Computer Science ›› 2026, Vol. 53 ›› Issue (5): 426-434. doi: 10.11896/jsjkx.250600185

• Information Security •

Momentum Method with Monotonical Coordinate-wise Step-sizes for Adversarial Attacks

CHEN Jun¹, TAO Wei²,³, BAO Lei¹, TAO Qing¹,⁴

  1 Army Arms University of PLA, Hefei 230031, China
  2 Key Laboratory of Big Data and Decision-making, National University of Defense Technology (NUDT), Changsha 410073, China
  3 Academy of Military Science, Beijing 100091, China
  4 Hefei University of Technology, Hefei 238076, China
  • Received: 2025-06-26 Revised: 2025-09-22 Online: 2026-05-08
  • Corresponding author: TAO Qing (taoqing@gmail.com)
  • About author: CHEN Jun (chenjun342423@sina.com), born in 1989, postgraduate. His main research interests include machine learning and mathematical optimization.
    TAO Qing, born in 1965, Ph.D., professor, doctoral supervisor, is a senior member of CCF (No. 09081S). His main research interests include machine learning, pattern recognition and applied mathematics.
  • Supported by:
    National Natural Science Foundation of China (60903098, 62576351) and China Postdoctoral Science Foundation (General Program) (2024M764294).

Abstract: The generation of adversarial samples can be reduced to an optimization problem that maximizes the model's objective function. Current strategies for solving this problem rely primarily on sign-gradient or sign-momentum methods. However, these approaches sacrifice critical gradient and momentum direction information, which often leads to convergence issues and, in turn, to unstable adversarial attacks. Inspired by the convergence analysis of AMSGrad, this paper proposes a momentum method with monotonical coordinate-wise step-size (MCS-MI) based on MI-FGSM, which enforces monotonically decreasing coordinate-wise step-sizes. For general convex cases, MCS-MI is proved to attain an optimal convergence rate of O(1/T), where T is the number of iterations. Furthermore, the strategy of enforcing monotonic coordinate-wise step-sizes is a general and efficient technique that can be integrated with existing momentum-based attack algorithms. Experimental comparisons with eight state-of-the-art adversarial attack methods on benchmark datasets demonstrate that the proposed approach not only exhibits superior stability but also significantly improves attack success rates, achieving maximum increases of 12.3% on CNN models and 5.9% on ViTs (Vision Transformers), respectively.

Key words: Machine learning, Adversarial attacks, Momentum, Sign-gradient, Convergence

CLC Number: TP391