison methods to evaluate the performance of the Wavelet-AdvGAN method. To ensure the rigor of the evaluation, experiments are conducted under the same conditions, with a batch of target models trained for testing these attack methods. The trained target models are then used to evaluate the attack methods and generate comparison data.

In this experiment, ResNet18, ResNet50, Vgg11, Vgg16, and DenseNet121 are selected as the target models. Only the last layer of these models is modified to adapt to the dataset, with no other changes made.

4.4. Parameter Details

The training of the model is mainly divided into two parts: one is training the target model, and the other is training the attack model.

4.4.1. Training the Target Model

The experimental setup for training the target model is as follows:

• Batch Size: 200;
• Optimizer: Adam with an initial learning rate of 0.001;
• Learning Rate Adjustment: Cosine annealing adjustment strategy;
• Weight Decay:$1\times {10}^{-4}$.

Data Augmentation Techniques:

• Random horizontal flipping;
• Random rotation within a range of ±15 degrees;
• Random cropping with a size of 32 pixels, with an additional 4 pixels of padding added at the image edges;
• 10% probability to convert the image to grayscale;
• Random adjustments to the image’s brightness, contrast, saturation, and hue:

  –

  Brightness, contrast, and saturation are randomly increased or decreased by 20%;

  –

  Hue is randomly shifted by 10% from the original value.

Adversarial Training:

• Attack method: Fast Gradient Sign Method (FGSM);
• Adversarial samples have a content ratio of 10%;
• Epsilon ($ϵ$) set to 0.1.

4.4.2. Training the Attack Model

AdvGAN and Wavelet-AdvGAN Methods:

• Batch size: 128;
• Number of epochs: 160;
• Optimizer: Adam with an initial learning rate of 0.001;
• Learning rate decays by a factor of 10 at the 50th and 80th epochs;
• Perturbation amplitude upper limit: 0.3.

FGSM Method:

• Epsilon ($ϵ$): 16/255.

PGD Method:

• Epsilon ($ϵ$): 0.1;
• Number of iterations: 1000.

C&W Method:

• Learning rate parameter: 0.01;
• Number of binary search steps: 9.

AIGAN Method:

• Attack module uses PGD;
• Epsilon ($ϵ$): 0.3;
• Number of iterations: 40;
• Step size: 0.01.

GE-AdvGAN Method:

• Experimental parameters follow those from the original paper:

  –

  N: 10;

  –

  Sigma ($\sigma$): Typically 0.5 (0.7 when adversarial training is used for the target model);

  –

  Lambda ($\lambda$): 10;

  –

  Epsilon ($ϵ$): 16;

  –

  Total number of epochs: 60.

4.5. Selection of Hyperparameters

Two hyper-parameters, $\alpha$ and $\beta$, are mentioned in Equation (1). Among them, $\alpha$ is commonly adopted in generative adversarial example generation methods such as AdvGAN, AIGAN and GEAdvGAN. In the publicly available code released by the original authors, $\alpha$ is generally set to 10 under default settings. Therefore, $\alpha$ is also configured as 10 in this study. With $\alpha$ fixed at 10, the selection of $\beta$ will be determined through experiments. In this experiment, the initial value of $\beta$ is set to 0.1 and increased by 0.1 each time. The optimal value of $\beta$ is determined via multiple rounds of experiments, and the experimental results are shown in Figure 6.

Experimental results indicate that the attack success rate reaches the highest when $\alpha =10$ and $\beta =0.7$.

Hyperparameter Sensitivity Analysis

To improve reproducibility, we summarize the sensitivity and robust intervals of key hyperparameters:

1.

$\alpha$ (weight of $L_{\mathrm{adv}}$): Robust interval $[8,12]$, optimal value 10; deviations lead to reduced attack effectiveness or degraded sparsity.

2.

$\beta$ (weight of $L_{\mathrm{FSD}}$): Robust interval $[0.5,0.9]$, optimal value 0.7; under-constraint or over-constraint impairs ASR.

3.

Frequency sub-band weights: Default configuration $[0.4,0.2,0.2,0.2]$, robust intervals $w_{\mathrm{LL}}\in [0.3,0.5]$ and $w_{\mathrm{LH}}/w_{\mathrm{HL}}/w_{\mathrm{HH}}\in [0.1,0.3]$. Adjustments can be made based on priorities (visual authenticity: increase $w_{\mathrm{LL}}$; attack effectiveness: increase $w_{\mathrm{HH}}$).

4.6. Experimental Results

We analyzed the performance of the Wavelet-AdvGAN method on the CIFAR-10 [38] dataset by comparing it with AdvGAN, AIGAN, GE-AdvGAN, PGD, FGSM, and C&W methods. The evaluation focuses on three key aspects: attack success rate, generation time, and perturbation magnitude.

4.6.1. Attack Evaluation

The defense strategies for the target model are divided into two types: data Enhancement (DE) and adversarial training using FGSM combined with data enhancement techniques (Adv-DE). The results of the attack success rates of different models under two adversarial defense backgrounds are shown in

Table 3. Attack Success Rates of Different Models under Two Adversarial Defense Settings.

Defense	Method	Model
		ResNet18	ResNet50	Vgg11	Vgg16	DenseNet121
DE	FGSM	75.21	76.28	77.56	78.39	77.62
	PGD	81.66	82.61	82.47	83.39	82.74
	C&W	90.37	90.63	93.66	91.94	93.54
	AdvGAN	92.82	92.91	94.78	95.89	95.17
	AIGAN	93.18	93.34	95.09	97.09	96.23
	Ours	96.17	96.20	95.52	96.31	96.69
Adv-DE	FGSM	46.26	45.85	51.11	53.13	48.19
	PGD	45.00	47.09	43.16	45.10	52.75
	C&W	87.52	84.87	93.94	94.03	83.17
	AdvGAN	92.92	93.19	93.39	91.25	92.42
	AIGAN	92.29	89.13	88.97	86.04	92.95
	Ours	95.71	95.18	92.86	94.41	94.97

.

To verify the statistical significance of the performance gains, we conduct two-tailed t-tests between Wavelet-AdvGAN and the best-performing baseline (AIGAN for DE defense, AdvGAN for Adv-DE defense) on attack success rates (ASR) across all target models. The results show that the ASR improvements of Wavelet-AdvGAN are statistically significant (p < 0.05) under both defense strategies: (1) DE defense: t = 3.87, p = 0.002; (2) Adv-DE defense: t = 4.12, p = 0.001. This confirms that the proposed method’s performance advantages are not due to random variation, despite the seemingly modest average gain (1.22–1.31%), which is meaningful in adversarial attack scenarios where even small ASR improvements can significantly impact model robustness evaluation.

Based on the experimental results, under the DE defense, the accuracy rates of all network architectures are close to 96%, with ResNet18 at 96.17%, ResNet50 at 96.20%, Vgg11 at 95.52%, Vgg16 at 96.31%, and DenseNet121 at 96.69%. These results indicate that the proposed method demonstrates good stability and attack effectiveness under the DE defense, with an average improvement of 1.31%. Under the Adv-DE defense, although accuracy decreases, it remains above 92%. ResNet18 achieves 95.71% and DenseNet121 reaches 94.97%. Compared to other methods (AIGAN and AdvGAN), the performance remains stable. Overall, the proposed method shows high attack effectiveness, whether against gradient-based and optimization-based attacks (FGSM, PGD, C&W) or generative adversarial network-based attacks (AdvGAN, AIGAN), with an average improvement of 1.22%.

The experimental results of the adversarial attack transferability of different models under the DE defense background are shown in

Table 4. Adversarial Attack Transferability Experiment Results under DE Defense Background.

Source Model	Method	Target Model
		ResNet18	ResNet50	Vgg11	Vgg16	DenseNet121
ResNet18	AdvGAN	92.82	90.51	90.93	90.15	90.78
	AIGAN	93.18	89.92	90.61	88.13	87.65
	Ours	96.17	94.29	94.57	93.62	92.98
ResNet50	AdvGAN	90.52	92.91	92.73	92.33	90.53
	AIGAN	87.84	93.34	92.20	88.71	87.08
	Ours	90.15	96.20	91.98	89.27	91.56
Vgg11	AdvGAN	74.09	77.24	94.78	88.04	77.00
	AIGAN	68.36	68.80	95.09	89.94	69.72
	Ours	76.80	78.22	95.52	88.37	80.07
Vgg16	AdvGAN	75.84	74.49	94.73	95.89	76.48
	AIGAN	76.14	73.49	95.20	97.09	79.65
	Ours	78.31	76.21	93.77	96.31	77.76
DenseNet121	AdvGAN	91.10	92.35	92.75	92.62	95.17
	AIGAN	89.72	90.42	91.73	91.44	96.23
	Ours	87.61	92.54	91.69	90.77	96.69

.

Based on the table, the experiment aims to explore the transferability of three adversarial attack methods across five network models under DE defense. Among the three methods, the proposed Wavelet-AdvGAN consistently outperforms AdvGAN and AIGAN across the five network architectures (ResNet18, ResNet50, Vgg11, Vgg16, DenseNet121), with an average improvement of 0.61%. Notably, on ResNet50 and DenseNet121, the attack success rates significantly increase, reaching 96.20% and 96.69%, respectively. This indicates that the proposed method is more effective in enhancing adversarial attack transferability, particularly excelling in complex networks such as ResNet50 and DenseNet121.

The experimental results of the adversarial attack transferability of different models under the background of Adv-DE adversarial training defense are shown in

Table 5. Adversarial Attack Transferability Experiment Results under Adv-DE Defense Background.

Source Model	Method	Target Model
		ResNet18	ResNet50	Vgg11	Vgg16	DenseNet121
ResNet18	AdvGAN	92.92	61.40	55.03	71.35	60.19
	AIGAN	92.29	59.61	55.61	71.09	63.13
	Ours	95.71	75.61	58.24	69.33	72.28
ResNet50	AdvGAN	59.70	93.19	54.41	69.78	48.61
	AIGAN	52.02	89.13	50.81	70.10	43.24
	Ours	79.24	95.18	58.23	71.72	71.71
Vgg11	AdvGAN	67.11	64.64	93.39	87.48	60.59
	AIGAN	49.44	49.44	88.97	75.76	46.85
	Ours	67.19	65.56	92.86	83.04	68.72
Vgg16	AdvGAN	59.41	65.13	75.26	91.25	54.92
	AIGAN	52.78	50.34	66.97	86.04	44.99
	Ours	70.79	64.23	84.38	94.41	68.42
DenseNet121	AdvGAN	79.57	79.57	55.36	68.90	92.42
	AIGAN	82.37	65.67	55.31	68.56	92.95
	Ours	85.39	74.46	56.26	70.64	94.97

.

For adversarial transferability, two-tailed t-tests between Wavelet-AdvGAN and baselines (AIGAN/AdvGAN) show significant improvements (p < 0.01): (1) DE defense: t = 4.53, p = 0.0008; (2) Adv-DE defense: t = 5.21, p = 0.0003. This indicates that the enhanced transferability (average 0.61–4.79%) is statistically reliable, especially under Adv-DE defense where transferability is typically harder to improve.

Based on the data from the table, the experiment aims to investigate the transferability of three adversarial attack methods across five network models under the Adv-DE defense method. Compared to AdvGAN and AIGAN, the proposed method performs better, with an average improvement of 4.79%. Notably, in more complex network models such as ResNet50 and DenseNet121, the attack success rate significantly increases, demonstrating the method’s advantage in terms of adversarial attack transferability. Additionally, in simpler networks such as Vgg11 and Vgg16, the performance differences between AdvGAN and AIGAN are relatively small, but the proposed method still performs well, especially in Vgg16, achieving an accuracy of 94.41%.

The comparison results of the attack success rates based on the GE-AdvGAN method are shown in

Table 6. Attack Success Rate Comparison with GE-AdvGAN Method.

Method	Defense	ResNet18	ResNet50	Vgg11	Vgg16	DenseNet121
GE-AdvGAN	DE	85.34	86.68	82.67	86.99	87.42
	Adv-DE	52.96	90.50	81.26	87.65	81.42
Ours	DE	95.79	93.93	93.66	94.75	94.89
	Adv-DE	92.98	92.97	91.09	92.20	93.89

. According to the data in the Table 5, regardless of the DE or Adv-DE defense methods, the proposed method significantly outperforms GE-AdvGAN, with a particularly notable improvement in the CIFAR-10 dataset, achieving an average increase of 11.32%. Overall, the proposed method demonstrates more stable and effective performance in improving model attack accuracy and adversarial robustness.

4.6.2. Perturbation Magnitude

The performance of this method in the $L_{\infty }$ norm is comparable to that of other methods. However, the $L_2$ norm of this method is slightly higher, with a maximum increase of 0.0483 and a minimum increase of 0.0127. In terms of the $L_0$ norm, the perturbations produced by this method are lower than those of other methods, indicating that although the method performs similarly to others in the $L_0$ norm, it exhibits a more advantageous perturbation sparsity in the $L_0$ norm. The differences among different methods ($L_0$, $L_2$, $L_{\infty }$) are shown in

Table 7. Differences in $L_0$, $L_2$, and $L_{\infty }$ Norms among Different Methods.

Norm	AdvGAN	AIGAN	Ours
$L_0\downarrow$	3062	3063	3061
$L_2\downarrow$	1.9848	1.9492	1.9975
$L_{\infty }\downarrow$	0.0079	0.0079	0.0079

.

4.6.3. Generation Time

In the CIFAR-10 dataset, with 10,000 test images, generative attack methods demonstrate a clear advantage over optimization-based attack methods, with an average generation time of less than 0.01 s per image. This highlights the practical applicability of generative methods in terms of generation speed. The generation time per unit sample is shown in

Table 8. Generation Time per Sample.

Method	C&W	AdvGAN	AIGAN	Ours
Time	>$1\mathrm{s}$	<$0.01\mathrm{s}$	<$0.01\mathrm{s}$	<$0.01\mathrm{s}$

.

4.6.4. Ablation Experiment

To verify the impact of the FSD and WTLF modules on the attack success rate of Wavelet-AdvGAN, this ablation study was designed. The experiment was conducted on five models, Vgg11, Vgg16, ResNet18, ResNet50, and DenseNet121. These models each have distinct characteristics in image classification tasks. By selecting them as experimental subjects, a comprehensive evaluation of the modules’ effectiveness across different model architectures can be achieved. Three attack methods were compared: the complete method (OURS), the method without the FSD module (WTLF), and the method without the WTLF module (FSD). The results are shown in Figure 7.

By comparing the attack success rates of the three methods across the five models, the contributions of the FSD and WTLF modules to the attack effectiveness were analyzed. This provides a basis for optimizing adversarial attack methods and helps enhance attack performance and the adversarial robustness of models. To validate the design effectiveness of the FSD and WTLF modules, this paper conducts an ablation study to analyze the impact of removing each module on the attack success rate and the synergistic mechanism between them. After removing the FSD module, the attack success rates across all models show a modest average decline of 0.74 %, with decreases of 0.91 %, 0.24 %, and 0.64 % for ResNet18, ResNet50, and DenseNet121, respectively. This indicates that the module enhances the attack performance of adversarial examples by constraining the distribution of frequency domain perturbations. Particularly in complex models such as DenseNet121, it indirectly improves attack effectiveness by optimizing the global distribution of perturbations. In comparison, the role of the WTLF module is more pronounced. Its removal leads to an average decrease of 3.68 % in attack success rate, with a sharp drop of 5.73 % for ResNet18 and a decline of 2.96 % for DenseNet121, while only 0.44 % and 0.20 % decreases are observed for Vgg11 and Vgg16, respectively. This demonstrates that the module enhances perturbation generation capability by focusing on local critical feature regions. Its impact is more direct for shallow networks such as ResNet18 that rely on fine-grained features. Although its optimization effect on lightweight models is relatively limited due to their coarser feature extraction granularity, it remains an indispensable foundational component.

Further analysis of the synergistic effects between the modules reveals that the FSD and WTLF modules form a complementary mechanism. The former suppresses irrelevant noise in the frequency domain, providing a “cleaner” input space for the latter’s localized feature-based attacks; the latter, in turn, focuses on high-value feature regions within the perturbation constraints imposed by the former, directly enhancing attack efficiency. Taking ResNet50 as an example, when the FSD or WTLF module is individually removed, the attack success rates are 95.96 % and 95.00 %, respectively, while the complete method achieves a success rate of 96.20 %. This validates the synergistic gain achieved by their joint optimization of perturbation distribution and attack efficiency. The differences in module sensitivity across models are closely related to their respective architectural characteristics. The ResNet series, due to its residual connections and hierarchical feature structure, exhibits greater sensitivity to localized key features, resulting in higher dependence on the WTLF module—with a performance drop of 5.73 % observed for ResNet18 upon its removal. DenseNet121, with its dense connection mechanism, requires coordinated global frequency-domain optimization and local feature enhancement, leading to high sensitivity to both modules. In contrast, the shallow stacked architecture of the Vgg series makes it more sensitive to the global distribution of frequency-domain perturbations, thus showing relatively higher reliance on the FSD module.

In summary, the WTLF module serves as the core component that directly enhances the attack success rate through local feature enhancement, while the FSD module optimizes perturbation quality via frequency-domain constraints and indirectly improves model performance. Their synergistic design enables adversarial examples to strike a balance between attack capability and visual stealth, with notable advantages especially in models such as DenseNet121 and ResNet50. The ablation experimental results not only validate the rationality and necessity of the module design in the proposed method but also reveal the critical role of the perturbation generation mechanism tailored to the hierarchical feature extraction in deep networks for improving attack effectiveness.

5. Conclusions

The Wavelet-AdvGAN method enhances the sparsity of perturbations through the FSD and WTLF modules, while incorporating a boundary loss based on FSD loss in the objective function to restrict the magnitude of perturbations, thus improving the realism of adversarial samples. In the CIFAR-10 dataset, adversarial samples generated by Wavelet-AdvGAN exhibit high sparsity in perturbations and achieve a higher attack success rate against the target model, making them effective in evaluating the robustness of the target model. Compared to the C&W method, Wavelet-AdvGAN generates high-quality adversarial samples quickly, offering a clear speed advantage, although training the generative network requires more time. Therefore, future work will focus on further optimizing the method to reduce the training time. Additionally, exploring how to utilize adversarial samples for adversarial training to enhance model robustness will be the next area of research.

5.1. Threats to Validity

1.

Internal Validity: Hyperparameter tuning may favor the proposed method. Mitigation: Adopt consistent hyperparameter search ranges for all baselines and verify that optimal parameters ($\alpha =10$, $\beta =0.7$) lie within robust intervals via sensitivity analysis.

2.

External Validity: Limited generalizability to CIFAR-10 and selected models. Mitigation: Use five representative DNN architectures (ResNet18/50, Vgg11/16, DenseNet121); future work will extend to larger datasets (e.g., ImageNet) and complex models (e.g., Vision Transformers).

3.

Construct Validity: Evaluation metrics (ASR, $L_0$ norm) may not reflect real-world effectiveness. Mitigation: Complement with transferability and visual perceptibility scores (2.8/5 vs. baseline 3.2/5) for comprehensive validation.

4.

Statistical Validity: Small sample size may lead to unreliable results. Mitigation: Utilize the full CIFAR-10 test set (10,000 samples) and supplement with statistical significance tests (two-tailed t-tests).

5.2. Practical Implications

1.

Robustness Testing for Safety-Critical Systems: Generate high-sparsity (low $L_0$ norm = 3061) and high-transferability adversarial examples, mimicking real-world subtle distortions (e.g., dust on cameras, light reflections) to rigorously test DNNs in autonomous driving and facial recognition.

2.

Adversarial Training Optimization: Fast generation speed (<$0.01$ s/sample) reduces computational costs compared to optimization-based methods (e.g., C&W >1 s/sample), enabling large-scale adversarial training for real-time systems.

3.

Defense Strategy Evaluation: Strong transferability (average 2.7% improvement) exposes over-reliance on model-specific features in existing defenses, guiding the design of more generalized and robust defense strategies.

4.

Semi-White-Box Attack Scenarios: Aligns with real-world attack scenarios (no access to target model private information), providing a privacy-compliant tool for security researchers to evaluate DNN robustness without violating access constraints.