{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,10]],"date-time":"2026-02-10T12:32:50Z","timestamp":1770726770521,"version":"3.49.0"},"reference-count":38,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2026,2,9]],"date-time":"2026-02-09T00:00:00Z","timestamp":1770595200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Jilin Province Budgetary Capital Construction Fund Project","award":["2024C008-4"],"award-info":[{"award-number":["2024C008-4"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Entropy"],"abstract":"As deep learning models are increasingly embedded as critical components within complex socio-technical systems, understanding and evaluating their systemic robustness against adversarial perturbations has become a fundamental concern for system safety and reliability. Deep neural networks (DNNs) are highly effective in visual recognition tasks but remain vulnerable to adversarial perturbations, which can compromise their reliability in safety-critical applications. Existing attack methods often distribute perturbations uniformly across the input, ignoring the spatial heterogeneity of model sensitivity. In this work, we propose the Spatially Distributed Perturbation Strategy with Smoothed Gradient Sign Method (SD-SGSM), a adversarial attack framework that exploits decision-dependent regions to maximize attack effectiveness while minimizing perceptual distortion. SD-SGSM integrates three key components: (i) decision-dependent domain identification to localize critical features using a deterministic zero-out operator; (ii) spatially adaptive perturbation allocation to concentrate attack energy on sensitive regions while constraining background disturbance; and (iii) gradient smoothing via a hyperbolic tangent transformation to enable fine-grained and continuous perturbation updates. Extensive experiments on CIFAR-10 demonstrate that SD-SGSM achieves near-perfect attack success rates (ASR 99.9%) while substantially reducing \u21132 distortion and preserving high structural similarity (SSIM 0.947), outperforming both single-step and momentum-based iterative attacks. Ablation studies further confirm that spatial distribution and gradient smoothing act as complementary mechanisms, jointly enhancing attack potency and visual fidelity. These findings underscore the importance of spatially aware, decision-dependent adversarial strategies for system-level robustness assessment and the secure design of AI-enabled systems.<\/jats:p>","DOI":"10.3390\/e28020193","type":"journal-article","created":{"date-parts":[[2026,2,9]],"date-time":"2026-02-09T16:13:32Z","timestamp":1770653612000},"page":"193","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["A Spatially Distributed Perturbation Strategy with Smoothed Gradient Sign Method for Adversarial Analysis of Image Classification Systems"],"prefix":"10.3390","volume":"28","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-0724-1900","authenticated-orcid":false,"given":"Yanwei","family":"Xu","sequence":"first","affiliation":[{"name":"School of Management Science and Information Engineering, Jilin University of Finance and Economics, Changchun 130117, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3387-695X","authenticated-orcid":false,"given":"Jun","family":"Li","sequence":"additional","affiliation":[{"name":"School of Management Science and Information Engineering, Jilin University of Finance and Economics, Changchun 130117, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-1034-2671","authenticated-orcid":false,"given":"Dajun","family":"Chang","sequence":"additional","affiliation":[{"name":"School of Railway Locomotives and Rolling Stock, Jilin Tiedao University, Jilin 132299, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8203-8309","authenticated-orcid":false,"given":"Yuanfang","family":"Dong","sequence":"additional","affiliation":[{"name":"School of Economics and Management, Changchun University of Science and Technology, Changchun 130022, China"}]}],"member":"1968","published-online":{"date-parts":[[2026,2,9]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"e1567","DOI":"10.1002\/widm.1567","article-title":"Adversarial attacks in explainable machine learning: A survey of threats against models and humans","volume":"15","author":"Vadillo","year":"2025","journal-title":"Wiley Interdiscip. Rev. Data Min. Knowl. Discov."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"226","DOI":"10.1007\/s10462-025-11147-4","article-title":"Adversarial machine learning: A review of methods, tools, and critical industry sectors","volume":"58","author":"Pelekis","year":"2025","journal-title":"Artif. Intell. Rev."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Jumaatuden, D.M.H., Ali, M.A.M., and Isa, H.N. (2024). Balancing Efficiency and Effectiveness: Adversarial Example Generation in Pneumonia Detection. 2024 IEEE Symposium on Wireless Technology & Applications (ISWTA), IEEE.","DOI":"10.1109\/ISWTA62130.2024.10651652"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"e1868","DOI":"10.7717\/peerj-cs.1868","article-title":"Designing defensive techniques to handle adversarial attack on deep learning based model","volume":"10","author":"Vyas","year":"2024","journal-title":"PeerJ Comput. Sci."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"7867","DOI":"10.1109\/TPAMI.2025.3574432","article-title":"Blackboxbench: A comprehensive benchmark of black-box adversarial attacks","volume":"47","author":"Zheng","year":"2025","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Ma, J., Li, Y., Xiao, Z., Cao, A., Zhang, J., Ye, C., and Zhao, J. (2025). Jailbreaking prompt attack: A controllable adversarial attack against diffusion models. Findings of the Association for Computational Linguistics: NAACL 2025, Association for Computational Linguistics.","DOI":"10.18653\/v1\/2025.findings-naacl.172"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"124615","DOI":"10.1016\/j.apenergy.2024.124615","article-title":"Adversarial attacks in demand-side electricity markets","volume":"377","author":"Melendez","year":"2025","journal-title":"Appl. Energy"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Zeiler, M.D., and Fergus, R. (2014). Visualizing and understanding convolutional networks. European Conference on Computer Vision, Springer.","DOI":"10.1007\/978-3-319-10590-1_53"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"25","DOI":"10.1049\/cit2.12028","article-title":"A survey on adversarial attacks and defences","volume":"6","author":"Chakraborty","year":"2021","journal-title":"CAAI Trans. Intell. Technol."},{"key":"ref_10","first-page":"103227","article-title":"AB-FGSM: AdaBelief optimizer and FGSM-based approach to generate adversarial examples","volume":"68","author":"Wang","year":"2022","journal-title":"J. Inf. Secur. Appl."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Sen, J., and Dasgupta, S. (2023). Adversarial attacks on image classification models: FGSM and patch attacks and their impact. arXiv.","DOI":"10.5772\/intechopen.112442"},{"key":"ref_12","unstructured":"Nanda, U., Tripathy, A.K., Sahoo, J.P., Sarkar, M., and Li, K.C. (2024). The FGSM Attack on Image Classification Models and Distillation as Its Defense. Advances in Distributed Computing and Machine Learning, Springer."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Lupart, S., and Clinchant, S. (2023). A study on FGSM adversarial training for neural retrieval. European Conference on Information Retrieval, Springer.","DOI":"10.1007\/978-3-031-28238-6_39"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"You, H., Lu, Y., and Tang, H. (2023). Plant Disease Classification and Adversarial Attack Using SimAM-EfficientNet and GP-MI-FGSM. Sustainability, 15.","DOI":"10.3390\/su15021233"},{"key":"ref_15","unstructured":"Goodfellow, I.J., Shlens, J., and Szegedy, C. (2015). Explaining and harnessing adversarial examples. arXiv."},{"key":"ref_16","unstructured":"Sriram Shankar, V., H., A.G., Li, G., and Pokhrel, S.R. (2025). Enhancing FGSM Attacks with Genetic Algorithms for Robust Adversarial Examples in Remote Sensing Image Classification Systems. Applications and Techniques in Information Security, Springer."},{"key":"ref_17","unstructured":"Kurakin, A., Goodfellow, I., and Bengio, S. (2017). Adversarial machine learning at scale. arXiv."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"72279","DOI":"10.1007\/s11042-024-18475-7","article-title":"Trans-IFFT-FGSM: A novel fast gradient sign method for adversarial attacks","volume":"83","author":"Naseem","year":"2024","journal-title":"Multimed. Tools Appl."},{"key":"ref_19","first-page":"4469","article-title":"SAMI-FGSM: Towards Transferable Attacks with Stochastic Gradient Accumulation","volume":"84","author":"Feng","year":"2025","journal-title":"Comput. Mater. Contin."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"61113","DOI":"10.1109\/ACCESS.2024.3395118","article-title":"How deep learning sees the world: A survey on adversarial attacks & defenses","volume":"12","author":"Costa","year":"2024","journal-title":"IEEE Access"},{"key":"ref_21","unstructured":"Deng, Y., and Mu, T. (2024). Understanding and Improving Ensemble Adversarial Defense. Adv. Neural Inf. Process. Syst., 36, Available online: https:\/\/proceedings.neurips.cc\/paper_files\/paper\/2023\/file\/b589d92785e39486e978fa273d0dc343-Paper-Conference.pdf."},{"key":"ref_22","unstructured":"Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. (2014). Intriguing properties of neural networks. arXiv."},{"key":"ref_23","unstructured":"Qin, C., Martens, J., Gowal, S., Krishnan, D., Dvijotham, K., Fawzi, A., De, S., Stanforth, R., and Kohli, P. (2019). Adversarial robustness through local linearization. Adv. Neural Inf. Process. Syst., 32, Available online: https:\/\/proceedings.neurips.cc\/paper_files\/paper\/2019\/file\/0defd533d51ed0a10c5c9dbf93ee78a5-Paper.pdf."},{"key":"ref_24","unstructured":"Najafi, A., Maeda, S.i., Koyama, M., and Miyato, T. (2019). Robustness to adversarial perturbations in learning from incomplete data. Adv. Neural Inf. Process. Syst., 32, Available online: https:\/\/proceedings.neurips.cc\/paper_files\/paper\/2019\/file\/60ad83801910ec976590f69f638e0d6d-Paper.pdf."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"3659","DOI":"10.1109\/TIFS.2024.3359820","article-title":"Defense against adversarial attacks using topology aligning adversarial training","volume":"19","author":"Kuang","year":"2024","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"109955","DOI":"10.1016\/j.patcog.2023.109955","article-title":"Attack-invariant attention feature for adversarial defense in hyperspectral image classification","volume":"145","author":"Shi","year":"2024","journal-title":"Pattern Recognit."},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"128351","DOI":"10.1016\/j.neucom.2024.128351","article-title":"Adversarial example denoising and detection based on the consistency between Fourier-transformed layers","volume":"606","author":"Jung","year":"2024","journal-title":"Neurocomputing"},{"key":"ref_28","unstructured":"Shi, L., and Liu, W. (2024). Adversarial Self-Training Improves Robustness and Generalization for Gradual Domain Adaptation. Adv. Neural Inf. Process. Syst., 36, Available online: https:\/\/proceedings.neurips.cc\/paper_files\/paper\/2023\/file\/75b0edb869e2cd509d64d0e8ff446bc1-Paper-Conference.pdf."},{"key":"ref_29","unstructured":"Krizhevsky, A. (2026, January 03). Learning Multiple Layers of Features from Tiny Images. Available online: https:\/\/api.semanticscholar.org\/CorpusID:18268744."},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Dong, Y., Liao, F., Pang, T., Su, H., Zhu, J., Hu, X., and Li, J. (2018). Boosting adversarial attacks with momentum. 2018 IEEE Conference on Computer Vision and Pattern Recognition, IEEE.","DOI":"10.1109\/CVPR.2018.00957"},{"key":"ref_31","unstructured":"Lin, J., Song, C., He, K., Wang, L., and Hopcroft, J.E. (2019). Nesterov accelerated gradient and scale invariance for adversarial attacks. arXiv."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Dong, Y., Pang, T., Su, H., and Zhu, J. (2019). Evading defenses to transferable adversarial examples by translation-invariant attacks. 2019 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), IEEE.","DOI":"10.1109\/CVPR.2019.00444"},{"key":"ref_33","unstructured":"Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A. (2017). Towards deep learning models resistant to adversarial attacks. arXiv."},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"19843","DOI":"10.1007\/s10489-023-04532-5","article-title":"Exploring misclassifications of robust neural networks to enhance adversarial attacks","volume":"53","author":"Schwinn","year":"2023","journal-title":"Appl. Intell."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Carlini, N., and Wagner, D. (2017). Towards evaluating the robustness of neural networks. 2017 IEEE Symposium on Security and Privacy (SP), IEEE.","DOI":"10.1109\/SP.2017.49"},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Moosavi-Dezfooli, S.M., Fawzi, A., and Frossard, P. (2016). Deepfool: A simple and accurate method to fool deep neural networks. 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), IEEE.","DOI":"10.1109\/CVPR.2016.282"},{"key":"ref_37","unstructured":"Croce, F., and Hein, M. Minimally distorted adversarial examples with a fast adaptive boundary attack. Proceedings of the International Conference on Machine Learning."},{"key":"ref_38","unstructured":"Croce, F., and Hein, M. (2020). Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. Proceedings of the International Conference on Machine Learning, PMLR. Available online: https:\/\/proceedings.mlr.press\/v119\/croce20b.html."}],"container-title":["Entropy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1099-4300\/28\/2\/193\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,9]],"date-time":"2026-02-09T16:16:06Z","timestamp":1770653766000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1099-4300\/28\/2\/193"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,2,9]]},"references-count":38,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2026,2]]}},"alternative-id":["e28020193"],"URL":"https:\/\/doi.org\/10.3390\/e28020193","relation":{},"ISSN":["1099-4300"],"issn-type":[{"value":"1099-4300","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,2,9]]}}}