To improve storage and transmission, images are generally compressed. Vector quantization (VQ) is a popular compression method because its high compression ratio surpasses that of other compression techniques. Despite this, existing adversarial attack methods on image classification are mostly performed in the pixel domain, with few exceptions in the compressed domain, making them less applicable in real-world scenarios. In this paper, we propose a novel one-index attack method in the VQ domain that generates adversarial images with a differential evolution algorithm, successfully causing image misclassification in victim models. The one-index attack method modifies a single index in the compressed data stream so that the decompressed image is misclassified. Because only a single VQ index needs to be modified to realize an attack, the number of perturbed indexes is limited. The proposed method is a semi-black-box attack, which is more in line with the actual attack scenario. We apply our method to attack three popular image classification models, i.e., ResNet, NIN, and VGG16. On average, 55.9% and 77.4% of the images in CIFAR-10 and Fashion MNIST, respectively, are successfully attacked, with a high level of misclassification confidence and a low level of image perturbation.
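To make the compressed-domain setting concrete, the following added example (not code from the paper) shows a minimal VQ encoder and decoder and measures how far a change to one index reaches in the decompressed image. The codebook, the 4x4 image, the 2x2 block size and all function names are constructed for illustration; no classifier or search procedure is involved.

```python
import math

BLOCK = 2  # block side length; each block is a 4-dimensional vector
# Constructed 4-entry codebook of flattened 2x2 grayscale blocks.
CODEBOOK = [(0, 0, 0, 0), (255, 255, 255, 255), (0, 255, 0, 255), (0, 0, 255, 255)]
# Constructed 4x4 grayscale image.
IMAGE = [[10, 5, 250, 240], [0, 12, 255, 251], [3, 250, 8, 2], [1, 245, 240, 252]]

def encode(image):
    """Map each BLOCK x BLOCK tile to the index of its nearest codeword."""
    h, w = len(image), len(image[0])
    indexes = []
    for by in range(0, h, BLOCK):
        for bx in range(0, w, BLOCK):
            vec = [image[by + dy][bx + dx] for dy in range(BLOCK) for dx in range(BLOCK)]
            dist = lambda cw: sum((a - b) ** 2 for a, b in zip(vec, cw))
            indexes.append(min(range(len(CODEBOOK)), key=lambda k: dist(CODEBOOK[k])))
    return indexes

def decode(indexes, h, w):
    """Rebuild the image by pasting the codeword selected by each index."""
    image = [[0] * w for _ in range(h)]
    blocks_per_row = w // BLOCK
    for n, idx in enumerate(indexes):
        by, bx = (n // blocks_per_row) * BLOCK, (n % blocks_per_row) * BLOCK
        for p, value in enumerate(CODEBOOK[idx]):
            image[by + p // BLOCK][bx + p % BLOCK] = value
    return image

def psnr(a, b):
    """Peak signal-to-noise ratio in dB between two 8-bit images."""
    errs = [(x - y) ** 2 for ra, rb in zip(a, b) for x, y in zip(ra, rb)]
    mse = sum(errs) / len(errs)
    return math.inf if mse == 0 else 10 * math.log10(255 ** 2 / mse)

def single_index_change(indexes, pos, new_idx, h, w):
    """Decode before and after replacing one index; report the pixel-domain effect."""
    before = decode(indexes, h, w)
    tampered = list(indexes)
    tampered[pos] = new_idx
    after = decode(tampered, h, w)
    changed = [(y, x) for y in range(h) for x in range(w) if before[y][x] != after[y][x]]
    return changed, psnr(before, after)
```

Every changed pixel lies inside the one block addressed by the modified index, which is why a decode-and-compare against a trusted copy of the index stream localizes the tampered block directly.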