基于输入通道拆分的对抗攻击迁移性增强算法

doi:10.19678/j.issn.1000-3428.0064362

计算机工程 ›› 2023, Vol. 49 ›› Issue (1): 130-137. doi: 10.19678/j.issn.1000-3428.0064362

基于输入通道拆分的对抗攻击迁移性增强算法

郑德生¹, 陈继鑫¹, 周静¹, 柯武平¹, 陆超², 周永¹, 仇钎^2,3

1. 西南石油大学计算机科学学院, 成都 610500;
2. 中国航发四川燃气涡轮研究院航空发动机高空模拟技术重点实验室, 四川绵阳 621000;
3. 西北工业大学动力与能源学院, 西安 710072

收稿日期:2022-04-01 修回日期:2022-06-20 发布日期:2023-01-06
作者简介:郑德生(1983-),男,副研究员、博士,主研方向为网络空间安全、人工智能;陈继鑫(通信作者)、周静、柯武平,硕士研究生;陆超,副研究员;周永,副教授;仇钎,副研究员。
基金资助:
四川省科技计划重点研发项目“基于量子生成对抗网络的复杂图像处理关键技术研究”（2022YFG0315）；四川省科技计划重点研发项目“面向航空发动机多源试验数据智能编目与推理融合的研究与应用”（2022YFG0174）；中国航空发动机集团有限公司四川燃气涡轮研究院稳定支持项目（GJCZ-2019-59）；成都市重点示范项目“基于B2T的智能物流云平台的建设及应用示范项目”（2019-YF09-00044-CG）。

Adversarial Attack Transferability Enhancement Algorithm Based on Input Channel Splitting

ZHENG Desheng¹, CHEN Jixin¹, ZHOU Jing¹, KE Wuping¹, LU Chao², ZHOU Yong¹, QIU Qian^2,3

1. School of Computer Science, Southwest Petroleum University, Chengdu 610500, China;
2. Key Laboratory on Aero-Engine Altitude Simulation Technology, Sichuan Gas Turbine Establishment, AECC, Mianyang, Sichuan 621000, China;
3. School of Power and Energy, Northwestern Polytechnical University, Xi'an 710072, China

Received:2022-04-01 Revised:2022-06-20 Published:2023-01-06

摘要/Abstract

摘要： 深度神经网络已被应用于人脸识别、自动驾驶等场景中，但容易受到对抗样本的攻击。对抗样本的生成方法被分为白盒攻击和黑盒攻击，当对抗攻击算法攻击白盒模型时存在过拟合问题，导致生成对抗样本的迁移性降低。提出一种用于生成高迁移性对抗样本的对抗攻击算法CSA。在每次迭代过程中，通过对输入RGB图片的通道进行拆分，得到三张具有一个通道的输入图片，并对其进行零值填充，获得三张具有三个通道的输入图片。将最终得到的图片与原始RGB输入图片共同传入到模型中进行梯度计算，调整原始梯度的更新方向，避免出现局部最优。在此基础上，通过符号法生成对抗样本。在ImageNet数据集上的实验验证该算法的有效性，结果表明，CSA算法能够有效提高对抗攻击的迁移性，在四种常规训练模型上的攻击成功率平均为84.2%，与DIM、TIM结合所得DI-TI-CSA算法在三种对抗训练黑盒模型上的攻击成功率平均为94.7%，对七种防御模型的攻击成功率平均为91.8%。

关键词: 对抗攻击, 迁移性增强, 对抗样本, 白盒模型, ImageNet数据集

Abstract: The Deep Neural Network(DNN) has been widely used in face recognition, automatic driving, and other scenarios;however, it is vulnerable to attacks by adversarial samples.Methods by which adversarial samples are generated can be classified into white-box and black-box attacks.When the adversarial attack algorithm attacks the white-box model, overfitting occurs, which reduces the transferability of the generated adversarial samples.Herein, an adversarial attack algorithm CSA is proposed to generate high transferability adversarial samples.During the iteration of each attack, three input pictures with one channel are obtained by splitting the channels of the input RGB pictures, and zero filling is performed to obtain three input pictures with three channels.The final image and the original RGB input image are transferred to the model for gradient calculation, and the update direction of the original gradient is adjusted to avoid local optimization.Subsequently, adversarial samples are generated symbolically.An experiment performed on the ImageNet dataset verifies the effectiveness of the proposed algorithm.In particular, the results show that the proposed algorithm can effectively improve the transferability of adversarial attacks.The average attack success rate on four conventional training models is 84.2%, whereas the DI-TI-CSA algorithm based on the combination of CSA, DIM and TIM is 94.7% on three adversarial training black-box models and 91.8% on seven defense models.

Key words: adversarial attack, transferability enhancement, adversarial sample, white-box model, ImageNet dataset

中图分类号:

TP391

郑德生, 陈继鑫, 周静, 柯武平, 陆超, 周永, 仇钎. 基于输入通道拆分的对抗攻击迁移性增强算法[J]. 计算机工程, 2023, 49(1): 130-137.

ZHENG Desheng, CHEN Jixin, ZHOU Jing, KE Wuping, LU Chao, ZHOU Yong, QIU Qian. Adversarial Attack Transferability Enhancement Algorithm Based on Input Channel Splitting[J]. Computer Engineering, 2023, 49(1): 130-137.

http://www.ecice06.com/CN/Y2023/V49/I1/130

图/表 13

20230701175636

20230701175639

20230701175642

20230701175646

20230701175649

20230701175652

20230701175656

20230701175700

20230701175703

20230701175707

20230701175710

20230701175713

20230701175717

参考文献

[1] ZHONG Y Y, DENG W H.Towards transferable adversarial attack against deep face recognition[J].IEEE Transactions on Information Forensics and Security, 2021, 16:1452-1466.
[2] WANG L, CHO W, YOON K J.Deceiving image-to-image translation networks for autonomous driving with adversarial perturbations[J].IEEE Robotics and Automation Letters, 2020, 5(2):1421-1428.
[3] 柴梦婷, 朱远平.生成式对抗网络研究与应用进展[J]. 计算机工程, 2019, 45(9):222-234. CHAI M T, ZHU Y P.Research and application progress of generative adversarial networks[J].Computer Engineering, 2019, 45(9):222-234.(in Chinese)
[4] 陈晓楠, 胡建敏, 张本俊, 等.基于模型间迁移性的黑盒对抗攻击起点提升方法[J].计算机工程, 2021, 47(8):162-169. CHEN X N, HU J M, ZHANG B J, et al.Black box adversarial attack starting point promotion method based on mobility between models[J].Computer Engineering, 2021, 47(8):162-169.(in Chinese)
[5] 黄立峰, 庄文梓, 廖泳贤, 等.一种基于进化策略和注意力机制的黑盒对抗攻击算法[J].软件学报, 2021, 32(11):3512-3529. HUANG L F, ZHUANG W Z, LIAO Y X, et al.Black-box adversarial attack method based on evolution strategy and attention mechanism[J].Journal of Software, 2021, 32(11):3512-3529.(in Chinese)
[6] MAO X F, CHEN Y F, WANG S H, et al.Composite adversarial attacks[J].Proceedings of the AAAI Conference on Artificial Intelligence, 2021, 35(10):8884-8892.
[7] ZHENG H Z, ZHANG Z Q, GU J C, et al.Efficient adversarial training with transferable adversarial examples[C]//Proceedings of Conference on Computer Vision and Pattern Recognition.Washington D.C., USA:IEEE Press, 2020:1178-1187.
[8] ZHOU W, HOU X, CHEN Y J, et al.Transferable adversarial perturbations[C]//Proceedings of European Conference on Computer Vision.Berlin, Germany:Springer, 2018:452-467.
[9] MOOSAVI-DEZFOOLI S M, FAWZI A, FROSSARD P.DeepFool:a simple and accurate method to fool deep neural networks[C]//Proceedings of Conference on Computer Vision and Pattern Recognition.Washington D.C., USA:IEEE Press, 2016:2574-2582.
[10] CHEN P Y, ZHANG H, SHARMA Y, et al.ZOO:zeroth order optimization based black-box attacks to deep neural networks without training substitute models[C]//Proceedings of the 10th Workshop on Artificial Intelligence and Security.New York, USA:ACM Press, 2017:15-26.
[11] BRENDEL W, RAUBER J, BETHGE M.Decision-based adversarial attacks:reliable attacks against black-box machine learning models[EB/OL].[2022-02-25].https://arxiv.org/pdf/1712.04248.pdf.
[12] GOODFELLOW I J, SHLENS J, SZEGEDY C.Explaining and harnessing adversarial examples[EB/OL].[2022-02-25].https://arxiv.org/pdf/1412.6572.pdf.
[13] KURAKIN A, GOODFELLOW I J, BENGIO S.Adversarial examples in the physical world[EB/OL].[2022-02-25].https://arxiv.org/pdf/1607.02533.pdf.
[14] DONG Y P, LIAO F Z, PANG T Y, et al.Boosting adversarial attacks with momentum[C]//Proceedings of Conference on Computer Vision and Pattern Recognition.Washington D.C., USA:IEEE Press, 2018:9185-9193.
[15] XIE C H, ZHANG Z S, ZHOU Y Y, et al.Improving transferability of adversarial examples with input diversity[C]//Proceedings of Conference on Computer Vision and Pattern Recognition.Washington D.C., USA:IEEE Press, 2019:2725-2734.
[16] DONG Y P, PANG T Y, SU H, et al.Evading defenses to transferable adversarial examples by translation-invariant attacks[C]//Proceedings of Conference on Computer Vision and Pattern Recognition.Washington D.C., USA:IEEE Press, 2019:4307-4316.
[17] LIN J D, SONG C B, HE K, et al.Nesterov accelerated gradient and scale invariance for adversarial attacks[EB/OL].[2022-02-25].https://arxiv.org/abs/1908.06281.
[18] MADRY A, MAKELOV A, SCHMIDT L, et al.Towards deep learning models resistant to adversarial attacks[EB/OL].[2022-02-25].https://arxiv.org/pdf/1706.06083.pdf.
[19] TRAMÈR F, KURAKIN A, PAPERNOT N, et al. Ensemble adversarial training:attacks and defenses[EB/OL].[2022-02-25].https://arxiv.org/pdf/1705.07204.pdf.
[20] COHEN J, ROSENFELD E, KOLTER Z J.Certified adversarial robustness via randomized smoothing[EB/OL].[2022-02-25].https://arxiv.org/pdf/1902.02918.pdf.
[21] CIHANG X, ZHANG Z S, YUILLE A L, et al.Mitigating adversarial effects through randomization[EB/OL].[2022-02-25].https://arxiv.org/pdf/1711.01991.pdf.
[22] GUO C, RANA M, CISSÉ M, et al.Countering adversarial images using input transformations[EB/OL].[2022-02-25].https://arxiv.org/pdf/1711.00117.pdf.
[23] LIAO F Z, LIANG M, DONG Y P, et al.Defense against adversarial attacks using high-level representation guided denoiser[C]//Proceedings of Conference on Computer Vision and Pattern Recognition.Washington D.C., USA:IEEE Press, 2018:1778-1787.
[24] GU S C, YI P, ZHU T, et al.Detecting adversarial examples in deep neural networks using normalizing filters[C]//Proceedings of the 11th International Conference on Agents and Artificial Intelligence.Prague, Czech Republic:Science and Technology Publications, 2019:164-173.
[25] JIA X J, WEI X X, CAO X C, et al.ComDefend:an efficient image compression model to defend adversarial examples[C]//Proceedings of Conference on Computer Vision and Pattern Recognition.Washington D.C., USA:IEEE Press, 2019:6077-6085.
[26] 赖妍菱, 石峻峰, 陈继鑫, 等.基于U-Net的对抗样本防御模型[J].计算机工程, 2021, 47(12):163-170. LAI Y L, SHI J F, CHEN J X, et al.Adversarial example defense model based on U-Net[J].Computer Engineering, 2021, 47(12):163-170.(in Chinese)
[27] HU J, SHEN L, SUN G.Squeeze-and-excitation networks[C]//Proceedings of Conference on Computer Vision and Pattern Recognition.Washington D.C., USA:IEEE Press, 2018:7132-7141.
[28] NASEER M, KHAN S, HAYAT M, et al.A self-supervised approach for adversarial robustness[C]//Proceedings of Conference on Computer Vision and Pattern Recognition.Washington D.C., USA:IEEE Press, 2020:259-268.
[29] LIU Y P, CHEN X Y, LIU C, et al.Delving into transferable adversarial examples and black-box attacks[EB/OL].[2022-02-25].https://arxiv.org/pdf/1611.02770.pdf.
[30] RUSSAKOVSKY O, DENG J, SU H, et al.ImageNet large scale visual recognition challenge[J].International Journal of Computer Vision, 2015, 115(3):211-252.
[31] SZEGEDY C, VANHOUCKE V, IOFFE S, et al.Rethinking the inception architecture for computer vision[C]//Proceedings of Conference on Computer Vision and Pattern Recognition.Washington D.C., USA:IEEE Press, 2016:2818-2826.
[32] SZEGEDY C, IOFFE S, VANHOUCKE V, et al.Inception-v4, inception-ResNet and the impact of residual connections on learning[J].Proceedings of the AAAI Conference on Artificial Intelligence, 2017, 31(1):4278-4284.
[33] HE K M, ZHANG X Y, REN S Q, et al.Deep residual learning for image recognition[C]//Proceedings of Conference on Computer Vision and Pattern Recognition.Washington D.C., USA:IEEE Press, 2016:770-778.

选择文件类型/文献管理软件名称

选择包含的内容

基于输入通道拆分的对抗攻击迁移性增强算法

Adversarial Attack Transferability Enhancement Algorithm Based on Input Channel Splitting

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 13

参考文献

相关文章 11

编辑推荐

Metrics

本文评价

[1]	杨燕燕, 谢明轩, 曹江峡, 王学宾, 柳厅文, 杜彦辉. 基于原型网络的中文分类模型对抗样本生成[J]. 计算机工程, 2023, 49(8): 54-62.
[2]	白祉旭, 王衡军. 基于改进遗传算法的对抗样本生成方法[J]. 计算机工程, 2023, 49(5): 139-149.
[3]	王春东, 孙嘉琪, 杨文军. 基于矫正理解的中文文本对抗样本生成方法[J]. 计算机工程, 2023, 49(2): 37-45.
[4]	杨文雪, 吴非, 郭桐, 肖利民. 基于噪声溶解的对抗样本防御方法[J]. 计算机工程, 2022, 48(4): 158-164.
[5]	李哲铭, 张恒巍, 马军强, 王晋东, 杨博. 基于平移随机变换的对抗样本生成方法[J]. 计算机工程, 2022, 48(11): 152-160,183.
[6]	陈晓楠, 胡建敏, 张本俊, 陈爱玲. 基于模型间迁移性的黑盒对抗攻击起点提升方法[J]. 计算机工程, 2021, 47(8): 162-169.
[7]	廖俊帆, 顾益军, 张培晶, 廖茜. 端到端说话人辨认的对抗样本应用比较研究[J]. 计算机工程, 2021, 47(6): 132-141.
[8]	赖妍菱, 石峻峰, 陈继鑫, 白汉利, 唐晓澜, 邓碧颖, 郑德生. 基于U-Net的对抗样本防御模型[J]. 计算机工程, 2021, 47(12): 163-170.
[9]	黄静琪, 贾西平, 陈道鑫, 柏柯嘉, 廖秀秀. 基于双对抗机制的图像攻击算法[J]. 计算机工程, 2021, 47(11): 150-157.
[10]	王晓鹏, 罗威, 秦克, 杨锦涛, 王敏. 一种针对快速梯度下降对抗攻击的防御方法[J]. 计算机工程, 2021, 47(11): 121-128.
[11]	姜妍, 张立国. 面向深度学习模型的对抗攻击与防御方法综述[J]. 计算机工程, 2021, 47(1): 1-11.

模态框（Modal）标题

选择文件类型/文献管理软件名称

选择包含的内容

基于输入通道拆分的对抗攻击迁移性增强算法

Adversarial Attack Transferability Enhancement Algorithm Based on Input Channel Splitting

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 13

参考文献

相关文章 11

编辑推荐

Metrics

本文评价