
Computer Engineering ›› 2022, Vol. 48 ›› Issue (11): 152-160, 183. doi: 10.19678/j.issn.1000-3428.0063075

• Cyberspace Security •

  • About the authors: LI Zheming (born 1994), male, master's student, research interest: adversarial attack techniques; ZHANG Hengwei (corresponding author), associate professor, Ph.D.; MA Junqiang, associate professor, master's degree; WANG Jindong, professor; YANG Bo, master's student.
  • Funding:
    National Key Research and Development Program of China, "Key Technologies for High-Security-Level Mobile Terminals" (2017YFB0801900).

Adversarial Examples Generation Method Based on Random Translation Transformation

LI Zheming1,2, ZHANG Hengwei1, MA Junqiang1, WANG Jindong1, YANG Bo1   

  1. School of Cryptographic Engineering, PLA Strategic Support Force Information Engineering University, Zhengzhou 450001, China;
    2. Staff Department, PLA Army, Beijing 100000, China
  • Received:2021-10-28 Revised:2021-12-28 Published:2021-12-31



Abstract: Image classification models based on Deep Neural Network(DNN) can recognize images with accuracy matching or even exceeding that of the human eye. However, owing to the fragility of the model structure, such models are vulnerable to attacks by adversarial examples. Existing methods for generating adversarial examples achieve high white-box attack success rates, but their attack success rates under the black-box condition remain low. This study introduces data augmentation into the generation process of adversarial examples and proposes TT-MI-FGSM, a method for generating adversarial examples based on random translation transformation. A probability model is built to apply random translation transformation to the original image, and the transformed image is used to generate adversarial examples, which effectively alleviates over-fitting during generation. On this basis, an ensemble-model attack is adopted to generate more transferable adversarial examples and thereby improve the black-box attack success rate. Experiments with single-model and ensemble-model attacks on the ImageNet dataset show that the black-box attack success rate of the proposed method reaches 80.1%. Compared with the Iterative Fast Gradient Sign Method(I-FGSM) and the Momentum Iterative Fast Gradient Sign Method(MI-FGSM), the white-box attack success rate of the proposed method is slightly lower but remains above 97.8%.
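The pipeline the abstract describes (with some probability, randomly translate the current image, then apply a momentum iterative FGSM update to the gradient taken on the translated copy) can be sketched roughly as follows. This is a minimal illustration, not the paper's implementation: the function names, the toy `grad_fn`, and the parameter defaults (`p`, `max_shift`, decay factor `mu`) are assumptions, and a real attack would use the loss gradient of an actual DNN classifier.

```python
import numpy as np

def random_translate(x, p=0.5, max_shift=3, rng=None):
    """With probability p, shift the 2-D image by a random offset of up to
    max_shift pixels along each axis (zero-padded); otherwise return it as-is."""
    rng = rng or np.random.default_rng()
    if rng.random() >= p:
        return x
    dy, dx = rng.integers(-max_shift, max_shift + 1, size=2)
    out = np.zeros_like(x)
    h, w = x.shape
    out[max(dy, 0):h + min(dy, 0), max(dx, 0):w + min(dx, 0)] = \
        x[max(-dy, 0):h + min(-dy, 0), max(-dx, 0):w + min(-dx, 0)]
    return out

def tt_mi_fgsm(x, grad_fn, eps=0.1, steps=10, mu=1.0, p=0.5, rng=None):
    """Momentum iterative FGSM where each step's gradient is evaluated on a
    randomly translated copy of the current adversarial image."""
    alpha = eps / steps          # per-step size so the total budget is eps
    g = np.zeros_like(x)         # accumulated (momentum) gradient
    x_adv = x.copy()
    for _ in range(steps):
        grad = grad_fn(random_translate(x_adv, p=p, rng=rng))
        # L1-normalized gradient accumulation, as in MI-FGSM
        g = mu * g + grad / (np.abs(grad).sum() + 1e-12)
        # signed step, projected back into the eps-ball around x
        x_adv = np.clip(x_adv + alpha * np.sign(g), x - eps, x + eps)
    return x_adv
```

For the ensemble-model attack mentioned above, `grad_fn` would average the loss gradients of several classifiers; attacking that fused objective is what makes the resulting examples more transferable to unseen black-box models.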

Key words: Deep Neural Network(DNN), adversarial examples, black-box attack, random translation transformation, transferability
