Adversarial examples which mislead deep neural networks by adding well-crafted perturbations have become a major threat to classification models. Gradient-based white-box attack algorithms have been widely used to generate adversarial examples. However, most of them are designed for multi-class models, and only a few gradient-based adversarial attack algorithms specifically designed for multi-label classification models. Due to the correlation between multiple labels, the performance of these gradient-based algorithms in generating adversarial examples for multi-label classification is worthy of analyzing and evaluating comprehensively. In this paper, we first transplant five typical gradient-based adversarial attack algorithms in the multi-class environment to the multi-label environment. Secondly, we comprehensively compared the performance of these five attack algorithms and the other four existing multi-label adversarial attack algorithms by experiments on six different attack types, and evaluated the transferability of adversarial examples generated by all algorithms under two attack types. Experimental results show that, among different attack types, the majority of multi-step attack algorithms have higher attack success rates compared to one-step attack algorithms. Additionally, these gradient-based algorithms face greater difficulty in augmenting labels than in hiding them. For transfer experimental results, the adversarial examples generated by all attack algorithms exhibit weaker transferability when attacking other different models.

通过添加精心设计的扰动来误导深度神经网络的对抗性示例已成为分类模型的主要威胁。基于梯度的白盒攻击算法已被广泛用于生成对抗性示例。然而，大多数都是针对多类模型设计的，只有少数基于梯度的对抗攻击算法专门针对多标签分类模型设计。由于多个标签之间的相关性，这些基于梯度的算法在生成多标签分类的对抗性示例方面的性能值得全面分析和评估。在本文中，我们首先将多类环境中的五种典型的基于梯度的对抗攻击算法移植到多标签环境中。其次，我们通过对六种不同攻击类型的实验，综合比较了这五种攻击算法与其他四种现有多标签对抗攻击算法的性能，并评估了两种攻击类型下所有算法生成的对抗样本的可迁移性。实验结果表明，在不同的攻击类型中，大多数多步攻击算法比一步攻击算法具有更高的攻击成功率。此外，这些基于梯度的算法在增强标签方面比隐藏标签面临更大的困难。对于迁移实验结果而言，所有攻击算法生成的对抗样本在攻击其他不同模型时都表现出较弱的可迁移性。