基于双对抗机制的图像攻击算法

doi:10.19678/j.issn.1000-3428.0059405

计算机工程 ›› 2021, Vol. 47 ›› Issue (11): 150-157. doi: 10.19678/j.issn.1000-3428.0059405

基于双对抗机制的图像攻击算法

黄静琪, 贾西平, 陈道鑫, 柏柯嘉, 廖秀秀

广东技术师范大学计算机科学学院, 广州 510665

收稿日期:2020-09-01 修回日期:2020-11-26 发布日期:2020-12-09
作者简介:黄静琪(1996-),女,硕士研究生,主研方向为模式识别、智能系统;贾西平,副教授、博士;陈道鑫,学士;柏柯嘉(通信作者),副教授、博士;廖秀秀,讲师、博士。
基金资助:
国家自然科学基金（61872096）；广东省普通高校重点科研项目（2019KZDXM063）；广东省教育厅青年创新人才项目（2016KQNCX092）。

Image Attack Algorithm Based on Bi-Adversary Mechanism

HUANG Jingqi, JIA Xiping, CHEN Daoxin, BAI Kejia, LIAO Xiuxiu

School of Computer Science, Guangdong Polytechnic Normal University, Guangzhou 510665, China

Received:2020-09-01 Revised:2020-11-26 Published:2020-12-09

摘要/Abstract

摘要： 图像攻击是指通过对图像添加小幅扰动使深度神经网络产生误分类。针对现有图像攻击算法在变分自编码器（VAE）防御下攻击性能不稳定的问题，在AdvGAN算法的基础上，提出基于对抗机制的AntiVAEGAN算法获取对VAE防御的稳定攻击效果。为应对AntiVAEGAN算法防御能力提升时攻击性能不稳定的问题，结合生成器与鉴别器、生成器与VAE的双对抗机制提出改进的图像攻击算法VAEAdvGAN。在MNIST和GTSRB数据集上的实验结果表明，在无防御的情况下，AntiVAEGAN和VAEAdvGAN算法几乎能达到与AdvGAN算法相同的图像分类准确率和攻击成功率，而在VAE防御的情况下，VAEAdvGAN相比AdvGAN和AntiVAEGAN算法整体攻击效果更优。

关键词: 生成对抗网络, 图像攻击, 对抗样本, 变分自编码器防御, 防御模型

Abstract: Image attack can disable a deep neural network in image classification by adding a small amount of interference to the input image.However,most of the existing image attack algorithms are relatively fragile against Variational Auto-Encoder(VAE) defense.Based on the AdvGAN algorithm,an algorithm named AntiVAEGAN is proposed,which employs the adversary mechanism to penetrate VAE defenses persistent,but AntiVAEGAN suffers from a loss of attack performance when improving the defense performance.To address the problem,this paper proposes an improved image attack algorithm,VAEAdvGAN,by combining both the generator-discriminator defense mechanism and the generator-VAE defense mechanism.Experimental results on the MNIST dataset and GTSRB dataset show that without defense,AntiVAEGAN and VAEAdvGAN can achieve almost the same classification accuracy and attack success rate as AdvGAN.In the case of VAE defense,VAEAdvGAN exhibits better overall attack effect than AdvGAN and AntiVAEGAN.

Key words: Generative Adversarial Network(GAN), image attack, adversarial sample, Variational Auto-Encoder(VAE) defense, defense model

中图分类号:

TP391

黄静琪, 贾西平, 陈道鑫, 柏柯嘉, 廖秀秀. 基于双对抗机制的图像攻击算法[J]. 计算机工程, 2021, 47(11): 150-157.

HUANG Jingqi, JIA Xiping, CHEN Daoxin, BAI Kejia, LIAO Xiuxiu. Image Attack Algorithm Based on Bi-Adversary Mechanism[J]. Computer Engineering, 2021, 47(11): 150-157.

https://www.ecice06.com/CN/Y2021/V47/I11/150

图/表 12

20211113144317

20211113144320

20211113144323

20211113144326

20211113144329

20211113144332

20211113144334

20211113144337

20211113144340

20211113144343

20211113144346

20211113144349

参考文献

[1] BENGIO Y,COURVILLE A,VINCENT P.Representation learning:a review and new perspectives[J].IEEE Transactions on Pattern Analysis and Machine Intelligence,2013,35(8):1798-1828.
[2] AKHTAR N,MIAN A.Threat of adversarial attacks on deep learning in computer vision:a survey[J].IEEE Access,2018,6:14410-14430.
[3] 何英哲,胡兴波,何锦雯,等.机器学习系统的隐私和安全问题综述[J].计算机研究与发展,2019,56(10):2049-2070. HE Y Z,HU X B,HE J W,et al.Privacy and security issues in machine learning systems:a survey[J].Journal of Computer Research and Development,2019,56(10):2049-2070.(in Chinese)
[4] GOODFELLOW I J,SHLENS J,SZEGEDY C.Explaining and harnessing adversarial examples[EB/OL].[2020-08-05].https://arxiv.org/abs/1412.6572.
[5] SU J W,VARGAS D V,SAKURAI K.One pixel attack for fooling deep neural networks[J].IEEE Transactions on Evolutionary Computation,2019,23(5):828-841.
[6] MOOSAVI-DEZFOOLI S M,FAWZI A,FAWZI O,et al.Universal adversarial perturbations[C]//Proceedings of 2017 IEEE Conference on Computer Vision and Pattern Recognition.Washington D.C.,USA:IEEE Press,2017:86-94.
[7] SZEGEDY C,ZAREMBA W,SUTSKEVER I,et al.Intriguing properties of neural networks[EB/OL].[2020-08-05].https://arxiv.org/abs/1312.6199.
[8] XIAO C W,LI B,ZHU J Y,et al.Generating adversarial examples with adversarial networks[EB/OL].[2020-08-05].https://www.researchgate.net/publication/322328780_Generating_adversarial_examples_with_adversarial_networks.
[9] XU H,MA Y,LIU H C,et al.Adversarial attacks and defenses in images,graphs and text:a review[J].International Journal of Automation and Computing,2020,17(2):151-178.
[10] DZIUGAITE G K,GHAHRAMANI Z,ROY D M.A study of the effect of JPG compression on adversarial images[EB/OL].[2020-08-05].https://arxiv.org/abs/1608.00853.
[11] LUO Y,BOIX X,ROIG G,et al.Foveation-based mechanisms alleviate adversarial examples[EB/OL].[2020-08-05].https://arxiv.org/abs/1511.06292v1.
[12] ROSS A S,DOSHI-VELEZ F.Improving the adversarial robustness and interpretability of deep neural networks by regularizing their input gradients[EB/OL].[2020-08-05].https://arxiv.org/abs/1711.09404v1.
[13] LI X,JI S H.Defense-VAE:A fast and accurate defense against adversarial attacks[C]//Proceedings of 2019 Joint European Conference on Machine Learning and Knowledge Discovery in Databases.Berlin,Germany:Springer,2019:191-207.
[14] DUBEY A,VAN DER MAATEN L,YALNIZ Z,et al.Defense against adversarial images using Web-scale nearest-neighbor search[C]//Proceedings of 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition.Washington D.C.,USA:IEEE Press,2019:8767-8776.
[15] LIU C R,YE D P,SHANG Y Y,et al.Defend against adversarial samples by using perceptual hash[J].Computers,Materials & Continua,2020,62(3):1365-1386.
[16] SUN B,TSAI N H,LIU F C,et al.Adversarial defense by stratified convolutional sparse coding[C]//Proceedings of 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition.Washington D.C.,USA:IEEE Press,2019:11439-11448.
[17] 吴立人,刘政浩,张浩,等.聚焦图像对抗攻击算法PS-MIFGSM[J].计算机应用,2020,40(5):1348-1353 WU L R,LIU Z H,ZHANG H,et al.PS-MIFGSM:focus image adversarial attack algorithm[J].Journal of Computer Applications,2020,40(5):1348-1353.(in Chinese)
[18] DONG Y P,LIAO F Z,PANG T,et al.Boosting adversarial attacks with momentum[C]//Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition.Washington D.C.,USA:IEEE Press,2018:9185-9193.
[19] YAN X D,CUI B J,XU Y,et al.A method of information protection for collaborative deep learning under GAN model attack[J].IEEE/ACM Transactions on Computational Biology and Bioinformatics,2021,18(3):871-881.
[20] DENG L.The MNIST database of handwritten digit images for machine learning research[J].IEEE Signal Processing Magazine,2012,29(6):141-142.
[21] STALLKAMP J,SCHLIPSING M,SALMEN J,et al.The German traffic sign recognition benchmark:a multi-class classification competition[C]//Proceedings of 2011 International Joint Conference on Neural Networks.Washington D.C.,USA:IEEE Press,2011:1453-1460.
[22] SIMONYAN K,ZISSERMAN A.Very deep convolutional networks for large-scale image recognition[EB/OL].[2020-08-05].https://arxiv.org/abs/1409.1556v4.

选择文件类型/文献管理软件名称

选择包含的内容

基于双对抗机制的图像攻击算法

Image Attack Algorithm Based on Bi-Adversary Mechanism

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 12

参考文献

相关文章 15

编辑推荐

Metrics

本文评价

[1]	王夙喆, 张雪英, 陈晓玉, 李凤莲, 吴泽林. 基于有效注意力和GAN结合的脑卒中EEG增强算法[J]. 计算机工程, 2024, 50(8): 336-344.
[2]	胡庆. 多尺度融合与双输出U-Net网络的行人重识别[J]. 计算机工程, 2024, 50(6): 102-109.
[3]	张慧妍, 梁勇, 兰景宏, 赵强. 基于记忆模块与过滤式生成对抗网络的入侵检测方法[J]. 计算机工程, 2024, 50(6): 197-207.
[4]	李田芳, 普园媛, 赵征鹏, 徐丹, 钱文华. 基于CLIP和双空间自适应归一化的图像翻译[J]. 计算机工程, 2024, 50(5): 229-240.
[5]	刘帅威, 李智, 王国美, 张丽. 基于Transformer和GAN的对抗样本生成算法[J]. 计算机工程, 2024, 50(2): 180-187.
[6]	何银银, 胡静, 陈志泊, 张荣国. 融合门控变换机制和GAN的低光照图像增强方法[J]. 计算机工程, 2024, 50(2): 247-255.
[7]	李倩, 向海昀, 张玉婷, 甘昀, 廖浩德. 结合高斯滤波与MASK的G-MASK人脸对抗攻击[J]. 计算机工程, 2024, 50(2): 308-316.
[8]	张美美, 秦品乐, 柴锐, 曾建潮, 翟双姣, 闫俊义, 冯二燕. 面向急性缺血性脑卒中的CT生成MRI算法[J]. 计算机工程, 2024, 50(2): 317-326.
[9]	戴磊, 曹林, 郭亚男, 张帆, 杜康宁. 基于生成对抗网络的深度伪造跨模型防御方法[J]. 计算机工程, 2024, 50(10): 100-109.
[10]	张学军, 席阿友, 加小红, 张斌, 李梅, 杜晓刚, 黄海燕. 基于深度学习的指纹室内定位对抗样本攻击研究[J]. 计算机工程, 2024, 50(10): 228-239.
[11]	罗偲, 李凯扬, 吴吉花, 任鹏. 基于对抗注意力机制的水下遮挡目标检测算法[J]. 计算机工程, 2024, 50(10): 313-321.
[12]	张玉婷, 向海昀, 李倩, 廖浩德. 基于稳定Adam和空间域变换的对抗样本生成算法[J]. 计算机工程, 2024, 50(1): 251-258.
[13]	李哲铭, 王晋东, 侯建中, 李伟, 张世华, 张恒巍. 基于显著区域优化的对抗样本攻击方法[J]. 计算机工程, 2023, 49(9): 246-255, 264.
[14]	杨燕燕, 谢明轩, 曹江峡, 王学宾, 柳厅文, 杜彦辉. 基于原型网络的中文分类模型对抗样本生成[J]. 计算机工程, 2023, 49(8): 54-62.
[15]	沈梦强, 于文年, 易黎, 宋南. 基于GAN的全时间尺度语音增强方法[J]. 计算机工程, 2023, 49(6): 115-122,130.

模态框（Modal）标题

选择文件类型/文献管理软件名称

选择包含的内容

基于双对抗机制的图像攻击算法

Image Attack Algorithm Based on Bi-Adversary Mechanism

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 12

参考文献

相关文章 15

编辑推荐

Metrics

本文评价