{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,8]],"date-time":"2026-06-08T13:59:55Z","timestamp":1780927195322,"version":"3.54.1"},"reference-count":28,"publisher":"MDPI AG","issue":"4","license":[{"start":{"date-parts":[[2020,11,13]],"date-time":"2020-11-13T00:00:00Z","timestamp":1605225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["MAKE"],"abstract":"<jats:p>Neural network classifiers (NNCs) are known to be vulnerable to malicious adversarial perturbations of inputs including those modifying a small fraction of the input features named sparse or L0 attacks. Effective and fast L0 attacks, such as the widely used Jacobian-based Saliency Map Attack (JSMA) are practical to fool NNCs but also to improve their robustness. In this paper, we show that penalising saliency maps of JSMA by the output probabilities and the input features of the NNC leads to more powerful attack algorithms that better take into account each input\u2019s characteristics. This leads us to introduce improved versions of JSMA, named Weighted JSMA (WJSMA) and Taylor JSMA (TJSMA), and demonstrate through a variety of white-box and black-box experiments on three different datasets (MNIST, CIFAR-10 and GTSRB), that they are both significantly faster and more efficient than the original targeted and non-targeted versions of JSMA. Experiments also demonstrate, in some cases, very competitive results of our attacks in comparison with the Carlini-Wagner (CW) L0 attack, while remaining, like JSMA, significantly faster (WJSMA and TJSMA are more than 50 times faster than CW L0 on CIFAR-10). Therefore, our new attacks provide good trade-offs between JSMA and CW for L0 real-time adversarial testing on datasets such as the ones previously cited.<\/jats:p>","DOI":"10.3390\/make2040030","type":"journal-article","created":{"date-parts":[[2020,11,13]],"date-time":"2020-11-13T08:44:02Z","timestamp":1605257042000},"page":"558-578","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":24,"title":["Probabilistic Jacobian-Based Saliency Maps Attacks"],"prefix":"10.3390","volume":"2","author":[{"given":"Th\u00e9o","family":"Combey","sequence":"first","affiliation":[{"name":"CentraleSup\u00e9lec, Mathematics and Computer Science Department, 3 Rue Joliot-Curie, 91192 Gif-sur-Yvette, France"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Ant\u00f3nio","family":"Loison","sequence":"additional","affiliation":[{"name":"CentraleSup\u00e9lec, Mathematics and Computer Science Department, 3 Rue Joliot-Curie, 91192 Gif-sur-Yvette, France"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Maxime","family":"Faucher","sequence":"additional","affiliation":[{"name":"CentraleSup\u00e9lec, Mathematics and Computer Science Department, 3 Rue Joliot-Curie, 91192 Gif-sur-Yvette, France"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Hatem","family":"Hajri","sequence":"additional","affiliation":[{"name":"IRT SystemX, 8 Avenue de la Vauve, 91120 Palaiseau, France"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2020,11,13]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., and Song, D. (2018, January 18\u201322). Robust Physical-World Attacks on Deep Learning Visual Classification. Proceedings of the 2018 IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2018, Salt Lake City, UT, USA.","DOI":"10.1109\/CVPR.2018.00175"},{"key":"ref_2","unstructured":"Sitawarin, C., Bhagoji, A.N., Mosenia, A., Chiang, M., and Mittal, P. (2018). DARTS: Deceiving Autonomous Cars with Toxic Signs. arXiv."},{"key":"ref_3","unstructured":"Papernot, N., Song, S., Mironov, I., Raghunathan, A., Talwar, K., and Erlingsson, \u00da. (2018). Scalable Private Learning with PATE. arXiv."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Song, L., Shokri, R., and Mittal, P. (2019, January 11\u201315). Privacy Risks of Securing Machine Learning Models against Adversarial Examples. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS 2019, London, UK.","DOI":"10.1145\/3319535.3354211"},{"key":"ref_5","unstructured":"Goodfellow, I.J., Shlens, J., and Szegedy, C. (2015). Explaining and harnessing adversarial examples. arXiv."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Kurabin, A., Goodfellow, I.J., and Bengio, S. (2017). Adversarial examples in the physical world. arXiv.","DOI":"10.1201\/9781351251389-8"},{"key":"ref_7","unstructured":"Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A. (2017). Towards Deep Learning Models Resistant to Adversarial Attacks. arXiv."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Papernot, N., McDaniel, P., Jha, S., Fredrikson, M., Berkay Celik, Z., and Swami, A. (2015). The limitations of deep learning in adversarial settings. arXiv.","DOI":"10.1109\/EuroSP.2016.36"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Moosavi-Dezfooli, S.M., Fawzi, A., and Frossard, P. (2015). Deepfool: A simple and accurate method to fool deep neural networks. arXiv.","DOI":"10.1109\/CVPR.2016.282"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Moosavi-Dezfooli, S., Fawzi, A., Fawzi, O., and Frossard, P. (2017, January 21\u201326). Universal Adversarial Perturbations. Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2017, Honolulu, HI, USA.","DOI":"10.1109\/CVPR.2017.17"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Carlini, N., and Wagner, D. (2017). Towards evaluating the robustness of neural networks. arXiv.","DOI":"10.1109\/SP.2017.49"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Modas, A., Moosavi-Dezfooli, S., and Frossard, P. (2019, January 16\u201320). SparseFool: A Few Pixels Make a Big Difference. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2019, Long Beach, CA, USA.","DOI":"10.1109\/CVPR.2019.00930"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"828","DOI":"10.1109\/TEVC.2019.2890858","article-title":"One Pixel Attack for Fooling Deep Neural Networks","volume":"23","author":"Su","year":"2019","journal-title":"IEEE Trans. Evol. Comput."},{"key":"ref_14","unstructured":"Papernot, N., Faghri, F., Carlini, N., Goodfellow, I.J., Feinman, R., Kurakin, A., Xie, C., Sharma, Y., Brown, T.H., and Roy, A. (2016). Technical Report on the CleverHans v2.1.0 Adversarial Examples Library. arXiv."},{"key":"ref_15","unstructured":"LeCun, Y., and Cortes, C. (2020, October 10). MNIST Handwritten Digit Database. Available online: http:\/\/yann.lecun.com\/exdb\/mnist\/."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Erba, A., Taormina, R., Galelli, S., Pogliani, M., Carminati, M., Zanero, S., and Tippenhauer, N.O. (2019). Real-time Evasion Attacks with Physical Constraints on Deep Learning-based Anomaly Detectors in Industrial Control Systems. arXiv.","DOI":"10.1145\/3427228.3427660"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Gong, Y., Li, B., Poellabauer, C., and Shi, Y. (2019). Real-Time Adversarial Attacks. arXiv.","DOI":"10.24963\/ijcai.2019\/649"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Lin, J., Dzeparoska, K., Zhang, S.Q., Leon-Garcia, A., and Papernot, N. (2020). On the Robustness of Cooperative Multi-Agent Reinforcement Learning. arXiv.","DOI":"10.1109\/SPW50608.2020.00027"},{"key":"ref_19","unstructured":"Parisi, A. (2019). Hands-On Artificial Intelligence for Cybersecurity, Packt Publishing."},{"key":"ref_20","unstructured":"Chio, C., and Freeman, D. (2018). Machine Learning and Security, Oreilly."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"657","DOI":"10.1007\/s10207-019-00482-7","article-title":"A context-aware robust intrusion detection system: A reinforcement learning-based approach","volume":"19","author":"Sethi","year":"2019","journal-title":"Int. J. Inf. Secur."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Deng, J., Dong, W., Socher, R., Li, L., Li, K., and Fei-Fei, L. (2009, January 20\u201325). ImageNet: A large-scale hierarchical image database. Proceedings of the 2009 IEEE Conference on Computer Vision and Pattern Recognition, Miami, FL, USA.","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"ref_23","unstructured":"Krizhevsky, A., Nair, V., and Hinton, G. (2020, October 10). CIFAR-10 (Canadian Institute for Advanced Research). Available online: http:\/\/www.cs.toronto.edu\/~kriz\/cifar.html."},{"key":"ref_24","unstructured":"Wiyatno, R., and Xu, A. (2018). Maximal Jacobian-based Saliency Map Attack. arXiv."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"323","DOI":"10.1016\/j.neunet.2012.02.016","article-title":"Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition","volume":"32","author":"Stallkamp","year":"2012","journal-title":"Neural Netw."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"2278","DOI":"10.1109\/5.726791","article-title":"Gradient-based learning applied to document recognition","volume":"86","author":"Lecun","year":"1998","journal-title":"Proc. IEEE"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Papernot, N., McDaniel, P.D., Goodfellow, I.J., Jha, S., Celik, Z.B., and Swami, A. (2016). Practical Black-Box Attacks against Deep Learning Systems using Adversarial Examples. arXiv.","DOI":"10.1145\/3052973.3053009"},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"84","DOI":"10.1145\/3065386","article-title":"Imagenet classification with deep convolutional neural networks","volume":"60","author":"Krizhevsky","year":"2017","journal-title":"Commun. Acm"}],"container-title":["Machine Learning and Knowledge Extraction"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2504-4990\/2\/4\/30\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T10:33:05Z","timestamp":1760178785000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2504-4990\/2\/4\/30"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,11,13]]},"references-count":28,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2020,12]]}},"alternative-id":["make2040030"],"URL":"https:\/\/doi.org\/10.3390\/make2040030","relation":{},"ISSN":["2504-4990"],"issn-type":[{"value":"2504-4990","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,11,13]]}}}