Computer Science, 2023, Vol. 50, Issue (4): 110-116. doi: 10.11896/jsjkx.220300024

• Computer Graphics & Multimedia •

Adaptive Image Adversarial Reprogramming Method Based on Noise Invisibility

刘依凡, 欧博, 熊剑琴   

  1. College of Information Science and Engineering, Hunan University, Changsha 410082
  • Received: 2022-03-02  Revised: 2022-08-30  Online: 2023-04-15  Published: 2023-04-06
  • Corresponding author: OU Bo (oubo@hnu.edu.cn)
  • About the author: (yifanliu@hnu.edu.cn)
  • Supported by:
    National Natural Science Foundation of China (61872128)

Adaptive Image Adversarial Reprogramming Based on Noise Invisibility Factors

LIU Yifan, OU Bo, XIONG Jianqin   

  1. College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China
  • Received: 2022-03-02  Revised: 2022-08-30  Online: 2023-04-15  Published: 2023-04-06
  • About author: LIU Yifan, born in 1999, postgraduate. Her main research interests include adversarial attack and so on.
    OU Bo, born in 1985, Ph.D, associate professor, Ph.D. supervisor. His main research interests include reversible data hiding and the related topics.
  • Supported by:
    National Natural Science Foundation of China (61872128).

Abstract: Adversarial reprogramming is an attack against deep neural networks: by adding perturbations to the input image, it makes the network model perform a task chosen by the attacker, which undermines the legitimate right of use of the trained network model. Studying and designing adversarial reprogramming methods is therefore valuable for understanding this class of attacks and designing corresponding defense algorithms. This paper examines how the region in which adversarial perturbations are added affects the performance of adversarial reprogramming. A noise invisibility function is used to evaluate the adversarial-distortion characteristics of each image region, yielding a masking matrix; adversarial perturbations are then added adaptively to optimize the reprogramming task. Experimental results show that, for current mainstream deep network classification models, the proposed algorithm improves the attack performance of adversarial reprogramming and increases the imperceptibility of the modified images.

Keywords: adversarial attack, adversarial reprogramming, adaptive perturbation, noise visibility function

Abstract: Adversarial reprogramming is an attack method against deep neural networks. By adding a certain perturbation to the input image, the network can be made to execute the attacker's specified task, i.e., the legitimate permission of the trained network model is destroyed. Understanding and investigating this kind of attack in depth is valuable for designing corresponding anti-reprogramming algorithms. This paper discusses the relationship between the location of perturbations and the performance of adversarial reprogramming. Specifically, the noise visibility function is used to evaluate the adversarial distortion for each local content and obtain the masking matrix. Then, the adversarial perturbations are added adaptively to optimize the attacking task. Experimental results show that, for state-of-the-art deep network models, the proposed algorithm can enhance the performance of the adversarial reprogramming attack and improve the imperceptibility of the modified image.

Key words: Adversarial attack, Adversarial reprogramming, Adaptive perturbation, Noise visibility function
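As an added illustration of the masking step the abstract describes (example code written for this page, not the authors' implementation; the paper's exact function is not reproduced on the page), the block below computes the textbook variance-based noise visibility function NVF(i,j) = 1 / (1 + θ·σ²(i,j)) with θ = D / σ²_max over a 3x3 window, and derives the masking matrix 1 − NVF. The window size, D = 75 and the 8x8 test image (a flat gray half beside a checkerboard half) are constructed assumptions. The point a defender takes from it: the mask is 0 in flat content, where any perturbation is visible, and close to 1 in textured content, so perceptual-distortion checks and detection effort on adaptively perturbed images should concentrate on textured regions rather than on global pixel norms.

```python
# Added example (not the paper's code): variance-based noise visibility
# function (NVF) and the masking matrix derived from it, in pure Python.
# Assumptions: NVF(i,j) = 1 / (1 + theta * var(i,j)), theta = D / var_max,
# 3x3 window, D = 75 (a common choice); mask = 1 - NVF. The paper's exact
# definition is not on the page, so this is the textbook form only.
from typing import List, Tuple

Image = List[List[float]]


def local_variance(img: Image, radius: int = 1) -> Image:
    """Per-pixel variance over a (2*radius+1)^2 window; borders are clamped."""
    h, w = len(img), len(img[0])
    out = [[0.0] * w for _ in range(h)]
    for i in range(h):
        for j in range(w):
            vals = []
            for di in range(-radius, radius + 1):
                for dj in range(-radius, radius + 1):
                    ii = min(max(i + di, 0), h - 1)
                    jj = min(max(j + dj, 0), w - 1)
                    vals.append(img[ii][jj])
            mean = sum(vals) / len(vals)
            out[i][j] = sum((v - mean) ** 2 for v in vals) / len(vals)
    return out


def nvf_mask(img: Image, radius: int = 1, d: float = 75.0) -> Tuple[Image, Image]:
    """Return (nvf, mask). NVF is 1 where noise is fully visible (flat areas)
    and near 0 where texture hides it; mask = 1 - NVF expresses how much
    distortion each pixel can absorb before it becomes perceptible."""
    var = local_variance(img, radius)
    var_max = max(v for row in var for v in row)
    # An entirely flat image has var_max == 0: noise is visible everywhere, NVF = 1.
    theta = d / var_max if var_max > 0 else 0.0
    nvf = [[1.0 / (1.0 + theta * v) for v in row] for row in var]
    mask = [[1.0 - n for n in row] for row in nvf]
    return nvf, mask


def constructed_image() -> Image:
    """Constructed 8x8 test input: left half flat gray (128),
    right half a 0/255 checkerboard (strong local texture)."""
    img = []
    for i in range(8):
        row = []
        for j in range(8):
            if j < 4:
                row.append(128.0)
            else:
                row.append(255.0 if (i + j) % 2 == 0 else 0.0)
        img.append(row)
    return img


def region_mean(m: Image, rows: range, cols: range) -> float:
    """Mean of a matrix over a rectangular region (used to compare the two halves)."""
    vals = [m[i][j] for i in rows for j in cols]
    return sum(vals) / len(vals)


if __name__ == "__main__":
    nvf, mask = nvf_mask(constructed_image())
    flat = region_mean(mask, range(8), range(0, 3))      # well inside the flat half
    textured = region_mean(mask, range(8), range(5, 8))  # well inside the textured half
    print(f"mean mask, flat region:     {flat:.3f}")      # 0.000: nothing can be hidden here
    print(f"mean mask, textured region: {textured:.3f}")  # ~0.987: texture masks distortion
```

Columns 3 and 4 straddle the boundary and receive intermediate mask values, which is the behaviour one wants from a region-adaptive budget: the transition follows local content rather than a hard block grid.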

CLC number: TP309.7