ULAN: A Universal Local Adversarial Network for SAR Target Recognition Based on Layer-Wise Relevance Propagation

Abstract

Recent studies have proven that synthetic aperture radar (SAR) automatic target recognition (ATR) models based on deep neural networks (DNN) are vulnerable to adversarial examples. However, existing attacks easily fail in the case where adversarial perturbations cannot be fully fed to victim models. We call this situation perturbation offset. Moreover, since background clutter takes up most of the area in SAR images and has low relevance to recognition results, fooling models with global perturbations is quite inefficient. This paper proposes a semi-white-box attack network called Universal Local Adversarial Network (ULAN) to generate universal adversarial perturbations (UAP) for the target regions of SAR images. In the proposed method, we calculate the model’s attention heatmaps through layer-wise relevance propagation (LRP), which is used to locate the target regions of SAR images that have high relevance to recognition results. In particular, we utilize a generator based on U-Net to learn the mapping from noise to UAPs and craft adversarial examples by adding the generated local perturbations to target regions. Experiments indicate that the proposed method effectively prevents perturbation offset and achieves comparable attack performance to conventional global UAPs by perturbing only a quarter or less of SAR image areas.

1. Introduction

Synthetic aperture radar (SAR) is widely used in military and civilian fields for its ability to image targets with high resolution under all-time and all-weather conditions [1,2,3]. However, unlike natural images, it is difficult for humans to intuitively understand SAR images without resorting to interpretation techniques. The most popular interpretation method at present is the SAR automatic target recognition (SAR-ATR) technology based on deep neural networks (DNNs) [4,5,6,7,8]. With their powerful representation capabilities, DNNs outperform traditional supervised methods in image classification tasks. Yet, some researchers have proved that DNN-based SAR target recognition models are vulnerable to adversarial examples [9].

Szegedy et al. [10] first proposed the concept of adversarial examples, that is, a well-designed tiny perturbation can lead to the misclassification of a well-trained recognition model. This discovery makes adversarial attacks become one of the biggest threats to artificial intelligence (AI) security. Thus far, researchers have proposed a series of adversarial attack methods, which can be divided into two categories from the perspective of prior knowledge: white-box attacks and black-box attacks. In white-box conditions, the attacker has high access to the victim model, which means that the attacker can utilize lots of prior information to craft adversarial examples. The typical white-box methods are gradient-based attacks [11,12], boundary-based attacks [13], saliency map-based attacks [14], etc. Conversely, in black-box conditions, the biggest challenge for attackers is that they can only access the output information of the victim model or even less. The representative black-box methods are probability label-based attacks [15,16], decision-based attacks [17], and transferability-based attacks [18]. While the above methods achieve fantastic attack performance, they all fool DNNs with data-dependent perturbations, i.e., each input corresponds to a different adversarial perturbation, which is hard to satisfy in real-world deployments. Moosavi et al. [19] first proposed a universal adversarial perturbation (UAP) that can deceive DNNs independently of the input data. Subsequently, the work in [20] designed a universal adversarial network to learn the mapping from noise to UAPs and demonstrated the transferability of UAPs across different network structures. Mopuri et al. [21] argue that it is difficult for attackers to obtain the training dataset of the victim model, so to reduce the dependence on the dataset, they proposed a data-free method to generate UAPs by destroying the features extracted by convolutional layers. Another data-free work [22] used class impressions to simulate a real data distribution, generating UAPs with high transferability. In the field of remote sensing, Xu et al. [23] were the first to investigate the adversarial attack and defense in safety-critical remote sensing tasks. Meanwhile, they also proposed the mixup attack [24] to craft universal adversarial examples for remote sensing data. Furthermore, researchers [25] have successfully attacked an advanced YOLOv2 detector in the real world with just a printed patch. Thus, a further study on adversarial examples, especially UAPs, is necessary for both attackers and defenders.

With the wide application of DNNs in the field of SAR-ATR, researchers have embarked on investigating the adversarial examples of SAR images. In terms of data-dependent perturbations, Li et al. [26] used the FGSM and BIM algorithms to produce abundant adversarial examples for a CNN-based SAR image classification model and comprehensively analyzed various factors affecting the attack success rate. The work in [27] presented a Fast C&W algorithm for real-time attacks that introduces an encoder network to generate adversarial examples through the one-step forward mapping of SAR images. To enhance the universality of adversarial perturbations, Wang et al. [28] utilized the method proposed in [19] to craft UAPs for SAR images and achieved high attack success rates. In addition, the latest research [29] has broken through the limitations of the digital domain and implemented the UAP of SAR images in the signal domain by transmitting a two-dimensional jamming signal.

Although the above methods perform well in fooling SAR target recognition models, they are vulnerable and inefficient in practical applications. Specifically, existing attack methods work on the assumption that the adversarial perturbations can be fully fed to the victim model, while this is not always true in practice, i.e., in many cases the perturbations fed to the model are incomplete, resulting in the failure of the adversarial attacks. We attribute the failure to the vulnerability of adversarial attacks and call this situation perturbation offset. For ease of understanding, we detail a specific example in Figure 1. On the other hand, we calculate the model’s attention heatmaps [30] through layer-wise relevance propagation (LRP) [31], which is used to analyze the relevance of each pixel in the SAR image to the recognition results. The pixel-wise attention heatmaps can be found in Section 4.3. The fact is that the background regions of SAR images have little relevance to the model’s outputs, and the features that greatly impact the recognition results are mainly concentrated in the target regions. However, existing attack methods fool DNN models by global perturbations so that massive time and computing resources are allocated to design perturbations for low-relevance background regions, which is undoubtedly inefficient. Therefore, the vulnerability and inefficiency of adversarial attacks are pending to be solved in real-world implementations.

In this paper, we propose a semi-whitebox [32] attack network called Universal Local Adversarial Network (ULAN) to generate UAPs for target regions of SAR images. Specifically, we first calculate the model’s attention heatmaps through LRP to locate the target regions in SAR images that have high relevance to the recognition results. Then, we utilize U-Net [33] to learn the mapping from noise to UAPs and craft the adversarial examples by adding the generated local perturbations to the target regions. In this way, attackers can focus perturbations on the high-relevance target regions, which significantly improves the efficiency of adversarial attacks. Meanwhile, the proposed method also can make the adversarial perturbations be fed to the victim model as completely as possible, preventing perturbation offset to the greatest extent.

The main contributions of this paper are summarized as follows.

(1)

We are the first to evaluate the adversarial attacks against DNN-based SAR-ATR models in the case of perturbation offset and analyze the relevance of each pixel in SAR images to the recognition results. Our research reveals the vulnerability and inefficiency of existing adversarial attacks in SAR target recognition tasks.

(2)

This paper designs a generative network to craft UAPs for the target regions of SAR images under semi-white-box conditions. The proposed method requires model information only during the training phase. Once the network is trained and given inputs, it can generate adversarial examples in real time for the victim model through one-step forward mapping without requiring access to the model itself anymore. Thus, our method possesses higher application potential than traditional iterative methods.

(3)

Experiments indicate that the proposed method not only prevents perturbation offset effectively but also achieves comparable attack performance to the conventional global UAPs by perturbing only a quarter or less of the SAR image area. Furthermore, we evaluate the attack performance of ULAN under small sample conditions. The results show that given five images per class, our method can cause a misclassification rate of over 70% in non-targeted attacks and make the probability of victim models outputting specified results in targeted attacks close to 80%.

The rest of this paper is organized as follows. Section 2 introduces the relevant preparation knowledge. In Section 3, we describe the proposed method in detail. The experimental results are shown in Section 4. The discussions and conclusions are given in Section 5 and Section 6, respectively.

2. Preliminary

2.1. Universal Adversarial Perturbations for SAR Target Recognition

Suppose $x_n\in {[0,255]}^{W\times H}$ is an 8-bit gray-scale image from the SAR image dataset $\mathcal{X}$ and $f(·)$ is a DNN-based k-class SAR target recognition model without a softmax output layer. Given a sample $x_n$ as input to $f(·)$, the output is a k-dimensional logits vector $f\left(x_n\right)=[f{\left(x_n\right)}_1,f{\left(x_n\right)}_2,\dots ,f{\left(x_n\right)}_k]$, where $f{\left(x_n\right)}_i\in \mathbb{R}$ denotes the score of $x_n$ belonging to class i. Let $C_p={\arg \max }_i\left(f{\left(x_n\right)}_i\right)$ represent the predicted class of the model for $x_n$. The universal adversarial perturbation (UAP) is a single perturbation that attacks the model independently of the input data. In brief, for most of the samples in the dataset plus the UAP, the generated adversarial examples can easily fool the model as follows:

$$\mathrm{for}“\mathrm{most}”x_n\in \mathcal{X}\mathrm{s}.\mathrm{t}.\left\{\begin{array}{c}\underset{i}{\arg \max }\left(f{(x_n+\delta )}_i\right)\ne C_p\\ {∥\delta ∥}_p\le \xi \end{array}\right.$$

(1)

where $\delta$ is a UAP, the $L_p$-norm is defined as ${∥\delta ∥}_p={\left({\sum }_i{\left|{\delta }_i\right|}^p\right)}^{\frac{1}{p}}$, and $\xi$ controls the magnitude of $\delta$.

Meanwhile, adversarial attacks can be divided into non-targeted and targeted attacks in terms of attack modes. As the name suggests, the former makes DNN models misclassify, while the latter induces models to output specified results. From a military perspective, targeted attacks are more challenging and threatening than non-targeted attacks. In other words, UAPs can reduce the probability that DNN models correctly recognize samples in non-targeted attack scenarios; conversely, they increase the probability of models identifying samples as target classes in targeted attack scenarios. Therefore, we transform (1) into the following optimization problems:

• For non-targeted attacks:

  $$minimize(\frac{{\sum }_{n=1}^{N}D(\underset{i}{\arg \max }\left(f{(x_n+\delta )}_i\right)==C_{tr})}{N}),\mathrm{s}.\mathrm{t}.{∥\delta ∥}_p\le \xi$$

  (2)
• For targeted attacks:

  $$maximize(\frac{{\sum }_{n=1}^{N}D(\underset{i}{\arg \max }\left(f{(x_n+\delta )}_i\right)==C_{ta})}{N}),\mathrm{s}.\mathrm{t}.{∥\delta ∥}_p\le \xi$$

  (3)

where the discriminant function $D(·)$ equals one if the equation holds; otherwise, it equals zero. $C_{tr}$ and $C_{ta}$ represent the true and target classes of the input data. N is the total number of images in the dataset. By traversing all the samples in the dataset, (2) can design a minor $\delta$ to minimize the probability that DNN models correctly recognize samples in non-targeted attacks. In contrast, $\delta$, designed by (3), is used to maximize the probability of models identifying samples as target classes in targeted attacks. Obviously, the above optimization problems are exactly the opposite of a DNN’s training process, and the corresponding loss functions will be given in the next chapter.

2.2. Attention Heatmaps

When humans make judgments, they can reasonably allocate their attention to different features of an object and obtain the desired semantic information efficiently. Coincidentally, recent studies have shown that DNNs have similar characteristics when making decisions [30]. For example, in image classification tasks, the pixels surrounding target regions tend to have a much greater impact on the classification results than others. Researchers typically utilize attention heatmaps to visualize the contribution of each pixel to the network output.

Nowadays, many algorithms have been proposed to calculate DNNs’ attention heatmaps. In this paper, we employ layer-wise relevance propagation (LRP) [31] to obtain the pixel-wise attention heatmaps, which is actually a backward visualization method [34,35,36] that obtains a heatmap by calculating the relevance between adjacent layers from outputs to inputs. Figure A1 displays the heatmaps of six DNNs calculated by LRP. The results indicate that the hotspots are mainly concentrated in the target regions, and the heatmaps of different DNNs have similar structures, i.e., attention heatmaps may be the semantic features shared by DNNs. Destroying the common semantic feature of DNNs is a promising idea to enhance the transferability of adversarial examples. We will detail the principle of LRP in Section 3.2.

3. The Proposed Universal Local Adversarial Network (ULAN)

The framework of the Universal Local Adversarial Network (ULAN) is shown in Figure 2. To describe the training process of ULAN more clearly, we divide it into four steps. The first step uses a generator to learn the mapping from normal distribution noise into universal adversarial perturbations (UAPs). Next, the second step calculates the pixel-wise attention heatmaps of the surrogate model through layer-wise relevance propagation (LRP). Then, the third step utilizes UAPs and attention heatmaps to craft adversarial examples of SAR images. Finally, the fourth step computes the training loss and updates the generator’s parameters through backward propagation. Note that the victim model is a white box in the training phase, but in the testing phase it is a black box, and thus, we calculate the heatmap of the surrogate model as an alternative to the victim network’s heatmap. This chapter will introduce each of the above steps in detail.

3.1. Structure of Generative Network

In order to craft UAPs independently of the input data, this paper trains a generative network $G(·)$ to transform the normal distribution noise $\mathcal{Z}$ into a UAP $\delta$ as follows:

$$\delta =G\left(\mathcal{Z}\right),\mathcal{Z}\sim \mathcal{N}(0,1)$$

(4)

where $\mathcal{Z}$ and $\delta$ have the same size, denoted as $w\times h$. Meanwhile, we set the size of SAR images to $W\times H$. Since the generated $\delta$ is a local perturbation, the relationship between $w\times h$ and $W\times H$ is $w\times h\ll W\times H$.

The characteristics of SAR images should be taken into account when choosing the generative network. First of all, a SAR image mainly consists of the target and background clutter. Yet, the features that have great impact on the recognition results are mainly concentrated in the target region, which only occupies a tiny part of the SAR image. Second, compared to natural images, the professionalism and confidentiality of SAR images make them challenging to access. This means that we need to consider adversarial attacks under small sample conditions, so a lightweight generator is necessary to prevent network overfitting. In summary, this paper takes U-Net as the generator to craft UAPs.

Figure 3 shows the detailed U-Net structure. It was first proposed to segment biomedical images [33] and mainly consists of an encoder and a decoder. The encoder extracts features by down-sampling the input data, while the decoder recovers the data by up-sampling feature maps. The biggest difference between the U-Net and other common encoder-decoder models is that the former introduces a skip connection operation to fuse features from different layers. Specifically, both the encoder and the decoder consist of four sub-blocks. The encoder block contains two $3\times 3$ convolutional layers and a $2\times 2$ max-pooling layer, while the decoder block contains a $2\times 2$ transposed convolutional layer and two $3\times 3$ convolutional layers. Note that the last layer of the decoder utilizes a $1\times 1$ convolutional layer to make the number of input and output channels identical. The network parameters are given in

Table 1. The network parameters. Here, we set $w\times h$ to $32\times 32$ and abbreviate the combination of two convolutional layers as DoubleConv. The parameters of the convolutional layer represent the number of input and output channels and the kernel size, respectively. The parameter of the max-pooling layer represents the kernel size.

Layer	Shape
Input	$1\times 32\times 32$
DoubleConv($1,64,3$) + Max pool(2)	$64\times 16\times 16$
DoubleConv($64,128,3$) + Max pool(2)	$128\times 8\times 8$
DoubleConv($128,256,3$) + Max pool(2)	$256\times 4\times 4$
DoubleConv($256,512,3$) + Max pool(2)	$512\times 2\times 2$
DoubleConv($512,1024,3$)	$1024\times 2\times 2$
ConvTrans($1024,512,2$) + DoubleConv($1024,512,3$)	$512\times 4\times 4$
ConvTrans($512,256,2$) + DoubleConv($512,256,3$)	$256\times 8\times 8$
ConvTrans($256,128,2$) + DoubleConv($256,128,3$)	$128\times 16\times 16$
ConvTrans($128,64,2$) + DoubleConv($128,64,3$)	$64\times 32\times 32$
Conv($64,1,1$)	$1\times 32\times 32$

.

3.2. Layer-Wise Relevance Propagation (LRP)

To analyze the relevance of each pixel in SAR images to the recognition results, we must obtain the DNN model’s attention heatmaps first. In this paper, we apply layer-wise relevance propagation (LRP) [31], which takes as input the model’s logits outputs and outputs the pixel-wise attention heatmaps of the surrogate model $f_s(·)$. For an easy explanation, we suppose $f_s(·)$ is an l-layer DNN without the softmax output layer. Figure 4 illustrates the network’s forward propagation and LRP.

The left of Figure 4 shows a standard forward propagation, which takes a SAR image x as input and outputs a logits vector $f_s\left(x\right)$. A common mapping from one layer to the next one can be expressed as follows:

$$x_i^{(l-1)}=\sigma (z_i^{(l-1)})$$

(5)

$$z_{ij}^{(l-1)}=w_{ij}^{(l-1)}{x}_i^{(l-1)}$$

(6)

$$z_j^{\left(l\right)}=\sum _i{z}_{ij}^{(l-1)}+b_j^{\left(l\right)}$$

(7)

where $z_i^{(l-1)}$ and $x_i^{(l-1)}$ denote the pre-activation and post-activation of the corresponding node (the superscript and subscript denote layer and node indices, respectively), $\sigma (·)$ is an activation function, $w_{ij}^{(l-1)}$ and $z_{ij}^{(l-1)}$ can be understood as the weight and local pre-activation between nodes $x_i^{(l-1)}$ and $z_j^{\left(l\right)}$, and $b_j^{\left(l\right)}$ is a bias term. The activation function $\sigma (·)$ is usually nonlinear, such as the hyperbolic tangent $tanh$ or the rectification function $ReLU$, which can enhance the network’s representation capacity. Note that the input and output layers typically do not include activation functions, and the output $f_s\left(x\right)=[f_s{\left(x\right)}_1,f_s{\left(x\right)}_2,\dots ,f_s{\left(x\right)}_{N_l}]$ is a logits vector without softmax operations.

As for LRP, given a target class output $f_s{\left(x\right)}_j$ as input, its output is a pixel-wise attention heatmap reflecting the image regions most relevant to $f_s{\left(x\right)}_j$. Specifically, we sequentially decompose the relevance of each node for the target class output $f_s{\left(x\right)}_j$ from the neural network’s output layer to the input layer. Meanwhile, the backward propagation of the relevance must satisfy the following conservation property:

$$f_s{\left(x\right)}_j=R_j^{\left(l\right)}=\sum _i{R}_i^{(l-1)}=\dots =\sum _n{R}_n^{\left(1\right)}$$

(8)

A common decomposition is to allocate the relevance according to the ratio of local to global pre-activations in the forward propagation, as follows:

$$R_{i\leftarrow j}^{(l-1,l)}=\frac{z_{ij}^{(l-1)}}{z_j^{\left(l\right)}}·R_j^{\left(l\right)}$$

(9)

where $R_{i\leftarrow j}^{(l-1,l)}$ denotes the relevance assigned from node $R_j^{\left(l\right)}$ to node $R_i^{(l-1)}$. This decomposition can approximately satisfy the conservation property in (8):

$$\begin{array}{cc}\hfill \sum _i{R}_{i\leftarrow j}^{(l-1,l)}& =R_j^{\left(l\right)}·(1-\frac{b_j^{\left(l\right)}}{z_j^{\left(l\right)}})\hfill \\ \hfill & \approx R_j^{\left(l\right)}\hfill \end{array}$$

(10)

Additionally, considering that if $z_j^{\left(l\right)}$ goes to zero, then $R_{i\leftarrow j}^{(l-1,l)}$ will close to infinity, so (9) can be modified by introducing a stable term $ϵ\ge 0$ as follows:

$$R_{i\leftarrow j}^{(l-1,l)}=\frac{z_{ij}^{(l-1)}}{z_j^{\left(l\right)}+ϵ·sign(z_j^{\left(l\right)})}·R_j^{\left(l\right)}$$

(11)

In summary, we can calculate the relevance of each node for the target class output through the following recursion formula and backward-pass the relevance until reaching the input layer.

$$R_i^{(l-1)}=\sum _j\frac{z_{ij}^{(l-1)}}{z_j^{\left(l\right)}+ϵ·sign(z_j^{\left(l\right)})}·R_j^{\left(l\right)}$$

(12)

3.3. Adversarial Examples of SAR Images

To add the local perturbations generated in Section 3.1 to the target regions of SAR images, we determine the perturbation location through the attention heatmaps calculated by Section 3.2. Therefore, we take the attention heatmap centroid as the perturbation center and design a perturbation function to craft the adversarial examples.

First of all, the coordinates of the image centroid can be calculated by the following formula [37]:

$$(u_c,v_c)=(\frac{M_{10}}{M_{00}},\frac{M_{01}}{M_{00}})$$

(13)

where $M_{00}$ is the zero-order moment of the image, and $M_{10}$ and $M_{01}$ are the first-order moments of the image. This involves the calculation of higher-order moments, which are generally defined as:

$$M_{\alpha \beta }=\int \int u^{\alpha }{v}^{\beta }f(u,v)dudv$$

(14)

For a digital image, we regard the coordinates of the pixel as a two-dimensional random variable $(u,v)$, and the value of each pixel is regarded as the density of the point. Thus, a gray-scale image can be represented by a two-dimensional gray-scale density function $V(u,v)$, and its higher-order moments can be expressed as:

$$M_{\alpha \beta }=\sum _u\sum _{v}V(u,v)·u^{\alpha }·v^{\beta }$$

(15)

Note that the premise here is a two-dimensional gray-scale image, so we convert the attention heatmap $hmap$ to a single-channel gray-scale image first and then preprocess it with Gaussian blur and binarization algorithms [38].

Then, we take the attention heatmap centroid as the perturbation center, so the pixel coordinates corresponding to $\delta (0,0)$, i.e., the perturbation origin, can be derived as:

$$(u_o,v_o)=(u_c+\Delta u-⌊\frac{w}{2}⌋,v_c+\Delta v-⌊\frac{h}{2}⌋)$$

(16)

where w and h are the width and height of $\delta$, $⌊\frac{w}{2}⌋$ and $⌊\frac{h}{2}⌋$ represent the displacement difference between the perturbation center and the perturbation origin in the horizontal and vertical directions, and $⌊·⌋$ means rounding down. Meanwhile, this paper adds a two-dimensional random noise $(\Delta u,\Delta v)\sim \mathcal{U}(-5,5)$ on the centroid coordinates to improve the generalization of our attack.

Next, we add the UAP $\delta$ to the perturbed region through the following perturbation function. Let $Pert(u_o,v_o,\delta ,W,H)$ be a function that takes as input the perturbation origin coordinates $(u_o,v_o)$, a UAP $\delta$, and the size of SAR images $W\times H$ and outputs an adversarial perturbation ${\delta }^{\ast }\in {\mathbb{R}}^{W\times H}$ of the same size as SAR images, defined as:

$$\underset{0\le v\le H-1}{\underset{0\le u\le W-1}{{\delta }^{\ast }(u,v)}}=\left\{\begin{array}{cc}\delta (u-u_o,v-v_o)\hfill & ,\mathrm{if}\left\{\begin{array}{c}{u}_o\le u\le u_o+w-1\\ v_o\le v\le v_o+h-1\end{array}\right.\hfill \\ 0\hfill & ,\mathrm{otherwise}\hfill \end{array}\right.$$

(17)

In brief, the adversarial perturbation ${\delta }^{\ast }=Pert(u_o,v_o,\delta ,W,H)$ equals zero at all pixels except the pixels in the perturbed region.

Finally, the adversarial example $x^{\ast }$ can be expressed as:

$$x^{\ast }=Cli{p}_{[0,255]}(x+{\delta }^{\ast })$$

(18)

The clipping operation restricts the pixel values of $x^{\ast }$ to the interval of $[0,255]$, ensuring that $x^{\ast }$ is still an 8-bit gray-scale image.

3.4. Design of Loss Functions

To effectively fool the DNN model with a minor perturbation, we design a loss function ${\mathcal{L}}_t$ consisting of an attack loss ${\mathcal{L}}_a$ and a norm loss ${\mathcal{L}}_n$. This section will introduce them in detail.

For the non-targeted attack: In this paper, we design an attack loss ${\mathcal{L}}_a$ on the basis of the following standard cross-entropy loss.

$$\mathrm{loss}(f_v\left(x\right),C_{tr})=-\log \left(\frac{\exp \left(f_v{\left(x\right)}_{C_{tr}}\right)}{{\sum }_j\exp \left(f_v{\left(x\right)}_j\right)}\right)$$

(19)

where $f_v\left(x\right)$ is the logits output of the victim model. The above formula actually contains the following softmax operation:

$$\mathrm{softmax}\left(f_v{\left(x\right)}_i\right)=\left(\frac{\exp \left(f_v{\left(x\right)}_i\right)}{{\sum }_j\exp \left(f_v{\left(x\right)}_j\right)}\right)\in [0,1]$$

(20)

Obviously, the cross-entropy loss in (19) has been widely used in network training to improve the DNN model’s classification accuracy by increasing the confidence of true classes. Instead, according to (2), the non-targeted attack can minimize the classification accuracy by decreasing the confidence of true classes, i.e., increasing the confidence of others, and thus, the attack loss ${\mathcal{L}}_a$ can be expressed as:

$$\begin{array}{cc}\hfill {\mathcal{L}}_a(f_v\left(x^{\ast }\right),C_{tr})& =-\log \left(\frac{{\sum }_{j\ne C_{tr}}\exp \left(f_v{\left(x^{\ast }\right)}_j\right)}{{\sum }_j\exp \left(f_v{\left(x^{\ast }\right)}_j\right)}\right)\hfill \\ \hfill & =-\log \left(1-\frac{\exp \left(f_v{\left(x^{\ast }\right)}_{C_{tr}}\right)}{{\sum }_j\exp \left(f_v{\left(x^{\ast }\right)}_j\right)}\right)\hfill \end{array}$$

(21)

Meanwhile, a norm loss ${\mathcal{L}}_n$ is introduced to limit the perturbation magnitude. We use the traditional $L_p$-norm to measure the degree of image distortion as follows:

$$\begin{array}{cc}\hfill {\mathcal{L}}_n(x,x^{\ast })& ={∥x^{\ast }-x∥}_p\hfill \\ \hfill & ={(\sum _i{\left|\Delta x_i\right|}^p)}^{\frac{1}{p}}\hfill \end{array}$$

(22)

Then, we apply the linear weighted sum method to balance the relationship between ${\mathcal{L}}_a$ and ${\mathcal{L}}_n$, so the total loss ${\mathcal{L}}_t$ can be represented as:

$$\begin{array}{cc}\hfill {\mathcal{L}}_t& ={\mathcal{L}}_a(f_v\left(x^{\ast }\right),C_{tr})+\omega ·{\mathcal{L}}_n(x,x^{\ast })\hfill \\ \hfill & =\omega ·{∥x^{\ast }-x∥}_p-\log \left(1-\frac{\exp \left(f_v{\left(x^{\ast }\right)}_{C_{tr}}\right)}{{\sum }_j\exp \left(f_v{\left(x^{\ast }\right)}_j\right)}\right)\hfill \end{array}$$

(23)

where $\omega \ge 0$ is a constant that measures the relative importance of the attack’s effectiveness and the attack’s stealthiness.

For the targeted attack: According to (3), a targeted attack aims to maximize the probability that the victim model recognizes samples as target classes. In other words, we need to increase the confidence of target classes. Thus, the attack loss ${\mathcal{L}}_a$ of targeted attacks can be expressed as:

$${\mathcal{L}}_a(f_v\left(x^{\ast }\right),C_{ta})=-\log \left(\frac{\exp \left(f_v{\left(x^{\ast }\right)}_{C_{ta}}\right)}{{\sum }_j\exp \left(f_v{\left(x^{\ast }\right)}_j\right)}\right)$$

(24)

The norm loss ${\mathcal{L}}_n$ is the same as (22), so the total loss ${\mathcal{L}}_t$ of the targeted attack can be derived as follows:

$$\begin{array}{cc}\hfill {\mathcal{L}}_t& ={\mathcal{L}}_a(f_v\left(x^{\ast }\right),C_{ta})+\omega ·{\mathcal{L}}_n(x,x^{\ast })\hfill \\ \hfill & =\omega ·{∥x^{\ast }-x∥}_p-\log \left(\frac{\exp \left(f_v{\left(x^{\ast }\right)}_{C_{ta}}\right)}{{\sum }_j\exp \left(f_v{\left(x^{\ast }\right)}_j\right)}\right)\hfill \end{array}$$

(25)

4. Experiments

4.1. Dataset and Implementation Details

4.1.1. Dataset

The moving and stationary target acquisition and recognition (MSTAR) dataset [39] published by the U.S. Defense Advanced Research Projects Agency (DARPA) is employed in our experiments. MSTAR is collected by the high-resolution spotlight SAR and contains SAR images of Soviet military vehicle targets at different azimuth and depression angles. All the experiments were performed under standard operating conditions (SOC), which included ten ground target classes, such as self-propelled howitzers (2S1); infantry fighting vehicles (BMP2); armored reconnaissance vehicles (BRDM2); wheeled armored transport vehicles (BTR60, BTR70); bulldozers (D7); main battle tanks (T62, T72); cargo trucks (ZIL131); and self-propelled artillery (ZSU234). The training dataset contains 2747 images collected at a 17° depression angle, and the testing dataset contains 2426 images captured at a 15° depression angle. More details about the dataset are shown in

Table A1. Details of MSTAR under SOC, including target class, serial, depression angle, and sample numbers.

Target Class	Serial	Training Data		Testing Data
		Depression Angle	Number	Depression Angle	Number
2S1	b01	${17}^{°}$	299	${15}^{°}$	274
BMP2	9566	${17}^{°}$	233	${15}^{°}$	196
BRDM2	E-71	${17}^{°}$	298	${15}^{°}$	274
BTR60	k10yt7532	${17}^{°}$	256	${15}^{°}$	195
BTR70	c71	${17}^{°}$	233	${15}^{°}$	196
D7	92v13015	${17}^{°}$	299	${15}^{°}$	274
T62	A51	${17}^{°}$	299	${15}^{°}$	273
T72	132	${17}^{°}$	232	${15}^{°}$	196
ZIL131	E12	${17}^{°}$	299	${15}^{°}$	274
ZSU234	d08	${17}^{°}$	299	${15}^{°}$	274

, and Figure A2 shows the optical images and corresponding SAR images of ten ground target classes.

4.1.2. Implementation Details

Due to the different sizes of SAR images in MSTAR, we first center-cropped the images to $128\times 128$. In practice, however, the target is not necessarily located in the center of the SAR image. Thus, we randomly cropped the cropped images to $88\times 88$ again and finally normalized them to $\mathcal{N}(0,1)$. For the victim models, we adopted six common DNNs, A-ConvNets-BN [40], VGG16-BN [41], GoogLeNet [42], InceptionV3 [43], ResNet50 [44], and ResNeXt50 [45], which were trained on the MSTAR dataset and had a classification accuracy of over $97\%$. The surrogate model employed a well-trained VGG16-BN network to approximate the pixel-wise attention heatmap of the victim model. During the training phase, we formed the validation dataset by uniformly sampling $10\%$ of data from the training dataset and used the Adam optimizer [46] with a learning rate of $0.001$, a training epoch of 15, and a training batch size of 32. The size of UAPs defaults to $44\times 44$, the norm type defaults to the $L_2$-norm, and the weight coefficient $\omega$ defaults to $0.5$. The above parameter settings have been experimentally proven to achieve excellent attack performance. We will discuss the influence of parameters on UAPs in Section 4.7.

Considering that most of the current research aims to craft global adversarial perturbations for SAR images, few scholars have focused on universal or local perturbations. Therefore, in the comparative experiments, we took the methods proposed in [20,47] as baselines to compare with ULAN. Note that baseline methods generate global UAPs for SAR images, while our method only needs to perturb local regions. All codes were written in Pytorch, and the experimental environment consisted of Windows 10 with an NVIDIA GeForce RTX 2080 Ti GPU and a $3.6$ GHz Intel Core i9-9900K CPU).

4.2. Evaluation Metrics

This paper takes into account two factors to comprehensively evaluate the performance of adversarial attacks: the attack’s effectiveness and the attack’s stealthiness. In the experiments, we crafted adversarial examples for all samples in the SAR image dataset, so the victim model’s classification accuracy directly reflects the attack effectiveness of UAPs:

$$\mathrm{Acc}=\left\{\begin{array}{cc}\frac{{\sum }_{n=1}^{N}D\left(\underset{i}{\arg \max }\left(f{(x_n+\delta )}_i\right)==C_{tr}\right)}{N}\hfill & \text{Non-targeted}\mathrm{Attack}\hfill \\ \frac{{\sum }_{C_{ta}=1}^k{\sum }_{n=1}^{N}D\left(\underset{i}{\arg \max }\left(f{(x_n+\delta )}_i\right)==C_{ta}\right)}{k \times N}\hfill & \mathrm{Targeted}\mathrm{Attack}\hfill \end{array}\right.$$

(26)

where $C_{tr}$ and $C_{ta}$ represent the true and target classes of the input data, k is the number of target classes, and $D(·)$ is a discriminant function. In non-targeted attacks, the Acc metric reflects the probability that victim models correctly recognize adversarial examples. The lower the classification accuracy of the victim model on adversarial examples, the better the non-targeted attacks. In targeted attacks, the Acc metric represents the probability of victim models identifying adversarial examples as target classes. The higher the Acc metric, the stronger the targeted attacks. In conclusion, the non-targeted attack’s effectiveness is inversely proportional to the Acc metric, and the targeted attack’s effectiveness is proportional to this metric. Moreover, to verify the reliability of attacks, we also compared the confidence level of target classes before and after the attack.

When evaluating the attack stealthiness, in addition to using the $L_p$-norm to measure the degree of image distortion, we also introduced the structural similarity (SSIM) [48], a metric more in line with human visual perception, for a more objective evaluation, defined as:

$$\mathrm{SSIM}=\frac{1}{N}\sum _{n=1}^N\frac{(2{\mu }_{x_n}{\mu }_{x_n^{\ast }}+C_1)(2{\sigma }_{x_n{x}_n^{\ast }}+C_2)}{({\mu }_{x_n}^2+{\mu }_{x_n^{\ast }}^2+C_1)({\sigma }_{x_n}^2+{\sigma }_{x_n^{\ast }}^2+C_2)}$$

(27)

where $x_n^{\ast }=(x_n+\delta )$ is the adversarial example of $x_n$, ${\mu }_{x_n}$, ${\mu }_{x_n^{\ast }}$ and ${\sigma }_{x_n}$, ${\sigma }_{x_n^{\ast }}$ are the mean and standard deviation of the corresponding image, ${\sigma }_{x_n{x}_n^{\ast }}$ is the covariance, and $C_1$, $C_2$ are the constants used to keep the metric stable. Equation (27) calculates the mean of the SSIM value between all the samples in the dataset and the corresponding adversarial examples, which ranges from $-1$ to 1. The higher the SSIM, the more imperceptible the UAPs, and the better the attack’s stealthiness is.

4.3. Attention Heatmaps for DNN-Based SAR Target Recognition Models

For the six victim models mentioned in Section 4.1.2, given ten SAR images from different target classes as input, they all correctly classified the targets with high confidence. Then, we calculated pixel-wise attention heatmaps for the victim models by LRP, as shown in Figure A3. The results are similar to the natural image in Figure A1, i.e., the pixels that have a great impact on the SAR image classifiers are mainly concentrated in the target regions. Furthermore, we found that the attention heatmaps of different models have similar structures, which proves the feasibility of our method. Specifically, since the victim model is a black box in the testing phase, attackers are unable to directly obtain its attention heatmaps through LRP. However, due to the similarity of attention heatmaps between different DNN models, we can calculate a white-box surrogate model’s attention heatmap as an alternative. Meanwhile, since the attention heatmap of VGG16-BN best matches the target shape and has the clearest boundary, the surrogate model adopts a well-trained VGG16-BN network to approximate the attention heatmap of the victim model.

4.4. Adversarial Attacks without Perturbation Offset

In this experiment, we evaluated the non-targeted and targeted attack performance of each method without perturbation offset. Specifically, we first cropped the SAR images to $88\times 88$, as mentioned in Section 4.1.2, and then crafted adversarial examples by adding well-designed perturbations to the cropped images, which ensured that the perturbations could be fully fed to the victim model. Note that the structures and parameters of the model were known in the training phase, while these details were unavailable in the testing phase. Moreover, we emphasize that the UAPs generated by baseline methods cover the global SAR images, but our method only needs to perturb target regions. The results of the non-targeted and targeted attacks are shown in

Table 2. Non-targeted attacks of ULAN (ours), UAN [20], U-Net, and ResNet Generator [47] against DNN models on the MSTAR dataset. We report attack results on the testing dataset.

Method	Victim	Acc			Confidence			${\mathit{L}}_2$-Norm	SSIM
		Clean	Adv	Gap	Clean	Adv	Gap
	A-Conv	98.19%	31.53%	−66.66%	0.93	0.31	−0.62	2.03	0.96
	VGG16	96.17%	16.94%	−79.23%	0.95	0.17	−0.78	2.45	0.95
	GoogLeNet	97.28%	16.90%	−80.38%	0.96	0.17	−0.79	3.11	0.95
ULAN	InceptionV3	92.91%	23.00%	−69.91%	0.91	0.23	−0.68	2.30	0.96
	ResNet50	96.17%	16.08%	−80.09%	0.96	0.16	−0.80	3.65	0.94
	ResNeXt50	96.37%	17.35%	−79.02%	0.96	0.18	−0.78	3.84	0.94
	Mean	96.18%	20.30%	−75.88%	0.95	0.20	−0.74	2.90	0.95
	A-Conv	98.23%	29.06%	−69.17%	0.94	0.29	−0.65	2.54	0.93
	VGG16	95.75%	10.47%	−85.28%	0.95	0.11	−0.84	3.63	0.86
	GoogLeNet	97.11%	11.91%	−85.20%	0.96	0.12	−0.84	3.68	0.88
UAN	InceptionV3	92.87%	14.59%	−78.28%	0.92	0.15	−0.77	2.64	0.93
	ResNet50	96.21%	14.39%	−81.82%	0.96	0.14	−0.82	5.57	0.73
	ResNeXt50	96.78%	10.96%	−85.82%	0.96	0.11	−0.85	4.56	0.82
	Mean	96.16%	15.23%	−80.93%	0.95	0.15	−0.80	3.77	0.86
	A-Conv	98.52%	28.07%	−70.45%	0.94	0.28	−0.66	2.33	0.95
	VGG16	95.59%	12.94%	−82.65%	0.94	0.13	−0.81	2.68	0.93
	GoogLeNet	97.32%	15.87%	−81.45%	0.97	0.17	−0.80	2.87	0.93
U-Net	InceptionV3	93.16%	22.59%	−70.57%	0.92	0.21	−0.71	2.30	0.95
	ResNet50	95.67%	19.95%	−75.72%	0.95	0.20	−0.75	3.57	0.91
	ResNeXt50	96.58%	13.27%	−83.31%	0.96	0.14	−0.82	3.43	0.91
	Mean	96.14%	18.78%	−77.36%	0.95	0.19	−0.76	2.86	0.93
	A-Conv	98.06%	35.04%	−63.02%	0.93	0.33	−0.60	2.07	0.94
	VGG16	95.63%	18.51%	−77.12%	0.95	0.18	−0.77	4.34	0.82
	GoogLeNet	97.32%	19.62%	−77.70%	0.97	0.20	−0.77	2.67	0.94
ResG	InceptionV3	93.45%	21.48%	−71.97%	0.92	0.21	−0.71	2.66	0.93
	ResNet50	96.08%	35.00%	−61.08%	0.96	0.35	−0.61	3.70	0.91
	ResNeXt50	96.70%	17.52%	−79.18%	0.96	0.18	−0.78	3.19	0.92
	Mean	96.21%	24.53%	−71.68%	0.95	0.24	−0.71	3.11	0.91

and

Table 3. Targeted attacks of ULAN (ours), UAN [20], U-Net, and ResNet Generator [47] against DNN models on the MSTAR dataset. We report attack results on the testing dataset.

Method	Victim	Acc			Confidence			${\mathit{L}}_2$-Norm	SSIM
		Clean	Adv	Gap	Clean	Adv	Gap
	A-Conv	9.99%	85.45%	+75.46%	0.10	0.81	+0.71	4.28	0.90
	VGG16	9.98%	90.21%	+80.23%	0.10	0.89	+0.79	4.71	0.90
	GoogLeNet	10.02%	81.65%	+71.63%	0.10	0.80	+0.70	4.47	0.92
ULAN	InceptionV3	10.05%	80.06%	+70.01%	0.10	0.79	+0.69	4.08	0.93
	ResNet50	9.95%	85.31%	+75.36%	0.10	0.84	+0.74	5.54	0.90
	ResNeXt50	9.98%	86.53%	+76.55%	0.10	0.86	+0.76	5.15	0.90
	Mean	10.00%	84.87%	+74.87%	0.10	0.83	+0.73	4.71	0.91
	A-Conv	9.97%	90.73%	+80.76%	0.10	0.87	+0.77	3.56	0.88
	VGG16	10.02%	93.84%	+83.82%	0.10	0.93	+0.83	4.99	0.80
	GoogLeNet	10.03%	90.70%	+80.67%	0.10	0.90	+0.80	4.80	0.85
UAN	InceptionV3	9.98%	91.10%	+81.12%	0.10	0.90	+0.80	4.87	0.84
	ResNet50	10.09%	90.41%	+80.32%	0.10	0.90	+0.80	5.46	0.80
	ResNeXt50	9.98%	91.77%	+81.79%	0.10	0.91	+0.81	5.60	0.79
	Mean	10.01%	91.43%	+81.41%	0.10	0.90	+0.80	4.88	0.83
	A-Conv	9.99%	91.63%	+81.64%	0.10	0.88	+0.78	3.71	0.87
	VGG16	10.02%	94.15%	+84.13%	0.10	0.93	+0.83	5.09	0.82
	GoogLeNet	10.00%	91.33%	+81.33%	0.10	0.89	+0.79	4.64	0.88
U-Net	InceptionV3	9.95%	91.77%	+81.82%	0.10	0.90	+0.80	4.91	0.87
	ResNet50	10.01%	87.58%	+77.57%	0.10	0.87	+0.77	5.34	0.83
	ResNeXt50	10.00%	91.88%	+81.88%	0.10	0.91	+0.81	5.28	0.83
	Mean	10.00%	91.39%	+81.40%	0.10	0.90	+0.80	4.83	0.85
	A-Conv	9.98%	90.23%	+80.25%	0.10	0.87	+0.77	3.94	0.87
	VGG16	10.05%	88.19%	+78.14%	0.10	0.86	+0.76	7.25	0.69
	GoogLeNet	10.02%	77.74%	+67.72%	0.10	0.77	+0.67	4.99	0.83
ResG	InceptionV3	9.90%	84.27%	+74.37%	0.10	0.82	+0.72	4.99	0.84
	ResNet50	10.04%	88.08%	+78.04%	0.10	0.87	+0.77	6.70	0.75
	ResNeXt50	9.98%	83.89%	+73.91%	0.10	0.83	+0.73	6.73	0.75
	Mean	10.00%	85.40%	+75.41%	0.10	0.84	+0.74	5.77	0.79

, respectively. There are four metrics in the table to evaluate the attack performance: the classification accuracy and target class confidence before and after the attack, the $L_2$-norm of image distortion, and the SSIM between clean and adversarial examples.

In the non-targeted attack, the classification accuracy of each DNN model on the testing dataset exceeds $95\%$, and the true class confidence is over $0.9$. However, after the attack, the average decrease in the classification accuracy exceeds $70\%$, and the maximum drop in the true class confidence reaches $0.85$. From the perspective of attack effectiveness, the UAN performs the best, followed by ULAN and U-Net, and the worst is the ResNet Generator. Yet, the biggest drawback of baseline methods is that they need to perturb the global regions of size $88\times 88$, but our method perturbs the target regions of size $44\times 44$. Even though ULAN only perturbs a quarter of the SAR image area, it achieves comparable attack performance to the global UAPs. We speculate the reason is that the features within target regions have stronger relevance with the recognition results than others, so a focused perturbation on the target region is more efficient than a global perturbation. In terms of the attack’s stealthiness, Table 2 lists the $L_2$-norm value of image distortion caused by each method and the SSIM between the adversarial examples and clean SAR images. An interesting phenomenon is that sometimes ULAN causes a larger image distortion but still performs better on the SSIM metric than baseline methods. We attribute this to the fact that the human eye is more sensitive to large-range minor perturbations than small-range focused ones, resulting in the superior performance of our method on the SSIM metric. It also illustrates that local perturbations can enhance the imperceptibility of adversarial attacks.

In the targeted attack, we regard the target category as the correct class, so the classification accuracy of DNN models on the testing dataset reflects the data distribution, i.e., each category accounts for about one-tenth of the total dataset. According to Table 3, adversarial examples lead to a sharp rise in the Acc metric, the average increase reaches $75\%$, and the maximum rise of the true class confidence exceeds $0.8$. This means that the generated UAPs can induce DNN models to output specified results with high confidence. In general, ULAN is slightly inferior to UAN and U-Net regarding the attack’s effectiveness but performs much better than baseline methods on the attack’s stealthiness. Thus, we believe that given a fixed SSIM value, ULAN can achieve the best attack performance.

To visualize the adversarial examples generated by different methods, we take the VGG16-BN-based SAR-ATR model as the victim network and display the adversarial examples for the non-targeted and targeted attacks in Figure 5 and Figure 6, respectively. We list the prediction and confidence output by the victim model at the top of each adversarial example, and the bottom of each figure shows the sizes of the corresponding image and perturbation. As we can see, the UAPs generated by baseline methods fully cover the SAR images fed to the model, while ULAN can locate and perturb the target (green box) region effectively. Meanwhile, according to Figure 5 and Figure 6, there are apparent shadow and texture traces in the adversarial examples crafted by baseline methods, which also suggests that the global perturbations are more perceptible than the local ones. In summary, compared to baseline methods, our method can achieve good attack performance with smaller perturbed regions and lower perceptions.

4.5. Adversarial Attacks with Perturbation Offset

We now evaluate the adversarial attacks in the case of perturbation offset. Specifically, we first recover the adversarial examples generated in Section 4.4 to $128\times 128$ and next obtain the input data by randomly cropping the recovered images to $88\times 88$ again. In this way, we cause a mismatch between the input and perturbed regions. As shown in Figure 1, the input and perturbed regions correspond to the red and green box regions such that the adversarial perturbations cannot be fed to the victim model completely, and thus, the perturbation offset condition is constructed. The results of non-targeted and targeted attacks in the case of perturbation offset are shown in

Table 4. Non-targeted attacks of ULAN (ours), UAN [20], U-Net, and ResNet Generator [47] against DNN models on the MSTAR datset in the case of perturbation offset. We report attack results on the testing dataset.

Method	Victim	Acc			Confidence
		No-Offset	Offset	Gap	No Offset	Offset	Gap
	A-Conv	31.53%	32.09%	+0.56%	0.31	0.33	+0.02
	VGG16	16.94%	17.31%	+0.37%	0.17	0.18	+0.01
	GoogLeNet	16.90%	18.92%	+2.02%	0.17	0.19	+0.02
ULAN	InceptionV3	23.00%	23.50%	+0.50%	0.23	0.24	+0.01
	ResNet50	16.08%	16.24%	+0.16%	0.16	0.16	+0.00
	ResNeXt50	17.35%	17.44%	+0.09%	0.18	0.18	+0.00
	Mean	20.30%	20.92%	+0.62%	0.20	0.21	+0.01
	A-Conv	29.06%	59.65%	+30.59%	0.29	0.53	+0.24
	VGG16	10.47%	26.26%	+15.79%	0.11	0.26	+0.15
	GoogLeNet	11.91%	40.40%	+28.49%	0.12	0.39	+0.27
UAN	InceptionV3	14.59%	36.31%	+21.72%	0.15	0.35	+0.20
	ResNet50	14.39%	23.87%	+9.48%	0.14	0.24	+0.10
	ResNeXt50	10.96%	41.59%	+30.63%	0.11	0.41	+0.30
	Mean	15.23%	38.01%	+22.78%	0.15	0.36	+0.21
	A-Conv	28.07%	51.48%	+23.41%	0.28	0.47	+0.19
	VGG16	12.94%	46.25%	+33.31%	0.13	0.46	+0.33
	GoogLeNet	15.87%	43.57%	+27.70%	0.17	0.43	+0.26
U-Net	InceptionV3	22.59%	46.17%	+23.58%	0.21	0.44	+0.23
	ResNet50	19.95%	50.62%	+30.67%	0.20	0.50	+0.30
	ResNeXt50	13.27%	46.21%	+32.94%	0.14	0.46	+0.32
	Mean	18.78%	47.38%	+28.60%	0.19	0.46	+0.27
	A-Conv	35.04%	60.10%	+25.06%	0.33	0.55	+0.22
	VGG16	18.51%	29.39%	+10.88%	0.18	0.29	+0.11
	GoogLeNet	19.62%	48.76%	+29.14%	0.20	0.48	+0.28
ResG	InceptionV3	21.48%	39.20%	+17.72%	0.21	0.38	+0.17
	ResNet50	35.00%	51.65%	+16.65%	0.35	0.51	+0.16
	ResNeXt50	17.52%	57.05%	+39.53%	0.18	0.56	+0.38
	Mean	24.53%	47.69%	+23.16%	0.24	0.46	+0.22

and

Table 5. Targeted attacks of ULAN (ours), UAN [20], U-Net, and ResNet Generator [47] against DNN models on the MSTAR dataset in the case of perturbation offset. We report attack results on the testing dataset.

Method	Victim	Acc			Confidence
		No-Offset	Offset	Gap	No Offset	Offset	Gap
	A-Conv	85.45%	82.23%	−3.22%	0.81	0.79	−0.02
	VGG16	90.21%	86.72%	−3.49%	0.89	0.86	−0.03
	GoogLeNet	81.65%	78.71%	−2.94%	0.80	0.78	−0.02
ULAN	InceptionV3	80.06%	73.54%	−6.52%	0.79	0.72	−0.07
	ResNet50	85.31%	82.32%	−2.99%	0.84	0.81	−0.03
	ResNeXt50	86.53%	82.82%	−3.71%	0.86	0.82	−0.04
	Mean	84.87%	81.06%	−3.81%	0.83	0.80	−0.04
	A-Conv	90.73%	43.80%	−46.93%	0.87	0.42	−0.45
	VGG16	93.84%	56.72%	−37.12%	0.93	0.56	−0.37
	GoogLeNet	90.70%	49.18%	−41.52%	0.90	0.49	−0.41
UAN	InceptionV3	91.10%	41.56%	−49.54%	0.90	0.41	−0.49
	ResNet50	90.41%	43.48%	−46.93%	0.90	0.43	−0.47
	ResNeXt50	91.77%	50.22%	−41.55%	0.91	0.50	−0.41
	Mean	91.43%	47.49%	−43.93%	0.90	0.47	−0.43
	A-Conv	91.63%	45.49%	−46.14%	0.88	0.43	−0.45
	VGG16	94.15%	58.46%	−35.69%	0.93	0.58	−0.35
	GoogLeNet	91.33%	44.81%	−46.52%	0.89	0.44	−0.45
U-Net	InceptionV3	91.77%	44.46%	−47.31%	0.90	0.44	−0.46
	ResNet50	87.58%	40.07%	−47.51%	0.87	0.40	−0.47
	ResNeXt50	91.88%	50.59%	−41.29%	0.91	0.50	−0.41
	Mean	91.39%	47.31%	−44.08%	0.90	0.47	−0.43
	A-Conv	90.23%	44.28%	−45.95%	0.87	0.42	−0.45
	VGG16	88.19%	51.23%	−36.96%	0.86	0.51	−0.35
	GoogLeNet	77.74%	46.76%	−30.98%	0.77	0.46	−0.31
ResG	InceptionV3	84.27%	42.35%	−41.92%	0.82	0.41	−0.41
	ResNet50	88.08%	46.32%	−41.76%	0.87	0.46	−0.41
	ResNeXt50	83.89%	41.28%	−42.61%	0.83	0.41	−0.42
	Mean	85.40%	45.37%	−40.03%	0.84	0.45	−0.39

, respectively.

The experimental results suggest that perturbation offset severely impacts the attack performance of baseline methods. In non-targeted attacks, the Acc metric of baseline methods deteriorates rapidly, the average increase exceeds $20\%$, and the maximum increase in true class confidence reaches $0.4$. A similar situation also occurs in targeted attacks, where the UAPs generated by baseline methods are likely to be ineffective in the case of perturbation offset. The average decrease of the Acc metric exceeds $40\%$, and the maximum drop in the target class confidence reaches $0.5$. In contrast, the attack performance of our method is hardly affected under the same experiment condition. Detailed experimental data are displayed in Table 4 and Table 5.

In summary, the global UAPs generated by baseline methods are vulnerable to perturbation offset. They might be ineffective unless the victim model accurately takes the perturbed region as input. However, the local perturbations generated by ULAN only cover the target regions of SAR images so that they can be fed to the model as completely as possible regardless of the input regions, which effectively prevents perturbation offset.

4.6. Adversarial Attacks under Small Sample Conditions

Thus far, we have assumed attackers share full access to any images used to train the victim model. However, the professionalism and confidentiality of SAR images make them challenging to access in practice. In other words, it is difficult for attackers to obtain sufficient data to support the training of attack networks. Therefore, we now evaluate the adversarial attacks under stronger assumptions of attacker access to training data.

We consider an extreme situation where attack networks are trained on a subset containing only 50 samples (5 per class). Specifically, we uniformly sample 50 images from the full training dataset to form the subset and compare the attack performance of attack networks trained on the subset and full training dataset against different DNN models. The results of non-targeted and targeted attacks based on different size datasets are shown in

Table 6. Non-targeted attacks of ULAN (ours), UAN [20], U-Net, and ResNet Generator [47] against DNN models on the MSTAR dataset under small sample conditions. We report attack results on the testing dataset.

Method	Victim	Acc			SSIM
		Full Dataset	Subset	Gap	Full Dataset	Subset	Gap
	A-Conv-BN	31.53%	27.78%	−3.75%	0.96	0.94	−0.02
	VGG16-BN	16.94%	25.68%	+8.74%	0.95	0.91	−0.04
	GoogLeNet	16.90%	17.23%	+0.33%	0.95	0.95	0.00
ULAN	InceptionV3	23.00%	19.50%	−3.50%	0.96	0.95	−0.01
	ResNet50	16.08%	17.11%	+1.03%	0.94	0.93	−0.01
	ResNeXt50	17.35%	23.41%	+6.06%	0.94	0.92	−0.02
	Mean	20.30%	21.79%	+1.49%	0.95	0.93	−0.02
	A-Conv-BN	29.06%	26.67%	−2.39%	0.93	0.78	−0.15
	VGG16-BN	10.47%	20.77%	+10.30%	0.86	0.55	−0.31
	GoogLeNet	11.91%	18.63%	+6.72%	0.88	0.66	−0.22
UAN	InceptionV3	14.59%	21.52%	+6.93%	0.93	0.83	−0.10
	ResNet50	14.39%	15.38%	+0.99%	0.73	0.63	−0.10
	ResNeXt50	10.96%	14.92%	+3.96%	0.82	0.62	−0.20
	Mean	15.23%	19.65%	+4.42%	0.86	0.68	−0.18
	A-Conv-BN	28.07%	26.75%	−1.32%	0.95	0.95	0.00
	VGG16-BN	12.94%	28.40%	+15.46%	0.93	0.90	−0.03
	GoogLeNet	15.87%	12.61%	−3.26%	0.93	0.89	−0.04
U-Net	InceptionV3	22.59%	16.16%	−6.43%	0.95	0.93	−0.02
	ResNet50	19.95%	17.64%	−2.31%	0.91	0.77	−0.14
	ResNeXt50	13.27%	11.54%	−1.73%	0.91	0.89	−0.02
	Mean	18.78%	18.85%	+0.07%	0.93	0.89	−0.04
	A-Conv-BN	35.04%	42.25%	+7.21%	0.94	0.88	−0.06
	VGG16-BN	18.51%	18.01%	−0.50%	0.82	0.86	+0.04
	GoogLeNet	19.62%	10.63%	−8.99%	0.94	0.85	−0.09
ResG	InceptionV3	21.48%	59.40%	+37.92%	0.93	0.93	0.00
	ResNet50	35.00%	20.20%	−14.80%	0.91	0.86	−0.05
	ResNeXt50	17.52%	12.16%	−5.36%	0.92	0.80	−0.12
	Mean	24.53%	27.11%	+2.58%	0.91	0.86	−0.05

and

Table 7. Targeted attacks of ULAN (ours), UAN [20], U-Net, and ResNet Generator [47] against DNN models on the MSTAR dataset under small sample conditions. We report attack results on the testing dataset.

Method	Victim	Acc			SSIM
		Full Dataset	Subset	Gap	Full Dataset	Subset	Gap
	A-Conv-BN	85.45%	77.77%	−7.68%	0.90	0.90	0.00
	VGG16-BN	90.21%	80.08%	−10.13%	0.90	0.89	−0.01
	GoogLeNet	81.65%	80.75%	−0.90%	0.92	0.91	−0.01
ULAN	InceptionV3	80.06%	73.38%	−6.68%	0.93	0.92	−0.01
	ResNet50	85.31%	75.32%	−9.99%	0.90	0.90	0.00
	ResNeXt50	86.53%	80.39%	−6.14%	0.90	0.90	0.00
	Mean	84.87%	77.95%	−6.92%	0.91	0.90	−0.01
	A-Conv-BN	90.73%	86.29%	−4.44%	0.88	0.80	−0.08
	VGG16-BN	93.84%	92.56%	−1.28%	0.80	0.59	−0.21
	GoogLeNet	90.70%	89.46%	−1.24%	0.85	0.70	−0.15
UAN	InceptionV3	91.10%	89.21%	−1.89%	0.84	0.71	−0.13
	ResNet50	90.41%	88.58%	−1.83%	0.80	0.60	−0.20
	ResNeXt50	91.77%	90.11%	−1.66%	0.79	0.61	−0.18
	Mean	91.43%	89.37%	−2.06%	0.83	0.67	−0.16
	A-Conv-BN	91.63%	88.64%	−2.99%	0.87	0.86	−0.01
	VGG16-BN	94.15%	85.56%	−8.59%	0.82	0.73	−0.09
	GoogLeNet	91.33%	85.84%	−5.49%	0.88	0.81	−0.07
U-Net	InceptionV3	91.77%	89.06%	−2.71%	0.87	0.79	−0.08
	ResNet50	87.58%	82.77%	−4.81%	0.83	0.77	−0.06
	ResNeXt50	91.88%	71.81%	−20.07%	0.83	0.74	−0.09
	Mean	91.39%	83.95%	−7.44%	0.85	0.78	−0.07
	A-Conv-BN	90.23%	83.79%	−6.44%	0.87	0.80	−0.07
	VGG16-BN	88.19%	72.38%	−15.81%	0.69	0.31	−0.38
	GoogLeNet	77.74%	57.79%	−19.95%	0.83	0.71	−0.12
ResG	InceptionV3	84.27%	79.72%	−4.55%	0.84	0.69	−0.15
	ResNet50	88.08%	70.97%	−17.11%	0.75	0.63	−0.12
	ResNeXt50	83.89%	72.61%	−11.28%	0.75	0.62	−0.13
	Mean	85.40%	72.88%	−12.52%	0.79	0.63	−0.16

, respectively.

As we can see, the reduction in training data seriously impacts the attack performance of the UAN and ResNet Genenrator. Although a slight deterioration in the Acc metric can be tolerated, the average decrease in the SSIM metric is nearly $0.2$. This means that the above methods severely sacrifice the attack’s stealthiness for better attack effectiveness, which makes the generated adversarial examples easily detected by defenders. However, ULAN and U-Net still maintain good attack effectiveness and stealthiness under small sample conditions. The average change in the Acc metric in both attack modes is less than $8\%$, and the mean decrease in the SSIM metric is within $0.07$.

The reasons for the above results might be due to the skip connection structure of the network and the fixation structure of the SAR image. The decoder of ULAN and U-Net fuses the features from different layers through the skip connection structure, which can help the generator learn the data distribution sufficiently. Moreover, the low dependence on the training data can also be attributed to the fixation structure of the SAR image itself such that its semantic features are more easily extracted and represented than natural images. Thus, our approach can work well in the situation where attackers have difficulty obtaining sufficient training data.

4.7. Influence of Parameters

This section evaluates the attack performance of ULAN trained on different parameter settings, providing guidance for attackers to achieve superior attack performance. The parameters mainly include the perturbation size $w\times h$, the weight coefficient $\omega$, and the type of $L_p$-norm.

4.7.1. Perturbation Size $w\times h$

To investigate the influence of the perturbation size $w\times h$ on the attack’s performance, we trained ULAN on seven different size settings: $22\times 22$, $33\times 33$, $44\times 44$, $55\times 55$, $66\times 66$, $77\times 77$, and $88\times 88$. Then, we evaluate the attack performance on the testing dataset, and the results are shown in Figure 7. As expected, for both non-targeted and targeted attacks, a larger perturbation size improves the attack effectiveness, while the attack stealthiness becomes worse. Meanwhile, we find that when the perturbation size exceeds $55\times 55$, the SSIM metric of each DNN model shown in Figure 7b,d continuously decreases, while the corresponding Acc metric shown in Figure 7a,c tends to a stable value. We speculate the reason is that perturbation offset will inevitably occur as the perturbation size increases, resulting in the fact that only partial perturbations can be fed to the victim model such that the attack effectiveness is no longer improved. Therefore, the advised perturbation size in this paper is between $44\times 44$ and $55\times 55$.

Furthermore, ULAN has superior attack performance even in the case of perturbation offset, which is quite different from baseline methods. Specifically, according to Table 4 and Table 5, a large number of global UAPs generated by baseline methods fail to attack the victim model in the case of perturbation offset. Yet, when the perturbation size reaches $88\times 88$, more than $80\%$ of the adversarial examples generated by ULAN still work well. This is because the perturbation size is too large to prevent perturbation offset during the training phase. In other words, ULAN itself is trained in the case of perturbation offset. Thus, there is no doubt that a well-trained ULAN has already been equipped with the ability to fool models effectively in the case of perturbation offset.

4.7.2. Weight Coefficient $\omega$

The weight coefficient $\omega$ is a constant measuring the relative importance of attack effectiveness and stealthiness, which has a great impact on the attack performance. We now train ULAN on nine different weight coefficients, $0.1$, $0.2$, $0.3$, $0.4$, $0.5$, $0.6$, $0.7$, $0.8$, and $0.9$, and report attack results on the testing dataset in Figure 8. We can see that for non-targeted attacks, the Acc and SSIM metrics increase as $\omega$ becomes larger. In targeted attacks, the Acc metric declines as $\omega$ grows, while the SSIM metric is still increasing. Since the non-targeted attack effectiveness is inversely proportional to the Acc metric, and the targeted attack effectiveness is proportional to this metric, the effectiveness of adversarial attacks becomes worse as $\omega$ increases. However, in both attack modes, the SSIM metric is always proportional to the attack stealthiness such that UAPs become more imperceptible as $\omega$ gets larger. Meanwhile, Figure 8a,c suggests that the Acc metric of each DNN model cannot converge to a stable value, and the corresponding SSIM metric shown in Figure 8b,d is also constantly changing. Thus, for superior attack performance, attackers are supposed to choose an appropriate weight as needed in the training phase of ULAN.

4.7.3. Type of $L_p$-Norm

Thus far, we have adopted the $L_2$-norm to measure the image distortion caused by adversarial attacks. However, in addition to the $L_2$-norm, there are many distance metrics, such as the $L_{\infty }$-norm and the $L_1$-norm, etc.

In this section, we evaluate the attack performance of ULAN trained on different distance metrics: the $L_2$-norm and the $L_{\infty }$-norm. Note that the values of image distortion calculated by the two metrics differ by several orders of magnitude, so we set the weight $\omega$ of the $L_2$-norm to $0.5$ and 10 for the $L_{\infty }$-norm. The results of non-targeted and targeted attacks are shown in

Table 8. Adversarial attacks that adopt different types of $L_p$-norm as the distance metric. We report attack results on the testing dataset.

Mode	Victim	Acc		SSIM
		${\mathit{L}}_2$-Norm	${\mathit{L}}_{\mathit{\infty }}$-Norm	${\mathit{L}}_2$-Norm	${\mathit{L}}_{\mathit{\infty }}$-Norm
	A-Conv	31.53%	28.85%	0.96	0.92
	VGG16	16.94%	21.19%	0.95	0.88
	GoogLeNet	16.90%	17.60%	0.95	0.91
Non-target	InceptionV3	23.00%	24.65%	0.96	0.91
	ResNet50	16.08%	14.10%	0.94	0.88
	ResNeXt50	17.35%	18.43%	0.94	0.90
	Mean	20.30%	20.80%	0.95	0.90
	A-Conv	85.45%	84.33%	0.90	0.85
	VGG16	90.21%	87.25%	0.90	0.83
	GoogLeNet	81.65%	81.39%	0.92	0.85
Target	InceptionV3	80.06%	78.72%	0.93	0.86
	ResNet50	85.31%	83.03%	0.90	0.82
	ResNeXt50	86.53%	82.07%	0.90	0.85
	Mean	84.87%	82.80%	0.91	0.84

. We can find that ULAN trained on the $L_2$-norm has better performance on both the attack effectiveness and stealthiness. Therefore, to obtain a more threatening attack network, the advised distance metric in this paper is the $L_2$-norm.

5. Discussion

The above research demonstrates that our method can efficiently attack DNN models on the MSTAR dataset. To further investigate the generality of the proposed method in SAR target recognition tasks, we also apply experiments on the FUSAR-Ship dataset [49]. Specifically, we select four kinds of sub-class targets for the experiments, and the details of the dataset are displayed in

Table A2. Details of FUSAR-Ship, including target classes and sample numbers.

Target Class	Training Number	Testing Number
BulkCarrier	97	25
CargoShip	126	32
Fishing	75	19
Tanker	36	10

. Considering the size of SAR images is $512\times 512$, we set the input size of models to $384\times 384$, the perturbation size to $96\times 96$, and the weight coefficient $\omega$ to $0.1$. For the victim models, we adopt four common DNNs, GoogLeNet [42], InceptionV3 [43], ResNet50 [44], and ResNeXt50 [45]. The attack results of ULAN against DNN models on the FUSAR-Ship dataset are shown in

Table A3. Adversarial attacks of ULAN against DNN models on the FUSAR-Ship dataset. We report attack results on the testing dataset.

Mode	Victim	Acc			Confidence			${\mathit{L}}_2$-Norm	SSIM
		Clean	Adv	Gap	Clean	Adv	Gap
	GoogLeNet	77.65%	29.41%	−48.24%	0.77	0.30	-0.47	8.87	0.99
	InceptionV3	77.65%	34.12%	−43.53%	0.77	0.34	−0.43	7.59	0.97
Non-target	ResNet50	72.94%	29.41%	−43.53%	0.73	0.30	−0.43	4.49	0.98
	ResNeXt50	64.71%	28.24%	−36.47%	0.63	0.30	−0.33	20.35	0.96
	Mean	73.24%	30.30%	−42.94%	0.73	0.31	−0.42	10.33	0.98
	GoogLeNet	25.88%	79.71%	+53.83%	0.26	0.79	+0.53	10.95	0.97
	InceptionV3	24.12%	75.00%	+50.88%	0.25	0.74	+0.49	7.53	0.98
Target	ResNet50	24.71%	68.53%	+43.82%	0.25	0.67	+0.42	14.73	0.97
	ResNeXt50	23.82%	67.65%	+43.83%	0.24	0.67	+0.43	14.79	0.97
	Mean	24.63%	72.72%	+48.09%	0.25	0.72	+0.47	12.00	0.97

. Experiments suggest that our method can fool DNN models on the FUSAR-Ship dataset by perturbing the target regions of SAR images. Meanwhile, the results in

Table A4. Adversarial attacks of ULAN against DNN models on the FUSAR-Ship dataset in the case of perturbation offset. We report attack results on the testing dataset.

Mode	Victim	Acc			Confidence
		No-Offset	Offset	Gap	No-Offset	Offset	Gap
	GoogLeNet	29.41%	30.59%	+1.18%	0.30	0.31	+0.01
	InceptionV3	34.12%	41.18%	+7.06%	0.34	0.39	+0.05
Non-target	ResNet50	29.41%	31.24%	+1.82%	0.30	0.32	+0.02
	ResNeXt50	28.24%	31.76%	+3.53%	0.30	0.32	+0.02
	Mean	30.30%	33.69%	+3.40%	0.31	0.34	+0.03
	GoogLeNet	79.71%	78.24%	−1.47%	0.79	0.76	−0.03
	InceptionV3	75.00%	69.41%	−5.59%	0.74	0.66	−0.08
Target	ResNet50	68.53%	60.00%	−8.53%	0.67	0.61	−0.06
	ResNeXt50	67.65%	61.47%	−6.18%	0.67	0.60	−0.07
	Mean	72.72%	67.28%	−5.44%	0.72	0.66	−0.06

indicate that the adversarial examples generated by ULAN prevent perturbation offset effectively. In summary, the method proposed in this paper has a promising application in adversarial attacks against DNN-based SAR-ATR models.

6. Conclusions

In this paper, a semi-white-box attack network called Universal Local Adversarial Network is proposed to generate UAPs for the target regions of SAR images with the benefit of focusing perturbations on the target regions in SAR images that have high relevance to the recognition results. A focused perturbation on the high-relevance target region significantly improves the efficiency of adversarial attacks. Additionally, it can be fed to the victim model as completely as possible regardless of the input regions such that perturbation offset is effectively prevented. Since ULAN, a generative network, requires model information only during the training phase, once the network is trained and given inputs, it can craft adversarial examples in real time for the DNN-based SAR-ATR model through one-step forward mapping without requiring access to the model itself anymore, which possesses better feasibility than traditional iterative methods. Experimental results demonstrate that the proposed method prevents perturbation offset effectively and achieves comparable attack performance to the conventional global UAPs by perturbing only a quarter or less of the SAR image area. Moreover, our experiments also indicate that ULAN is insensitive to the amount of training data, which makes it still work well under small sample conditions. Potential future work could consider replacing the victim model with a distillation model to construct a black-box attack network. It is also of great interest to enhance the transferability of adversarial examples between different DNN models.