Computer Science, 2023, Vol. 50, Issue (11A): 230100036-6. doi: 10.11896/jsjkx.230100036

• Information Security •

Batch Zeroth Order Gradient Symbol Method Based on Substitution Model

LI Yanda, FAN Chunlong, TENG Yiping, YU Kaibo   

  1. School of Computer Science, Shenyang Aerospace University, Shenyang 110136, China
  • Published: 2023-11-09
  • About author: LI Yanda, born in 1999, postgraduate. His main research interests include neural network counterattack and reinforcement learning.
    FAN Chunlong, born in 1973, Ph.D, professor, postgraduate supervisor. His main research interests include interpretability of neural networks, complex network analysis and intelligent system verification.
  • Supported by:
    National Natural Science Foundation of China (61902260) and Scientific Research Project of Education Department of Liaoning Province (JYT2020026).

Abstract: In the field of adversarial attacks on neural networks, generating a universal perturbation that causes output errors for most samples is an urgent open problem for universal attacks on black-box models. However, existing black-box universal perturbation generation methods have poor attack effects, and the perturbations they generate are easily detected by the naked eye. To solve this problem, this paper takes typical convolutional neural networks as the research object and proposes a batch zeroth order gradient symbol method based on a substitution model. The method initializes the universal perturbation with white-box attacks on a set of alternative models, then achieves stable and efficient updating of the universal perturbation by querying the target model under the black-box condition. Experimental results on two image retrieval datasets (CIFAR-10 and SVHN) show that the attack capability of this method is significantly improved, and the performance of generating universal perturbation is increased by 3 times.

Key words: Convolutional neural network, Universal perturbation, Adversarial attack, Black-box attack, Substitution model

CLC Number: TP391