基于模型间迁移性的黑盒对抗攻击起点提升方法

doi:10.19678/j.issn.1000-3428.0059105

计算机工程 ›› 2021, Vol. 47 ›› Issue (8): 162-169. doi: 10.19678/j.issn.1000-3428.0059105

基于模型间迁移性的黑盒对抗攻击起点提升方法

陈晓楠¹, 胡建敏¹, 张本俊², 陈爱玲³

1. 国防大学联合勤务学院, 北京 100089;
2. 南京航空航天大学电子信息工程学院, 南京 211100;
3. 山东省烟台市实验中学, 山东烟台 265500

收稿日期:2020-07-30 修回日期:2020-09-16 发布日期:2020-09-16
作者简介:陈晓楠(1991-),男,硕士研究生,主研方向为联合勤务管理、智能后勤;胡建敏,教授、博士生导师;张本俊,硕士研究生;陈爱玲,学士。
基金资助:
全军军事类研究生重点资助课题（JY2019B041，JY2020B037）；全军军事理论重点课题（20GDJ2651B）。

Black Box Adversarial Attack Starting Point Promotion Method Based on Mobility Between Models

CHEN Xiaonan¹, HU Jianmin¹, ZHANG Benjun², CHEN Ailing³

1. Joint Logistics College, National Defense University, Beijing 100089, China;
2. College of Electronic Information Engineering, Nanjing University of Aeronautics and Astronautics, Nanjing 211100, China;
3. Yantai Experimental Middle School of Shandong Province, Yantai, Shandong 265500, China

Received:2020-07-30 Revised:2020-09-16 Published:2020-09-16

摘要/Abstract

摘要： 为高效地寻找基于决策的黑盒攻击下的对抗样本，提出一种利用模型之间的迁移性提升对抗起点的方法。通过模型之间的迁移性来循环叠加干扰图像，生成初始样本作为新的攻击起点进行边界攻击，实现基于决策的无目标黑盒对抗攻击和有目标黑盒对抗攻击。实验结果表明，无目标攻击节省了23%的查询次数，有目标攻击节省了17%的查询次数，且整个黑盒攻击算法所需时间低于原边界攻击算法所耗费的时间。

关键词: 黑盒攻击, 对抗样本, 迁移性, 初始样本, 边界攻击, 无目标攻击, 有目标攻击

Abstract: In order to efficiently find the adversarial samples under the decision-based black box attacks, a method using the mobility between models is proposed to enhance the adversarial starting point. The mobility is used to circularly superimpose interference images, and samples are generated as a new starting point for boundary attacks. Thus the decision making-based non-target adversarial black box attacks and targeted adversarial black box attacks are realized. Experimental results show that the query times required for the non-target attacks is reduced by 23%, and that required for the targeted attacks is reduced by 17%. Moreover, the whole black box attack algorithm takes less time than the original boundary attack algorithm.

Key words: black box attack, adversarial sample, mobility, initial sample, boundary attack, non-target attack, targeted attack

中图分类号:

TP183

陈晓楠, 胡建敏, 张本俊, 陈爱玲. 基于模型间迁移性的黑盒对抗攻击起点提升方法[J]. 计算机工程, 2021, 47(8): 162-169.

CHEN Xiaonan, HU Jianmin, ZHANG Benjun, CHEN Ailing. Black Box Adversarial Attack Starting Point Promotion Method Based on Mobility Between Models[J]. Computer Engineering, 2021, 47(8): 162-169.

http://www.ecice06.com/CN/Y2021/V47/I8/162

图/表 8

20210819200321

20210819200327

20210819200331

20210819200337

20210819200344

20210819200349

20210819200356

20210819200403

参考文献

[1] BOJARSKI M, DEL TESTA D, DWORAKOWSKI D, et al. End to end learning for self-driving cars[EB/OL]. [2020-06-20]. https://arxiv.org/abs/1604.07316.
[2] PARKHI O M, SIMONYAN K, VEDALDI A, et al. A compact and discriminative face track descriptor[C]//Proceedings of IEEE Conference on Computer Vision and Pattern Recognition.Columbus, USA:IEEE Computer Society, 2014:1693-1700.
[3] DONG Y P, SU H, WU B Y, et al. Efficient decision-based black-box adversarial attacks on face recognition[EB/OL]. [2020-06-20]. https://arxiv.org/abs/1904.04433.
[4] SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks[EB/OL]. [2019-06-20]. https://arxiv.org//abs/1312.6199.
[5] GOODFELLOW I J, SHLENS J, SZEGEDY C.Explaining and Harnessin adversarial examples[EB/OL]. [2020-06-20]. https://arxiv.org/abs/1412.6572.
[6] CHENG M H, SINGH S, CHEN P, et al. Sign-OPT:a query-efficient hard-label adversarial attack[EB/OL]. [2020-06-20]. https://arxiv.org//abs/1909.10773.
[7] CHEN J B, JORDAN M I.Boundary attack++:query-efficient decision-based adversarial attack[EB/OL]. [2020-06-20]. https://arxiv.org/abs/1904.02144.
[8] DONG Y, LIAO F, PANG T, et al. Boosting adversarial attacks with momentum[C]//Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition.Long Beach, USA:IEEE Press, 2018:9185-9193.
[9] SARKAR S, BANSAL A, MAHBUB U, et al. UPSET and ANGRI:breaking high performance image classifiers[EB/OL]. [2020-06-20]. https://arxiv.org/abs/1707.01159.
[10] AKHTAR N, MIAN A.Threat of adversarial attacks on deep learning in computer vision:a survey[J]. IEEE Access, 2018, 6:14410-14430.
[11] 张嘉楠, 王逸翔, 刘博, 等. 深度学习的对抗攻击方法综述[J]. 网络空间安全, 2019, 10(7): 87-96. ZHANG J N, WANG Y X, LIU B, et al. Survey of adversarial attacks of deep learning[J]. Information Security and Technology, 2019, 10(7): 87-96.(in Chinese)
[12] BRENDEL W, RAUBER J.Decision-based adversarial attacks:reliable attacks against black-box machine learning models[EB/OL]. [2020-06-20]. https://arxiv.org//abs/1712.04248.
[13] LIU Y, MOOSAVI-DEZFOOLI S M, FROSSARD P.A geometry-inspired decision-based attack[C]//Proceedings of 2019 IEEE/CVF International Conference on Computer Vision.Seoul, South Korea:IEEE Press, 2019:4889-4897.
[14] PAPERNOT N, MCDANIEL P, GOODFELLOW I, et al. Practical black-box attacks against machine learning[EB/OL]. [2020-06-20]. https://arxiv.org/abs/1602.02697.
[15] TRAMÈR F, PAPERNOT N, GOODFELLOW I, et al. The space of transferable adversarial examples[EB/OL]. [2020-06-20]. https://arxiv.org//abs/1704.03453.
[16] KURAKIN A, GOODFELLOW I, BENGIO S.Adversarial examples in the physical world[EB/OL]. [2020-06-20]. https://arxiv.org//abs/1607.02533.
[17] XIE C, ZHANG Z, ZHOU Y, et al. Improving transferability of adversarial examples with input diversity[C]//Proceedings of IEEE Conference on Computer Vision and Pattern Recognition.Long Beach, USA:IEEE Press, 2019:2730-2739.
[18] KURAKIN A, GOODFELLOW I, BENGIO S.Adversarial machine learning at scale[EB/OL]. [2020-06-20]. https://arxiv.org//abs/1611.01236.
[19] ZHENG T, CHEN C, REN K.Distributionally adversarial attack[C]//Proceedings of AAAI Conference on Artificial Intelligence.Palo Alto, USA:AAAI Press, 2019:2253-2260.
[20] MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks[EB/OL]. [2020-06-20]. https://arxiv.org/abs/1706.06083.

选择文件类型/文献管理软件名称

选择包含的内容

基于模型间迁移性的黑盒对抗攻击起点提升方法

Black Box Adversarial Attack Starting Point Promotion Method Based on Mobility Between Models

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 8

参考文献

相关文章 11

编辑推荐

Metrics

本文评价

[1]	杨燕燕, 谢明轩, 曹江峡, 王学宾, 柳厅文, 杜彦辉. 基于原型网络的中文分类模型对抗样本生成[J]. 计算机工程, 2023, 49(8): 54-62.
[2]	白祉旭, 王衡军. 基于改进遗传算法的对抗样本生成方法[J]. 计算机工程, 2023, 49(5): 139-149.
[3]	王春东, 孙嘉琪, 杨文军. 基于矫正理解的中文文本对抗样本生成方法[J]. 计算机工程, 2023, 49(2): 37-45.
[4]	郑德生, 陈继鑫, 周静, 柯武平, 陆超, 周永, 仇钎. 基于输入通道拆分的对抗攻击迁移性增强算法[J]. 计算机工程, 2023, 49(1): 130-137.
[5]	杨文雪, 吴非, 郭桐, 肖利民. 基于噪声溶解的对抗样本防御方法[J]. 计算机工程, 2022, 48(4): 158-164.
[6]	李哲铭, 张恒巍, 马军强, 王晋东, 杨博. 基于平移随机变换的对抗样本生成方法[J]. 计算机工程, 2022, 48(11): 152-160,183.
[7]	廖俊帆, 顾益军, 张培晶, 廖茜. 端到端说话人辨认的对抗样本应用比较研究[J]. 计算机工程, 2021, 47(6): 132-141.
[8]	赖妍菱, 石峻峰, 陈继鑫, 白汉利, 唐晓澜, 邓碧颖, 郑德生. 基于U-Net的对抗样本防御模型[J]. 计算机工程, 2021, 47(12): 163-170.
[9]	王晓鹏, 罗威, 秦克, 杨锦涛, 王敏. 一种针对快速梯度下降对抗攻击的防御方法[J]. 计算机工程, 2021, 47(11): 121-128.
[10]	黄静琪, 贾西平, 陈道鑫, 柏柯嘉, 廖秀秀. 基于双对抗机制的图像攻击算法[J]. 计算机工程, 2021, 47(11): 150-157.
[11]	姜妍, 张立国. 面向深度学习模型的对抗攻击与防御方法综述[J]. 计算机工程, 2021, 47(1): 1-11.

模态框（Modal）标题

选择文件类型/文献管理软件名称

选择包含的内容

基于模型间迁移性的黑盒对抗攻击起点提升方法

Black Box Adversarial Attack Starting Point Promotion Method Based on Mobility Between Models

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 8

参考文献

相关文章 11

编辑推荐

Metrics

本文评价