Computer Science (计算机科学), 2023, Vol. 50, Issue 11A: 230100036-6. doi: 10.11896/jsjkx.230100036
李炎达, 范纯龙, 滕一平, 于铠博
LI Yanda, FAN Chunlong, TENG Yiping, YU Kaibo
Abstract: In adversarial attacks on neural networks, a universal attack against a black-box model must produce a single perturbation that causes most samples to be misclassified, and how to generate such a perturbation is an open problem. Existing black-box universal-perturbation generators attack weakly, and the perturbations they produce are easily noticed by the human eye. To address this, taking typical convolutional neural networks as the object of study, this paper proposes a batch zeroth-order gradient sign algorithm based on substitute models. The algorithm initializes the universal perturbation by white-box attacking a set of substitute models, then queries the target model under black-box conditions to update the universal perturbation stably and efficiently. Experiments on the CIFAR-10 and SVHN datasets show that, compared with the baseline algorithms, the proposed algorithm's attack capability is significantly improved, with the performance of the generated universal perturbation improving by nearly a factor of three.
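The abstract describes the two phases of the method only at a high level. The following added example (not the paper's code, and not its exact algorithm, which the abstract does not specify) shows the same structure in miniature: exact-gradient sign descent on a set of substitute models to initialize a universal perturbation under an L_inf budget, followed by batch zeroth-order sign updates that query the target only for its logit. Everything concrete here is an assumption: the models are toy one-hidden-layer tanh networks on 4-dimensional inputs, the substitutes are weight-jittered copies of the target standing in for trained substitutes, the labels are the target's own predictions on constructed random points, and the hinge-style attack loss, step sizes, batch size, number of random directions and query budget are chosen for illustration.

```python
# Added illustration, not the paper's code: toy one-hidden-layer tanh models on 4-d inputs, a target
# reached only through its logit, weight-jittered copies of the target as substitutes; all values assumed.
import math
import random

DIM, HIDDEN, EPS = 4, 6, 0.4           # input size, hidden units, L_inf budget

class TinyMLP:
    """s(x) = v . tanh(W x + c) + b; predicted class = sign(s)."""
    def __init__(self, W, c, v, b):
        self.W, self.c, self.v, self.b = W, c, v, b
    def hidden(self, x):
        return [math.tanh(sum(w * xi for w, xi in zip(row, x)) + cj)
                for row, cj in zip(self.W, self.c)]
    def logit(self, x):
        return sum(vj * hj for vj, hj in zip(self.v, self.hidden(x))) + self.b
    def grad_x(self, x):
        """White-box input gradient ds/dx = W^T (v * (1 - h^2))."""
        h = self.hidden(x)
        back = [vj * (1.0 - hj * hj) for vj, hj in zip(self.v, h)]
        return [sum(self.W[j][k] * back[j] for j in range(len(h))) for k in range(DIM)]

def random_mlp(rng):
    u = lambda s, n: [rng.uniform(-s, s) for _ in range(n)]
    return TinyMLP([u(1, DIM) for _ in range(HIDDEN)], u(0.5, HIDDEN), u(1, HIDDEN), u(0.2, 1)[0])

def jittered_copy(model, rng, noise=0.3):   # substitute: same architecture, noisy weights
    return TinyMLP([[w + rng.gauss(0, noise) for w in row] for row in model.W], list(model.c),
                   [vj + rng.gauss(0, noise) for vj in model.v], model.b)

def add(x, d, scale=1.0):                   # x + scale * d
    return [xi + scale * di for xi, di in zip(x, d)]

def clip(delta, eps):                       # projection onto the L_inf ball of radius eps
    return [max(-eps, min(eps, di)) for di in delta]

def sign(g):
    return [1.0 if gi > 0 else -1.0 if gi < 0 else 0.0 for gi in g]

def fooling_rate(score_fn, xs, ys, delta):
    return sum(1 for x, y in zip(xs, ys) if y * score_fn(add(x, delta)) < 0) / len(xs)

def attack_loss(score_fn, xs, ys, delta):   # hinge on the still-correct margin: fooled samples drop out
    return sum(max(0.0, y * score_fn(add(x, delta))) for x, y in zip(xs, ys)) / len(xs)

def whitebox_init(substitutes, xs, ys, eps, steps=20, alpha=0.05):
    """Phase 1: sign-gradient descent on the summed substitute hinge loss, exact gradients."""
    delta = [0.0] * DIM
    for _ in range(steps):
        g = [0.0] * DIM
        for m in substitutes:
            for x, y in zip(xs, ys):
                xp = add(x, delta)
                if y * m.logit(xp) > 0:        # d max(0, y*s)/d delta = y * ds/dx while active
                    g = add(g, m.grad_x(xp), y)
        delta = clip(add(delta, sign(g), -alpha), eps)
    return delta

def zo_gradient(f, delta, n_dirs, mu, rng):
    """Two-point random-direction estimate of grad f(delta): n_dirs + 1 evaluations of f."""
    base, g = f(delta), [0.0] * len(delta)
    for _ in range(n_dirs):
        u = [rng.gauss(0.0, 1.0) for _ in delta]
        g = add(g, u, (f(add(delta, u, mu)) - base) / mu / n_dirs)
    return g

def blackbox_refine(query, xs, ys, delta, eps, rng, steps=30, batch=16, n_dirs=20, alpha=0.02, mu=0.01):
    """Phase 2: batch zeroth-order sign updates that see only the target's logit."""
    for _ in range(steps):
        idx = rng.sample(range(len(xs)), batch)
        bx, by = [xs[i] for i in idx], [ys[i] for i in idx]
        g = zo_gradient(lambda d: attack_loss(query, bx, by, d), delta, n_dirs, mu, rng)
        delta = clip(add(delta, sign(g), -alpha), eps)
    return delta

def run_attack(seed=7, n_points=64, n_subs=3):
    """Constructed scenario: labels are the target's own predictions, so clean fooling is 0."""
    rng = random.Random(seed)
    target = random_mlp(rng)
    subs = [jittered_copy(target, rng) for _ in range(n_subs)]
    xs = [[rng.uniform(-1, 1) for _ in range(DIM)] for _ in range(n_points)]
    ys = [1.0 if target.logit(x) > 0 else -1.0 for x in xs]
    calls = [0]
    def query(x):                           # the only access the black-box phase gets; counted
        calls[0] += 1
        return target.logit(x)
    delta0 = whitebox_init(subs, xs, ys, EPS)
    delta = blackbox_refine(query, xs, ys, delta0, EPS, rng)
    rate = lambda d: fooling_rate(target.logit, xs, ys, d)
    return {"delta": delta, "queries": calls[0], "fooling_clean": rate([0.0] * DIM),
            "fooling_init": rate(delta0), "fooling_final": rate(delta)}

def estimator_cosine(seed=1, n_dirs=400, mu=1e-3):
    """Sanity check of zo_gradient on f(d) = ||d - C||^2, whose exact gradient at 0 is -2C."""
    C = [0.5, -0.5, 0.25, -0.25]
    f = lambda d: sum((di - ci) ** 2 for di, ci in zip(d, C))
    true, est = [-2 * ci for ci in C], zo_gradient(f, [0.0] * DIM, n_dirs, mu, random.Random(seed))
    return sum(a * b for a, b in zip(true, est)) / math.sqrt(sum(a * a for a in true) * sum(b * b for b in est))
```

`run_attack()` returns the perturbation, the number of target queries spent by the black-box phase (here 30 steps x 16 samples x 21 loss evaluations), and the fooling rate on clean inputs, after the substitute-based initialization, and after the zeroth-order refinement, so the two phases can be compared on the same query budget. The hinge loss stops pushing samples that are already fooled, which keeps the sign step from wasting budget on them; `estimator_cosine()` checks the gradient estimator on its own against a function with a known gradient before trusting it on the target. Imperceptibility is controlled here only by the L_inf budget `EPS`; the abstract's claim about visibility concerns real images and is not reproduced by this toy.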