基于双对抗机制的图像攻击方法研究

doi:10.19678/j.issn.1000-3428.0059405

摘要/Abstract

摘要： 图像攻击是指通过对图像添加小幅扰动而使深度神经网络失效。现有图像攻击算法大多较为脆弱，只需对攻击样本做少量预处理就可能使其失去攻击能力。本文针对现有图像攻击方法在 VAE 防御下攻击性能不稳定的问题，在现有的 AdvGAN 算法基础上，提出一种基于对抗机制的 AntiVAEGAN 模型以获取对 VAE 防御的稳定攻击效果。针对 AntiVAEGAN 在防御模型防御能力提升时攻击性能不稳定的问题，进一步提出通过生成器与鉴别器、生成器与 VAE 的双对抗机制得到一种新的图像攻击模型 VAEAdvGAN。对 MNIST 数据集和 GTSRB 数据集的实验结果表明，在无防御的情况下，AntiVAEGAN 和 VAEAdvGAN 几乎能达到和 AdvGAN 一样的分类准确率和攻击成功率；在 VAE 防御下，VAEAdvGAN 效果比 AdvGAN 更好，也在大部分情况下优于 AntiVAEGAN。

Abstract: Image attack refers to adding a small degree of disturbance to the input images, which can cause the deep neural network to misclassify the image. Recent researches have shown that most image attack algorithms are relatively fragile. A very small change of the image causing by the attack disturbance can make the image lose its attack capability. Aiming at this problem, this paper proposes an image attack model, AntiVAEGAN, which has anti-VAE defense characteristics and is able to make the attack more robust. On the basis of AntiVAEGAN, the paper also proposes a VAEAdvGAN model which dynamically updates both VAEAdvGAN and VAE defense model. The attack model is based on attack sample generation network and VAE defense network countermeasure training method. Experiment results on MNIST dataset and GTSRB dataset show that AntiVAEGAN and VAEAdvGAN can achieve almost the same classification accuracy and attack success rate as AdvGAN without defense. In the case of VAE defense, VAEAdvGAN is better than AdvGAN, and in most cases is better than AntiVAEGAN.

黄静琪, 贾西平, 陈道鑫, 柏柯嘉, 廖秀秀. 基于双对抗机制的图像攻击方法研究[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0059405.

HUANG Jing-Qi , JIA Xi-Ping , CHEN Dao-Xin , BAI Ke-Jia , LIAO Xiu-Xiu. Research on an Image Attack Method Based on Bi-Adversary[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0059405.

参考文献

[1] Akhtar N, Mian A. Threat of adversarial attacks on deep learning in computer vision: A survey [J]. IEEE Access, 2018, 6: 14410-14430.
[2] 何英哲, 胡兴波, 何锦雯, 孟国柱, 陈恺. 机器学习系统的隐私和安全问题综述 [J]. 计算机研究与发展, 2019, 56(10): 2049-2070. He Yingzhe, Hu Xingbo, He Jinwen, Meng Guozhu, Chen kai. Privacy and Security Issues in Machine Learning Systems: A Survey [J]. Journal of Computer Research and Development, 2019, 56(10): 2049-2070.
[3] Goodfellow I J, Shlens J, Szegedy C. Explaining and harnessing adversarial examples [J]. arXiv preprint arXiv:1412.6572, 2014.
[4] Su Jiawei, Vargas D V, Sakurai K. One pixel attack for fooling deep neural networks [J]. IEEE Transactions on Evolutionary Computation, 2019, 23(5): 828-841.
[5] Moosavi-Dezfooli S M, Fawzi A, Fawzi O, et al. Universal adversarial perturbations [C] // Proceedings of the IEEE conference on computer vision and pattern recognition, 2017: 1765-1773.
[6] Szegedy C, Zaremba W, Sutskever I, et al. Intriguing properties of neural networks [J]. arXiv preprint arXiv:1312.6199, 2013.
[7] Xiao Chaowei, Li Bo, Zhu Junyan， He Warren, Liu Mingyan, Song Dawn. Generating adversarial examples with adversarial networks [J]. arXiv preprint arXiv:1801.02610, 2018.
[8] Xu han, Ma Yao, Liu Haochen, et al. Adversarial attacks and defenses in images, graphs and text: A review [J]. International Journal of Automation and Computing, 2020, 17(2): 151-178.
[9] Dziugaite G K, Ghahramani Z, Roy D M. A study of the effect of jpg compression on adversarial images [J]. arXivpreprint arXiv:1608.00853, 2016.
[10] Luo Yan, Boix X, Roig G, et al. Foveation-based mechanisms alleviate adversarial examples [J]. arXiv preprint arXiv:1511.06292, 2015.
[11] Ross A S, Doshi-Velez F. Improving the adversarial robustness and interpretability of deep neural networks by regularizing their input gradients [J]. arXiv preprint arXiv:1711.09404, 2017.
[12] Li Xiang, Ji Shihao. Defense-vae: A fast and accurate defense against adversarial attacks [C] // Proceedings of the Joint European Conference on Machine Learning and Knowledge Discovery in Databases. Springer, Cham, 2019: 191-207.
[13] Dubey A, Maaten L, Yalniz Z, et al. Defense against adversarial images using web-scale nearest-neighbor search[C] // Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2019: 8767-8776.
[14] Liu Changrui, Ye Dengpan, Shang Yueyun, et al. Defend Against Adversarial Samples by Using Perceptual Hash [J]. CMC-Computers, Materials & Continua, 2020, 62(3), 1365–1386.
[15] Sun Bo, Tsai N, Liu Fangchen, et al. Adversarial defense by stratified convolutional sparse coding [C] // Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2019: 11447-11456.
[16] 吴立人，刘政浩，张浩，岑悦亮，周维 [J]. 计算机应用, 2020, 40(5):1348-1353 Wu Liren, Liu Zhenghao, Zhang Hao, Cen Yueliang, Zhou Wei [J]. Journal of Computer Applications, 2020, 40(5):1348-1353
[17] Dong Yinpeng, Liao Fangzhou, Pang Tianyu, Su hang, Zhu Jun, Hu Xiaolin, Li Jianguo. Boosting Adversarial Attacks With Momentum [C] // Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2018: 9185-9193.
[18] Yan Xiaodan, Cui Baojiang, Xu Yang, et al. A method of information protection for collaborative deep learning under gan model attack [J]. IEEE/ACM Transactions on Computational Biology and Bioinformatics, 2019:1-12.
[19] Deng Li. The mnist database of handwritten digit images for machine learning research [J]. IEEE Signal Processing Magazine, 2012, 29(6): 141-142.
[20] Stallkamp J, Schlipsing M, Salmen J, et al. The German traffic sign recognition benchmark: a multi-class classification competition [C] // Proceedings of the IEEE International joint conference on neural networks, 2011: 1453-1460.
[21] Simonyan K, Zisserman A. Very deep convolutional networks for large-scale image recognition [J]. arXiv preprint arXiv:1409.1556, 2014.