Associative Discussion Among Generating Adversarial Samples Using Evolutionary Algorithm and Samples Generated Using GAN

The remarkable accomplishments of deep neural networks (DNN) have led to their widespread adoption in various contexts, including safety-critical applications. Many strategies have been implemented to generate adversarial samples using DNN, raising the question of the security of the model. Adding small-magnitude noise to the input samples during training or testing can misguide a DNN into producing results different from the actual ones. DNNs are sensitive to indiscernible adversarial samples but readily identifiable by them. Currently, gradient-based approaches are used to generate adversarial samples. Gradient-based methods require internal details of the model, such as several parameters, model type, etc. Usually, these details are practically unavailable, and calculating the gradient for non-differential models is impossible. In this work, we propose a novel DESapsDE framework based on evolutionary algorithms to generate adversarial samples from the probability of labels. We also incorporate a discussion of various Generative Adversarial Network (GAN) models, such as ACGAN, DCGAN, and SAGAN. It has been observed that GANs differ from adversarial sample generation methods and can be applied as defense mechanisms. The proposed method reduced model confidence to 13.09% for the ResNet50 model, 30.34% for the WideResNet model, and 23.1% for the DenseNet model, with an FID score of 16.45. The proposed model varies from the GAN model. It applies to attacks on network models as a preventive measure to make the model robust.


The associate editor coordinating the review of this manuscript and approving it for publication was Mauro Gaggero.
Integrating deep machine learning with industrial automation solutions can significantly increase speed in all processes by avoiding human errors and reducing human interventions. The use of deep learning changed human life in many fields. Computer vision is the field of deep learning that is increasingly used in many applications, from disease prediction [1], [2], [3] to automated surveillance systems [4]. The advent of many deep learning technologies has given rise to protecting computing systems from digital attacks [5]. Many of these applications exhibit better performance than humans. Despite having high performance, recent research demonstrates that though many of the network models are strong, they are not robust. The most popular term nowadays being used by an adversary is adversarial machine learning, which fools machine learning models with perturbed data. Adversarial machine learning is becoming one of the significant threats in machine learning. Adversarial machine learning considers both the generation and identification of samples. Adversarial samples are specially crafted to deceive the prediction model and arise in many areas, from image classification and disease prediction to face recognition.
An adversarial mechanism is an approach to producing adversarial samples. Adversarial samples are inputs to a classification model designed intentionally to make the model incorrect, despite resembling a valid input to the human eye. Researchers have proposed many approaches for the generation of adversarial samples. Adversarial mechanisms that assist in generating adversarial samples may be derivative-based (gradient-based) optimization techniques. Assuming no prior knowledge of the model, adversarial attacks are conceivable during testing and deployment without direct access to the model.
Szegedy et al. [6] first proposed the term adversarial examples using gradient-based evasion attacks. Recently, many researchers attempted adversarial example attacks on deep neural networks. Kurakin et al. [7] tried adversarial examples in the physical environment. In the same context, Carlini and Wagner [8] and Chen et al. [9] verified adversarial standards in speech recognition models (ASR) and Voice Controller systems (VCS). The recent work shows effective attacks in contrast to neural networks that resolve numerous problems. Initially, adversarial examples generated were not appropriately imperceptible. Most methods use distance metrics of $L_p$-norms ($L_0$, $L_2$, $L_\infty$). Sharif et al. [10] showed that $L_p$ norms are not essential for perceptual resemblance. Secondly, several methods were proposed for constructing adversarial examples and making the network robust against adversarial examples. Currently, no single defense is available to accurately categorize the adversarial examples.
Many analysts use generative adversarial networks to generate different types of adversarial samples. The initial framework, called GAN, was suggested by Goodfellow et al. [11] for producing fresh instances from the entire dataset in deep learning. In recent years, GAN has progressed from making realistic human features to producing artistic artworks [12], [13]. The effectiveness of these models comes from the expense of computation and data. GAN models are data-hungry to produce high-accuracy images of many categories. GAN models require high-quality training samples with huge volumes. These massive datasets need time, significant human work, and expensive annotation costs to collect and process data. Generative modeling is applicable to produce real examples that result from a distribution of existing samples. For instance, producing new similar but distinct images from a collection of existing images. GAN works on image data and makes use of convolutional neural networks. Brock et al. [14] demonstrate how their BigGAN technique can produce synthetic photographs that are almost different from actual photographs. Applications such as Generate Realistic Photographs [11], Cartoon Characters, Text-to-Image Translation [13], Generate New Human Poses, Image-to-Image Translation, Photo Blending, Photo Inpainting, Clothing Translation, and Photograph Editing are designed using GAN and many more.
Adversarial attacks may be launched in several ways. These attacks are made primarily for image recognition issues and are made to be effective against Neural Network (NN) models. The training of Generative Adversarial Networks (GANs) is infamously difficult. Research has been done from various perspectives to overcome the difficulty of training GAN. Discriminators or classifiers are vulnerable to hostile perturbations. The adversarial robustness of these models is increased when they are trained on data generated by GANs. Many defenses have been suggested to lessen the impact of adversarial attacks. Researchers use generative adversarial networks to defend against attacks [15], [16]. Many researchers concentrated on defensive mechanisms using GAN, such as Zhang et al. [17], who proposed a robust system to defend against the gradient-based attack applied during the attacking and testing stages. The attacking phase works as a proactive mechanism to intercept the attacker from generating adversarial samples, and the testing stage allows them to discover the perturbed examples and avoid feeding them into the classifier while preventing the attacker from developing malicious samples. The authors utilized a neural network to design the defense and allow the network to find the adversarial examples.
Defense mechanisms modify the samples to make the classifier more robust to the attack. Many defense mechanisms have limitations that apply to black-box or white-box attacks but not to both, and most of the defense mechanisms are specific to the attack and not applicable to the new attack.
This work addresses the associative discussion between the generation of adversarial examples using evolutionary algorithms (DESapsDE) [18] and the samples generated using generative adversarial networks (GAN). The proposed framework is used to fool different neural network architectures. It generates adversarial samples with a success rate while maintaining human perception, and it generates the samples very rapidly. The previous work concentrates on generating adversarial samples using gradient optimization methods that need internal design aspects of the model, such as several parameters for training, training data, and neural network type [6], [19]. Several adversarial samples are created without understanding the model's essential details, like the internal organization of the model [9], [20]. Evolutionary algorithms work only on the probability of labels from the target model; no internal details are required.
The data is often fetched from physical devices, including mobile phones and cameras. In such scenarios, getting the gradient details in the real world is challenging. Deep neural network models are black-box and consist of multiple layers, and it is not easy to examine the model line by line, even if internal details are known. It is possible to provide cost-effective solutions using pretrained models; hence, the adversary can make the model generate the expected output. Evolutionary algorithms are the most robust, reliable, and stable solutions introduced by Su et al. to add small perturbations [21]. A differential evolutionary algorithm is a global optimizer that requires only three parameters, population, crossover, and scaling parameters, to search for a solution from a large space [22], [23]. Most of the existing evolutionary algorithms [21], [22], [23] concentrate on fixed population size that results in solutions getting stuck in local search space. Researchers have reported methods using evolutionary algorithms based on differential evolution and variants, but their success rate is low [21]. In a natural environment, the population size varies due to many parameters. The proposed solutions concentrate on changing the population size to provide more robust solutions. The proposed solution is more effective for low search space and focuses on only the probability of labels with flexibility regarding attack on any deep neural network model.
In 2017, Google Brain showed that any prediction system designed using machine learning algorithms could be fooled and made to yield incorrect results with significantly less skill. Researchers can get them to provide any effect that they want. This vulnerability is a significant problem for the applicability of these safety-critical practices. Most existing machine-learning classifiers are vulnerable to adversarial examples [24], [25]. Machine learning algorithms, such as deep neural networks, have been weak to well-crafted input samples [6]. This weakness of deep neural networks to adversarial mechanisms becomes a significant threat to applying deep neural networks in safety-critical scenarios.
The creation of adversarial examples is an optimization issue with some conditions. The adversary aims to get the optimal solution by adding perturbation as a minimization or maximization function. Generating adversarial samples becomes a significant challenge when the gradient calculation is complex such that perturbation added can hide adversarial modification.
Deep neural networks have demonstrated unparalleled success in solving complex problems previously deemed challenging for traditional machine-learning approaches. Deep neural networks handle large amounts of data and model complex relationships, contributing to their success in diverse domains. The deep neural network generalizes its capacity to unseen data and adapts to various tasks, making it the go-to choice for many machine learning applications. Deep neural networks automate the feature extraction process, eliminating the need for manual feature engineering and saving time and resources for training the model. Deep neural networks offer remarkable capabilities but are not immune to vulnerabilities.
Deep neural networks are susceptible to adversarial attacks, where small, carefully crafted input can lead to misclassification. This susceptibility raises a significant challenge to the security and reliability of DNN-based systems. Szegedy et al. [6] contributed to discovering and exploring vulnerabilities in neural networks. The critical vulnerability Szegedy highlights is the sensitivity of neural networks to small and imperceptible perturbations in input data. The reasons for the vulnerability of neural networks are as follows:
Non-Linearity: A deep neural network is non-linear in nature; small changes in input data can lead to disproportionately large differences in the activation of neurons and, consequently, in the final output.
High-Dimensional Input Space: Neural networks operate in high-dimensional input space with millions of pixels. In high-dimensional areas, numerous directions exist, and small changes can cause significant alterations in the final output.
Lack of Robust Features: Deep neural networks often rely on features that might not be robust or stable across different inputs.
Limited Generalization: Deep neural networks demonstrate impressive generalization capabilities. However, they may struggle to generalize effectively in the presence of adversarial examples. The models may focus on learning patterns present in the training data but fail to capture the underlying structure of the data, making them vulnerable to manipulation.
Understanding and addressing these limitations are critical for developing and deploying deep neural networks. Most of the ongoing research focuses on mitigating these challenges and ensuring that deep neural networks are used ethically and effectively in various applications. There are many applications, such as style transfer, transferring one image's properties to another, 3-D object generation, generating faces, etc. Most applications using GAN generate images similar to the original images but significantly differ nearby. This motivates us to work on how GAN is different from adversarial samples. Therefore, the attacks and defense strategies for generating adversarial mechanisms have attracted great attention.
We introduce below a few basic terminologies to understand the concept of adversarial samples.

A. ADVERSARIAL SAMPLES
Adversarial examples are created by purposely adding minor worst-case perturbations to regular examples so that humans cannot recognize them easily. As shown in Figure 1, the original image x, after adding a small perturbation of ε (>0), makes the machine learning model change the output class with some confidence.

B. LOSS FUNCTION FOR ATTACK
The convolutional neural network (CNN) is a dominant deep learning model that trains network models to categorize pictures based on available patterns. It may then be taught to recognize things in photos. As shown in Figure 2, networks are developed by embedding an optimization procedure that involves a loss function to quantify the model's error.
The loss function evaluates the machine learning model's performance using various loss functions. As shown in Figure 3, the network model θ is trained using optimization algorithms that calculate the error generated.
The loss function is used to upgrade the model by providing retraining. The purpose of retraining the model is to minimize loss, as minimum values represent a better model than larger values. Let us consider a network parameterized by θ that transfers a sample x to a real label $y_0$. An adversary intends to use the function to misclassify $x_0$ to $y_{false}$. Here $y_{false}$ is the output label other than the actual class label. Here $y_0$ is the original label, and $y_{true}$ is the predicted label. The function's output after training is shown in (1). The input x never changes during training.
where c(a, b) is a cost function between a and b.

C. NON-TARGETED ATTACK
This attack misguides the model to any one of the classes. Adversaries make the model give incorrect results. In a non-targeted attack, θ designates the number of parameters as constant, and the loss function is minimized; the optimal solution is as shown in (2).

D. TARGETED ATTACK
Targeted attack misguides the deep neural network to a determined class. This attack is targeted to receive a specific class for the given input, making it more difficult to attack. The output may be any arbitrary class, but not the original one.
In a targeted attack, the loss function is maximized; the optimal solution is as shown in (3).

E. PERTURBATION MEASUREMENT METRICS
The similarity between the original image and the adversarial sample was assessed using $L_p$ norms. The generally used p-norm metrics for quantifying perturbation magnitude are $L_0$, $L_2$, and $L_\infty$. $d(x, x')$ is a distance constraint that must be smaller than some value ε while adding perturbation to the sample, as represented in (4).

F. L0-NORM
This norm gives the aggregate count of pixels altered in the perturbed samples. The maximum possible perturbation is one pixel, as represented in (5).
For each pixel, calculating the variation between the actual input sample and the perturbed sample and summing it over all the pixels is called the $L_2$ norm. Mathematically it is represented in (6).
The Euclidean distance measure finds the variation between the perturbed and actual samples. For each pixel, the variation between the actual sample and the perturbed image is computed, squared, and summed over all the pixels, as shown in (7).
This work is organized as follows: Section II discusses related work with adversarial machine learning; Section III briefly introduces generative adversarial networks (GANs) and the proposed system. The experimental results and their comparison associated with generative adversarial examples are provided in Section IV. Finally, Section V presents the conclusion and future directions.

II. RELATED WORK
The related work concentrates on gradient-based attacks, evolutionary-based attacks, and work related to generative adversarial networks. The first adversarial attack (L-BFGS) [6] for deep neural networks was presented by Szegedy. By using a visual perturbation, the network can be made to classify an image incorrectly. The author demonstrated how various models and datasets might use the created adversarial attack. Iterative attack frequency and perturbation magnitude were utilized as the validation metrics. The results were a 2.1% error rate and a 0.058 distortion rate. The L-BFGS method's reliance on an expensive linear search technique was time-consuming and challenging to execute. Although linear behavior accelerates the training process, the authors [11] claim that the susceptibility of deep neural networks to adversarial perturbation arises from their collinear character. The validation metric was attack frequency multiplied by perturbation magnitude. A. Rozza [26] created the fast gradient value technique by replacing the gradient's sign in the fast gradient sign technique with the raw gradient. The proposed method improved the system's dependability and accuracy. A practical saliency adversarial map, known as the Jacobian-based Saliency Map Attack, was stated by Papernot et al. [19]. A modest perturbation was created to track the neural network that could successfully produce massive output changes. The authors described two adversarial saliency maps to choose the feature to be created over each iteration. Only 4.02% of the input characteristics per sample were changed to attain their 97% adversarial success rate. DeepFool [27] is an approach for determining the shortest distance between the genuine input and the adversarial samples' decision boundary. They used an iterative technique based on a linear approximation to deal with the high-dimension nonlinearity. Chen et al. [9] developed a strategy based on Zeroth Order Optimization (ZOO).
Although this attack does not need gradients, it can be used immediately in a black box attack without delivering any data. The researchers also modified stochastic coordinate descent (SCD) techniques by converting the gradient function into a novel loss function called ZOO-ADAM, which resembles a hinge. The results demonstrated that the white box assaults used by ZOO and C&W functioned equally.
Lin et al. [28] presented the Black-box Momentum Iterative Fast Gradient Sign Method to create the adversarial samples. The major goal is to assure the DNN's resilience by considering model features such as input and output rather than internal details such as weight values, gradients, or model architectural information. On the ImageNet dataset, the suggested solution is tested for targeted and untargeted assaults. The author used differential evolution to enhance the model's inaccurate gradient direction and enabled double-step size and candidate reprocessing. The suggested system was tested against CIFAR10, MNIST, and ImageNet. In this study, the ResNet101 architecture is utilized as a basic model with 100 samples verified for both the targeted attack, with a success rate of 93.2%, and the non-targeted attack, with a success rate of 98.6%. The author claims this method takes less time and produces more transferable samples than the ZOO approach. Shu et al. [29] developed a straightforward method for producing and identifying adversarial samples. Users may define the number of pixels affected, the chance of misclassification, and the targeted erroneous pixels. The disclosed method is a white box attack that can recognize vulnerable samples, i.e., pixels using a unique manifold-based F1 measure. According to the author, this attack is universal, rapid, and gradient-free over a sample size of 200, 500, and 1000 using particle swarm optimization methods. The ResNet32 model is used in this work to train and evaluate samples over the MNIST and CIFAR10 datasets.
In the study by Luo et al. [30], a random directed attack over the hill climbing method was used to get the gradient direction for the generation of adversarial samples. The generated adversarial samples were applied for both the targeted and non-targeted labels without internal information available, and experiments were tested using MNIST, SVHN, CIFAR-10, and ImageNet-10 datasets. The model is trained for 100 epochs through the Adam optimizer and with different operations on samples like rotation, vertical shift, and horizontal flip. Experimental results examine the effect on the success rate of a different selected number of dimensions, the angle of rotation of samples, attack direction, and the number of iterations. The results given by the RDA method are aggressive in most of the analyses, which achieves the highest success rate of 100% after multiple iterations.
In a novel attack known as compositional pattern-producing network-encoded EA (CPPN EA) [31], adversarial samples are classified with notable accuracy (99%) using a deep neural network. However, these objects are not identifiable to humans. Pavate et al. [20] discussed the different adversarial generations using gradient-based methods and concluded that calculating the gradient is practically difficult. Evolutionary algorithms (EAs) have been used to generate hostile examples. It is challenging to avail the information about the model and calculate the gradient for the system designed using non-differential techniques. Evolutionary algorithms require only the probability of labels from the target model. For evolutionary algorithms, it has been shown that 72.29%, 72.32%, and 61.28% success rates for non-targeted attacks and 88.68%, 83.63%, and 73.07% confidence with best parameter settings on three different types of networks [32]. As more effective methods are available, we can compare them with other categories of evolutionary algorithms [18], [21], [32], [33]. As varieties of evolutionary algorithms are available, implementing samples can be possible using more advanced algorithms such as Covariance Matrix Adaptation Evolution Strategy, Adaptive DE, SUNA, etc.
There are many GAN-based methods used for the attack [34], [35] and model protection [24], [37]. Radford et al. [38] proposed a DCGAN (deep convolutional GAN) system that is more secure and fast in most settings. Xiao et al. [25] proposed AdvGAN to design perturbed instances from the original ones.
The generated adversarial samples were verified in black-box and semi-white-box settings. The generated model is a defense method against attack [11], [39]. The authors showed that the generated samples achieved a high success rate of 94.7 for the ResNet model and 99.3 for the WideResNet model in a semi-white box attack setting for the CIFAR-10 dataset.
The discriminator's loss function in the Least Squares Generative Adversarial Network (LSGAN) is designed to utilize the a-b coding technique in the least squares technique to solve the issue of gradients vanishing during the GAN training process [40]. The LSGAN helps to generate high-quality images. A representation learning technique with the potential to fully framework for the implementation of the disentangled design was introduced by Information Maximizing GAN (InfoGAN) [41]. InfoGAN, an unsupervised framework based on GAN, distinguishes continuous and discrete latent components, scales to huge datasets, and takes no further training time than GAN.
Xiao et al. [25] proposed AdvGAN for protecting the network model from adversarial attacks. The adversarial samples are generated by establishing perturbation into the real world.
For human perceptual testing, authors engaged humans to choose more realistic image pairs. The AdvGAN applies to high-resolution images. The advanced version of AdvGAN++ addressed the limitations of AdvGAN and improved the attack success rate concerning time [42].
Table 1 represents a variety of adversarial networks with performances. The metrics mentioned, such as accuracy, attack success rate, and FID score, provide insights into the robustness and effectiveness of these models under various attack scenarios and datasets. Many of the GAN models were used as defense mechanisms, whereas few of the models used adversarial examples to retrain the model.
According to the study, the primary source of attacks on machine learning models is that it remembers far too much. Because the model is nonlinear, parameters may be adjusted to match the training dataset. The opponent can use this advantage to reveal confidential information or alter the model's output. There is no guarantee that an adversarial picture will be labeled wrongly using these approaches; sometimes, the attacker wins, and sometimes the machine learning model prevails.
143762 VOLUME 11, 2023 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.

III. METHODOLOGY

A. DATASET & ARCHITECTURES
The experiments were conducted on various deep neural network models such as LeNet, ResNet50, Network-In-Network, DenseNet, and WideResNet [18] as target image classifiers on the CIFAR-10 dataset [51]. The dataset contains 60000 images of sample size 32 × 32 in 10 classes. Each class has 1000 images. The simplified specification of all the models used for experimentation is shown in Table 2. The DenseNet architecture is flexible and can be adapted for different datasets. This experiment considered depth = 16, batch size = 128, epochs = 200, iterations = 391, and weight decay = 0.0005; the other parameter settings are given in Table 2. These models are the targets attacked with adversarial samples generated using the DESapsDE algorithm.

B. METHOD
A summary of the system's methods is shown in Figure 4 and represents the associated discussion among two different models, GAN and the novel DESapsDE. Figure 4A represents the overview of GAN's general architecture for samples. We propose the DESapsDE [18] system to generate adversarial samples, as highlighted in Figure 4B with a blue dotted line. Group B generates the adversarial samples by training some other model. The first group, Figure 4A, consists of original images mixed with some noise images to generate the new samples using GAN. The working of each model is discussed in the sections below.

C. SAMPLES GENERATIONS WITH GAN
This section concentrates on training the GAN model using the CIFAR-10 dataset and comparing the functional performance of the GAN in synchronization with the proposed system. Figure 4A shows the generation of adversarial samples using the general generative adversarial network. GAN comprises two models: generative (adversarial) and discriminator models. The model takes sample images with three color channels (R, G, B) and the 32 × 32 image from the CIFAR10 dataset as input and outputs a binary class prediction of whether the sample is real (or fake). The image pixel values in the range (0, 255) are scaled down to the range (−1, 1).
The adversarial model generates the pixels using the tanh activation function, with range (−1, 1). The adversary model creates new adversarial samples by adding random noise, and the discriminator model verifies whether the samples are fake or real. The discriminator model determines whether the samples are taken from the dataset or are adversarial samples. Mathematically the model is represented as shown in (8): Here G is the adversary, x is actual samples from the dataset, D is the discriminator, z is generated samples, D(x) is the discriminator network model, and G(z) is a generator network model. The GAN is an unsupervised model based on the deep neural network architecture. The discriminative model acts as a supervised model. GAN models are trained like other network architecture models such as ResNet, DenseNet, etc. However, these models are complex to train. This model uses random noise with input samples to create new perturbed samples. Extending the number of output labels while training the model can improve the model's performance, but getting the number of output labels is practically challenging. The GAN models help to make the model more robust to attack [15]. In this work, the GAN models incorporated for discussion are DCGAN, ACGAN, and SAGAN. The working of each model and the experimental settings are discussed below.

1) SAMPLES GENERATION USING DCGAN
The generator model produces an image using up-sampling by adding random noise, as shown in  The samples produced by the generator are transferred to the discriminator and the actual images.The DCGAN causes the problem of mode collapse, where the generator over-optimizes, and the discriminator can never detect fake images; as a result, the generator generates many similar images [38].The preprocessing images are scaled to a specific range of tanh activation functions.

2) SAMPLES GENERATION USING SAGAN
Self-Attention for Generative Adversarial Networks (SAGANs) [52] is a redraft of the original GANs, as shown in (Fig 6). Here, the idea is to generate global detailing samples. The discriminator and the generator layer contain convolution layer output followed by the attention layer. To deal with the problem of DCGAN, self-attention GAN introduces two time-scale updates in GAN training by providing different learning rates for the generator and discriminator [36]. This helps in solving the issue of slow learning and imbalanced updates. Self-Attention for GANs uses spectral normalization to avoid increased parameters and unwanted gradients. The f(x), g(x), and h(x) are the feature vectors. The feature vectors f(x) and g(x) have different dimensions than h(x), and both feature vectors are aggregated using matrix multiplication to calculate the attention. The aggregated results are passed to the SoftMax layer, which generates the attention map.

3) SAMPLES GENERATION USING ACGAN
Conventional GAN was designed for unsupervised learning with an output of the discriminator of dimension 1 with some real probability value. The auxiliary classifier GAN (ACGAN) [40] helps to create class-specific samples using the auxiliary classifier in the discriminator. The discriminator comprises two output layers: the first is used for determining whether the output is real or fake, and the second decides which input belongs to which class, as shown in Figure 7.

D. SAMPLES GENERATION USING NOVEL DESapsDE
The adversarial mechanism for designing the model starts with collecting the input samples from a similar domain. In this work, the classifier is attacked using images from the CIFAR-10 dataset [51]. As shown in Figure 4B, the generation of adversarial mechanisms has two different models: one is on the victim side, and the other is on the adversary side.
Adversarial mechanisms are the methods used to generate adversarial samples. An adversarial sample is an input to the neural network model designed by adding a small perturbation that causes the model to predict a different class output than the actual one, while still resembling the original input to a human. The adversary knows the victim model's labels. The adversary trains the model with domain samples and obtains similar results. Optimization is the underlying math. Targeted attacks are maximization problems, whereas non-targeted attacks are minimization problems.
The algorithm shows the steps for generating adversarial samples, as discussed in [18]. This method is based on a differential evolutionary algorithm with changing population size. Previous work [21] concentrated on fixed-size populations, but naturally, this is not true as the population changes randomly.
This work concentrates on changing the population and increasing convergence speed. In this algorithm, the input is the n-dimensional original image X = (x1, ..., xn). P is ((x1, y1, r1, g1, b1), (x2, y2, r2, g2, b2), ..., (x100, y100, r100, g100, b100)), the population size, and xm1, xm2, xm3 are the arbitrary indices of the range [1, P]. The differential evolutionary algorithm is based on the DE/Base/Num/Cross scheme. Base represents how the mutant vector is constructed, Num represents the number of differential vectors, and Cross represents the crossover scheme. θ decides on one of the mutation schemes, θ ∈ [1, 0.1]. e(p) is the additive perturbation w.r.t. the natural image X, and e(p)* is the fitness function: for the targeted attack, it is considered a maximization function, and for the non-targeted attack, it is a minimization function. The fitness value of each input sample is the probability value of the actual class for that input sample. L is the minimum constant value. Here, L is 1 for one-pixel perturbation, qi is the trial vector, x is the original, and g is the number of generations, initially set to g = 0.

Algorithm - Adversarial Sample Generation (Novel DESapsDE)
Input: Images of size 32 × 32 (CIFAR10 Dataset). Set the initial population P = (X1, X2, ..., Xn), i.e., n is equivalent to 100; Mutation set to 0.5F; Crossover set to 0.

The algorithm starts with selecting the initial random population. At the start, it considers the whole search space. The second step obtains the mutation strategy. Crossover merges with individuals to make new offspring. Three population schemes are included to get the population according to the desired population distribution: either remove 5% of the individuals from the whole population, randomly select the best individuals, or randomly select the best and remove 5% of the individuals. The algorithm helps to include the perturbation in the input sample so that it is not easily detectable by human eyes. These samples are applied on different neural network models during the testing or deployment phase, and the results are observed. The work concentrates on black-box attacks for both targeted and nontargeted attacks during the testing of the model.
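The loop described above, written out as an added example (not the paper's own code): a non-targeted one-pixel robustness probe that queries only class probabilities and sheds 5% of its population per generation (scheme a). The 8x8 toy classifier and image are constructed, CR = 0.7 is an assumption because the page's crossover value is truncated, and dropping the worst-scoring individuals is an assumption about how the 5% is chosen.

```python
import math
import random

SIZE = 8  # constructed toy image side (the page attacks 32x32 CIFAR-10 images)

def make_toy_model(rng):
    """Constructed stand-in for the victim model: a fixed linear two-class softmax."""
    w = [[rng.uniform(-0.3, 0.3) for _ in range(SIZE * SIZE * 3)] for _ in range(2)]
    def predict(img):  # black box: flat RGB image in [0, 1] -> class probabilities
        exps = [math.exp(sum(a * b for a, b in zip(row, img))) for row in w]
        return [e / sum(exps) for e in exps]
    return predict

def clip(c):
    """Keep a candidate (x, y, r, g, b) inside the image and the colour range."""
    return [min(SIZE - 1, max(0, v)) for v in c[:2]] + [min(1.0, max(0.0, v)) for v in c[2:]]

def apply_pixel(img, c):
    """Copy img and overwrite the single pixel named by candidate c."""
    out, base = list(img), (int(c[1]) * SIZE + int(c[0])) * 3
    out[base:base + 3] = c[2:]
    return out

def de_probe(predict, img, true_cls, rng, pop_size=100, gens=75, F=0.5, CR=0.7, shrink_pct=5):
    """Non-targeted probe: minimise the true-class probability with a shrinking DE population."""
    fitness = lambda c: predict(apply_pixel(img, c))[true_cls]
    pop = [clip([rng.uniform(0, SIZE), rng.uniform(0, SIZE)] + [rng.random() for _ in range(3)])
           for _ in range(pop_size)]
    scores = [fitness(c) for c in pop]
    history = [(len(pop), min(scores))]  # (population size, best fitness) per generation
    for _ in range(gens):
        for i in range(len(pop)):
            a, b, c = rng.sample([j for j in range(len(pop)) if j != i], 3)
            mutant = clip([pop[a][k] + F * (pop[b][k] - pop[c][k]) for k in range(5)])
            forced = rng.randrange(5)  # at least one gene always comes from the mutant
            trial = [mutant[k] if k == forced or rng.random() < CR else pop[i][k] for k in range(5)]
            s = fitness(trial)
            if s <= scores[i]:  # greedy selection: keep the trial only if it is no worse
                pop[i], scores[i] = trial, s
        drop = len(pop) * shrink_pct // 100  # resizing scheme (a): shed 5% per generation
        if drop and len(pop) - drop >= 4:  # rand/1 mutation needs four individuals
            keep = sorted(range(len(pop)), key=scores.__getitem__)[:len(pop) - drop]
            pop, scores = [pop[j] for j in keep], [scores[j] for j in keep]
        history.append((len(pop), min(scores)))
    return pop[scores.index(min(scores))], history

def demo(gens=10, seed=7):
    """Run the probe on one constructed image; return before/after images and the history."""
    rng = random.Random(seed)
    predict = make_toy_model(rng)
    img = [rng.random() for _ in range(SIZE * SIZE * 3)]  # constructed sample image
    true_cls = max((0, 1), key=predict(img).__getitem__)
    cand, history = de_probe(predict, img, true_cls, rng, gens=gens)
    return img, apply_pixel(img, cand), history
```

The history makes the two properties of the scheme visible: the best true-class probability never rises from one generation to the next, and the number of model queries per generation falls as the population shrinks.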

IV. RESULTS AND DISCUSSION
The comparison and performance evaluation of images generated by evolutionary algorithms and GAN is challenging. The parameter settings for experimental purposes are given in Table 3. The GANs use different activation functions at the generator and discriminator: DCGAN uses G -> ReLU, Tanh and D -> Leaky ReLU; SAGAN uses G -> ReLU, Tanh and D -> ReLU; ACGAN uses G -> ReLU, Tanh and D -> Leaky ReLU, Sigmoid, Softmax; whereas DESapsDE applies only one activation function. Generative adversarial networks and adversarial examples are distinct concepts with different purposes and applications. GANs are designed to generate new, realistic data samples. They consist of a generator and a discriminator, and both networks are engaged in a competitive process. The purpose of DESapsDE is to test the robustness and vulnerability of the model to small perturbations in the input data.
The parameters of DESapsDE involve the magnitude and direction of noise applied to the input data to cause misclassifications. DESapsDE calculates the fitness value for targeted labels and nontargeted labels. For targeted attacks, it is a maximization function; for nontargeted attacks, it is a minimization function to add minimal noise into the sample.
The novel DESapsDE and the GAN models were executed in Google Colab with a GPU configuration.
In this work, we have used the FID score to check the model's performance and accuracy, as shown in Table 4. The previous works concentrate on different norms, L0 to L∞, to identify the amount of perturbation added into the samples, making the state of the art complicated to perceive [6], [54]. FID provides a comprehensive evaluation that goes beyond single-image metrics. It considers the entire generated image distribution, offering a more holistic view of the model's performance. FID scores have been shown to correlate with human judgment of image quality.
Models that achieve lower FID scores tend to produce images that are visually closer to real images according to human perception. Frechet Inception Distance is an assessment metric that calculates the Wasserstein-2 distance between the actual and the constructed samples, where a lower FID score indicates optimal results for the models. However, evaluating the model's performance is difficult based on the cost function and many other parameters. Many times, cost functions address the vanishing gradient or the gradient stuck in local optima. Becoming trapped in local optima is overcome using the innovative DESapsDE evolutionary algorithm by considering a dynamic population. However, it is dependent on the cost function. The performance of the GAN and DESapsDE is given in Table 4. The GAN requires more training time to produce the images. GANs can be notoriously difficult to train and may suffer from issues like mode collapse.
The GAN model's loss for the discriminator and the generator is observed after every batch. After training over many epochs, the model displays images while some loss remains stable. The discriminator loss on the real and the generated samples is over 1.5. The loss for the adversary model trained using a discriminator over around 2.  The model is adversarial, meaning the generator model changes after every batch until good-quality images can be produced. The quality of the images may vary, sometimes improving or even degrading with subsequent updates. The GAN models require more training time to get better-quality samples. Figure 9 represents the model confidence (left) and the sample generated after 100 epochs using the proposed system. As per observation, the GAN requires more epochs to generate good-quality images compared to the novel DESapsDE. The model predicts the image as a cat instead of an airplane as an effect of the added noise.
GAN models were experimented with using weights and biases on the MLOps platform with TESLA T4 configurations. Most of the previous work concentrated on gradient-based methods [6], [9], [18], [27] for generating adversarial samples, but getting gradient information is challenging in practice, so many researchers concentrated on evolutionary algorithms. Much of the previous work using GANs evaluated images visually, and it is difficult to assess the visual quality. The Frechet Inception Distance (FID) [36] and Inception Score (IS) [53] measures are most typically employed to assess image quality.
In DCGAN confidence, the label cannot infer the latent variable from input samples, and it requires low performance and produces many samples belonging to the same class. The images generated using SAGAN are of higher quality than those of DCGAN, but again it depends on the depth of the network. High-level feature maps gave better-quality images. The ACGAN produces the samples based on the class labels and does not require the probability to generate the images. The produced samples mostly show one of the classes. As shown in Figure 10, in the first row, most images are cars, representing the latent space as class conditional and partial. Creating a complex structure is difficult because complex geometrical patterns require long-range information, which traditional convolution may not recognize. For specific categories of classes GANs can work well, but they often fail where non-local dependencies frequently appear in some classes of images.
Once the GAN model has been trained, the generative attack is quick and effective compared to the conventional optimization-based methods. The GAN black-box attack method does not work well and lacks transferability. In this experiment, DESapsDE is superior to adversarial attacks relating to accuracy. Compared to the results of the GAN models, the quality of the images generated using the novel DESapsDE is superior, as shown in Figure 11. The scenario is limited, as samples contain only a few pixels of noise. Considering the attack rate, the WideResNet model has stronger resilience against noise attacks.
DESapsDE shows varying success rates across different models, with LeNet achieving the highest success rates in targeted and nontargeted attacks. Standard DE [21] and its variants demonstrate competitive performance, particularly in nontargeted attacks. JADE (Adaptive Differential Evolution) [54] also shows noteworthy success rates, with ResNet achieving high success rates in nontargeted attacks. Table 5 provides a clear comparison of the success rates of different models under targeted and non-targeted one-pixel attacks, offering insights into the robustness of these models against adversarial manipulations. generated images only. However, it is much more challenging to create geometrically complex structures.
Figure 13 shows the output generated using the novel DESapsDE method. The real image corresponds to the horse class but is projected by the model as a dog, bird, or cat class. The goal is to undermine the confidence of models in the target class. These samples train the model and improve the system's resilience. The innovative DESapsDE method is effective for low-dimensional space.

V. CONCLUSION AND FUTURE WORK
Generative adversarial network models are more successful techniques and are applicable in high dimensions. Many times, acquiring data may be costly. GANs work on both unsupervised and supervised learning data and can handle multimodal data. The proposed method concentrates on low-dimensional space and tries to solve the problem of the gradient being stuck in local space by including a population resizing scheme to increase convergence speed. GAN models frequently fail to converge due to switching between the generator and discriminator. This problem is solved by embedding noise into the discriminator input or penalizing weights at the discriminator. Though researchers are working on convergence, the problem of stabilizing the network is still unresolved. GANs could be applicable to protect or defend against adversarial mechanisms. The discriminator model in a GAN can be trained to resist adversarial samples, and the system becomes more robust to such examples. The proposed model differs from the GAN and applies to attack-on-network models as a preventive measure to make the model robust.
There are growing concerns about the security of deep neural networks (DNN) due to the susceptibility to adversarial samples.
The work introduces a novel DESapsDE framework based on evolutionary algorithms to generate adversarial samples, addressing the challenges associated with gradient-based methods. The approach is discussed in the context of various GAN models, emphasizing its potential as both an attack prevention measure and a way to enhance the robustness of deep neural networks against adversarial threats. The results demonstrate promising outcomes in reducing model confidence, providing valuable insights into improving the security of DNNs. The reported results show a reduction in model confidence for specific DNN models, such as ResNet50, WideResNet, and DenseNet, with an associated FID score of 16.45.
Future work concentrates on considering high-dimensional space and more advanced differential evolutionary algorithms. The experiments can be conducted using changing population size, various strategies, constant of differentiation, number of steps included in the traversal phase, and constant of crossover.

FIGURE 2. Deep learning as the optimization process.

FIGURE 3. The loss function for adversarial sample attack.

FIGURE 4. Associated discussion between the (A): Adversarial samples generation using generative adversarial network and (B): Adversarial sample generation using novel DESaps-DE algorithm.

Figure 5 .
The discriminator consists of stride, batch norms, and LeakyReLU activation function. The samples the generator produces are transferred to the discriminator along with images. The training model setting for the deep convolutional generative adversarial network (DCGAN) is as follows. Generator model settings: stride 2, eliminated FC layer, and inverse convolution used for upscaling. Discriminator model settings: CNN, LeakyReLU, kernel size = 5, b1 = 0.5, batch size = 64, epochs = 100. Here it takes a 3 × 32 × 32 input image, and the output is 3 × 32 × 32.

FIGURE 6. Architecture of self-attention for generative adversarial networks.

1 ;
For all g = 1 to 75, do:
    Assess fitness e(p)* = maximize over e(p)* of ftadv(p + e(p)), subject to ∥e(p)∥ ≤ L
    For i = 1 to 100, do:
        Select any 3 vectors (xm1, xm2, xm3) randomly with different indices, where X1 = xm1 = (x1, y1, r1, g1, b1) is a flat vector
        Assess n new_mutant using Xi = xm1 + F(xm2 - xm3)
        Generate trial vector qi through crossover_operation
        If f(qi) >= f(Xi):
            New_offspring = trial vector (qi)
        Else:
            New_offspring = Xi
    P = (new_offspring, i = 1, 2, ..., n)
    // Select one of the schemes to speed up the process:
    a. Remove 5% of individuals from the total population, or
    b. Randomly select the best individuals, or
    c. Randomly select the best individuals and remove 5% from the total population
Output: Perturbed samples

5 for much of the training process. The model's training starts at epoch 100, and the model starts getting the acceptable images at 3120 epochs as shown in figure 8 whereas for DESapsDE generates the acceptable images.

FIGURE 8. Evaluating model performance using generative adversarial network.

A deer or possibly a deer-horse-looking animal is the output of the classifier from the DCGAN model, and humans and other images can easily detect it, as shown in Figure 12. Most of the images generated do not belong to any of the classes. The images are familiar and similar to CIFAR-10 dataset images, but most images are not specified to one of the 10 classes. A human operator evaluates the quality of the images; knowing when to stop training the model is difficult in the GAN model. The training stops by observing the

FIGURE 11. Adversarial samples were generated using DESapsDE (Differential evolution self-adaptive population resizing scheme) and verified using various CNN network models.

FIGURE 12. Images produced using the GAN model on CIFAR 10 dataset.

FIGURE 13. Generated sample using DESapsDE applied over ResNet model and LeNet model.

TABLE 1. Experiment conducted using GAN with adversarial samples.

TABLE 2. Specifications of models used for experimentation.

TABLE 3. Comparative parameter settings for experimentation.

TABLE 4. Performance of the proposed system with GAN models (200 epoch for Accuracy) on the CIFAR 10 dataset.

TABLE 5. Performance of the proposed system with other models on the CIFAR 10 dataset.