Computer Science (计算机科学) ›› 2023, Vol. 50 ›› Issue (4): 88-95. doi: 10.11896/jsjkx.211100164

• Computer Graphics & Multimedia •

Adversarial Examples Generation Method Based on Image Color Random Transformation

BAI Zhixu, WANG Hengjun, GUO Kexiang

  1. Strategic Support Force Information Engineering University, Zhengzhou 450001, China
  • Received: 2021-11-15 Revised: 2022-06-15 Online: 2023-04-15 Published: 2023-04-06
  • Corresponding author: WANG Hengjun (b347072272@163.com)
  • Author contact: 347072272@qq.com
  • About author: BAI Zhixu, born in 1992, postgraduate. His main research interests include artificial intelligence and adversarial examples.
    WANG Hengjun, born in 1973, Ph.D, associate professor. His main research interests include intelligent information processing, natural language processing and machine learning.

Abstract: Although deep neural networks (DNNs) perform well on most classification tasks, they are highly vulnerable to adversarial examples, which calls the security of DNNs into question. Research into generating strongly adversarial examples can help improve the security and robustness of DNNs. Among adversarial example generation methods, black-box attacks are more practical than white-box attacks, which depend on the model's structure and parameters. Black-box attacks are generally based on iterative methods, and the adversarial examples they generate transfer poorly, so their black-box success rate is generally low. To address this problem, this paper introduces a data augmentation technique into the adversarial example generation process: randomly changing the color of the original image within a limited range effectively improves the transferability of the adversarial examples and thus the success rate of black-box attacks. Adversarial attack experiments with the proposed method on the ImageNet dataset against normally trained and adversarially trained networks show that the method effectively improves the transferability of the generated adversarial examples.

Key words: Deep neural network, Adversarial example, White-box attack, Black-box attack, Transferability

CLC number: TP393.08
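The abstract only states that the image color is changed randomly "within a limited range". As an added illustration (not the paper's code; the paper's actual transform and parameters are not given on this page), the following assumes a per-channel affine color change with bounded gain and shift, and includes the check a practitioner would want when using such a transform as input diversity or robustness-evaluation augmentation: that the change really stays within the stated bound and inside the valid pixel range.

```python
import random


def random_color_transform(image, max_gain=0.1, max_shift=0.05, rng=None):
    """Randomly change the color of an RGB image within a limited range.

    image: list of rows, each a list of (r, g, b) tuples with values in [0, 1].
    Assumed parameterisation: every channel c becomes clip(g_c * c + s_c, 0, 1),
    with one gain g_c in [1 - max_gain, 1 + max_gain] and one shift s_c in
    [-max_shift, max_shift] drawn per channel for the whole image, so only the
    color balance changes, never the spatial structure.
    """
    rng = rng or random.Random()
    gains = [rng.uniform(1 - max_gain, 1 + max_gain) for _ in range(3)]
    shifts = [rng.uniform(-max_shift, max_shift) for _ in range(3)]
    return [[tuple(min(1.0, max(0.0, g * c + s)) for c, g, s in zip(px, gains, shifts))
             for px in row] for row in image]


def max_color_deviation(image, transformed):
    """Largest absolute per-channel change (L-infinity distance between images)."""
    return max(abs(a - b) for r1, r2 in zip(image, transformed)
               for p1, p2 in zip(r1, r2) for a, b in zip(p1, p2))


def deviation_bound(max_gain, max_shift):
    """Worst case for a pixel value in [0, 1]: |(g - 1) * c + s| <= max_gain + max_shift.
    Clipping to [0, 1] can only shrink the change, so the bound still holds."""
    return max_gain + max_shift


def sample_image(width=4, height=3):
    """Constructed sample input: a smooth red/green gradient, not real data."""
    return [[(x / (width - 1), y / (height - 1), 0.5) for x in range(width)]
            for y in range(height)]


def check_bounded(seed=7, max_gain=0.1, max_shift=0.05):
    """Apply one random transform and report (measured deviation, bound, in-range flag)."""
    img = sample_image()
    out = random_color_transform(img, max_gain, max_shift, random.Random(seed))
    dev = max_color_deviation(img, out)
    in_range = all(0.0 <= c <= 1.0 for row in out for px in row for c in px)
    return dev, deviation_bound(max_gain, max_shift), in_range


if __name__ == "__main__":
    dev, bound, ok = check_bounded()
    print(f"max deviation {dev:.4f} <= bound {bound:.4f}, pixels in range: {ok}")
```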