Computer Science, 2025, Vol. 52, Issue (6): 381-389. doi: 10.11896/jsjkx.240300083

• Information Security •

Balancing Transferability and Imperceptibility for Adversarial Attacks

KANG Kai, WANG Jiabao, XU Kun

  1. College of Command and Control Engineering, Army Engineering University of PLA, Nanjing 210007
  • Received: 2024-03-12 Revised: 2024-07-08 Online: 2025-06-15 Published: 2025-06-11
  • Corresponding author: WANG Jiabao (jiabao_1108@163.com)
  • About author: (13913835075@139.com)
  • Supported by:
    Natural Science Foundation of Jiangsu Province (BK20200581)

Balancing Transferability and Imperceptibility for Adversarial Attacks

KANG Kai, WANG Jiabao, XU Kun   

  1. College of Command and Control Engineering, Army Engineering University of PLA, Nanjing 210007, China
  • Received: 2024-03-12 Revised: 2024-07-08 Online: 2025-06-15 Published: 2025-06-11
  • About author: KANG Kai, born in 1986, Ph.D. candidate. His main research interests include adversarial attack and so on.
    WANG Jiabao, born in 1985, Ph.D., associate professor. His main research interests include computer vision and machine learning.
  • Supported by:
    Natural Science Foundation of Jiangsu Province, China (BK20200581).

Abstract: Because data-driven deep learning models cannot cover every possible sample, they face attacks from carefully crafted adversarial examples. Existing mainstream Lp-norm perturbation attacks that operate on RGB pixel values achieve high attack success rates and good transferability, but the adversarial examples they generate contain high-frequency noise that the human eye perceives easily. Attack methods based on diffusion models take both transferability and imperceptibility into account, but their optimization strategies are developed mainly from the perspective of the adversarial model and lack an in-depth discussion and analysis of transferability and imperceptibility from the perspective of the surrogate model. To further explore and analyze the sources that control transferability and imperceptibility, this paper takes the surrogate-model-based attack method as its framework and proposes a new adversarial example generation method based on a latent diffusion model. Under the constraint of a basic adversarial loss, the method designs a transferable attention constraint loss and an imperceptible consistency constraint loss, and thereby balances transferability against imperceptibility. On three public datasets, ImageNet-Compatible, CUB-200-2011 and Stanford Cars, the adversarial examples generated by the proposed method show stronger cross-model transfer attack capability than existing methods while their perturbations remain hard for the human eye to notice.

Key words: adversarial attack, diffusion model, transferability, imperceptibility, attention mechanism

Abstract: Data-driven deep learning models face the problem of well-designed adversarial attacks due to their inability to cover all possible sample data. The existing main Lp-norm perturbation attack methods based on RGB pixel space have achieved great attack success rates and transferability, but the generated adversarial samples have high-frequency noise that is easily perceived by the human eye. The attack methods based on diffusion models balance transferability and imperceptibility, but their optimization strategies mainly focus on the perspective of adversarial models. These studies lack deep exploration and analysis of transferability and imperceptibility from the perspective of the surrogate model. In order to further explore and analyze the control sources of transferability and imperceptibility, a new adversarial sample generation method based on a latent diffusion model is proposed within the framework of an attack method based on a surrogate model. In this method, under the constraint of a basic adversarial loss, a transferable attention constraint loss and an imperceptible consistency constraint loss are designed to achieve a balance between transferability and imperceptibility. On three publicly available datasets, ImageNet-Compatible, CUB-200-2011 and Stanford Cars, compared with existing methods, the proposed method generates adversarial samples with strong cross-model transferable attack ability and perturbations that are imperceptible to the human eye.

Key words: Adversarial attacks, Diffusion model, Transferability, Imperceptibility, Attention mechanism

CLC number: TP391