基于改进遗传算法的对抗样本生成方法

doi:10.19678/j.issn.1000-3428.0065260

摘要/Abstract

摘要： 对抗样本是评估模型安全性和鲁棒性的有效工具，对模型进行对抗训练能有效提升模型的安全性。现有对抗攻击按主流分类方法可分为白盒攻击和黑盒攻击两类，其中黑盒攻击方法普遍存在攻击效率低、隐蔽性差等问题。提出一种基于改进遗传算法的黑盒攻击方法，通过在对抗样本进化过程中引入类间激活热力图解释方法，并对原始图像进行区域像素划分，将扰动进化限制在图像关键区域，以提升所生成对抗样本的隐蔽性。在算法中使用自适应概率函数与精英保留策略，提高算法的攻击效率，通过样本初始化、选择、交叉、变异等操作，在仅掌握模型输出标签及其置信度的情况下实现黑盒攻击。实验结果表明，与同是基于遗传算法的POBA-GA黑盒攻击方法相比，该方法在相同攻击成功率下生成的对抗样本隐蔽性更好,且生成过程中模型访问次数更少，隐蔽性平均提升7.14%，模型访问次数平均降低6.43%。

关键词: 对抗样本, 遗传算法, 热力图, 白盒攻击, 黑盒攻击

Abstract: The adversarial example is an effective tool to evaluate the security and robustness of a model.Conducting antagonism training on the model can effectively improve the model's security.The mainstream classification methods divide the existing counterattacks into white-box attack and black-box attack.Black-box attack methods generally have problems of low attack efficiency and poor concealment.Thus，a black-box attack method based on an improved Genetic Algorithm（GA） is proposed.a Class Activation Mapping（CAM） interpretation method is introduced in the process of adversarial sample evolution.In addition，the original image is divided into regional pixels to restrict the perturbation evolution to essential regions of the image to improve the concealment of the generated adversarial examples.An adaptive probability function is introduced with an elite retention strategy to improve the algorithm's attack efficiency and achieve black-box attacks by sample initialization，selection，crossover，and mutation operations with only the model output labels and their confidence levels.The experimental results show that，compared with the POBA-GA black-box attack method that also uses a genetic algorithm，the adversarial examples generated by the improved genetic algorithm-based adversarial sample generation method have better steganography and fewer model visits for the same attack success rate.The average increase of 7.14% and the average decrease of 6.43% in the number of model visits validate the method's effectiveness.

Key words: adversarial example, Genetic Algorithm（GA）, heat map, white-box attack, black-box attack

中图分类号:

TP393

白祉旭, 王衡军. 基于改进遗传算法的对抗样本生成方法[J]. 计算机工程, 2023, 49(5): 139-149.

BAI Zhixu, WANG Hengjun. Adversarial Example Generation Method Based on Improved Genetic Algorithm[J]. Computer Engineering, 2023, 49(5): 139-149.

http://www.ecice06.com/CN/Y2023/V49/I5/139

图/表 11

20230515185731

20230515185734

20230515185738

20230515185742

20230515185747

20230515185752

20230515185755

20230515185758

20230515185802

20230515185805

20230515185808

参考文献

[1] SZEGEDY C,LIU W,JIA Y Q,et al.Going deeper with convolutions[C]//Proceedings of IEEE Conference on Computer Vision and Pattern Recognition.Washington D.C.,USA:IEEE Press,2015:1-9.
[2] KRIZHEVSKY A,SUTSKEVER I,HINTON G E.ImageNet classification with deep convolutional neural networks[J].Communications of the ACM,2017,60(6):84-90.
[3] REDMON J,FARHADI A.YOLOv3:an incremental improvement[EB/OL].[2022-07-22].https://arxiv.org/abs/1804.02767.
[4] SIMONYAN K,ZISSERMAN A.Very deep convolutional networks for large-scale image recognition[EB/OL].[2022-07-22].https://scholar.cnki.net/zn/Detail/index/GARJ2014/DBLP6D88B9E289B257B44613EA4BE1000161.
[5] SUTSKEVER I,VINYALS O,LE Q V.Sequence to sequence learning with neural networks[C]//Proceedings of the 27th International Conference on Neural Information Processing Systems.New York,USA:ACM Press,2014:3104-3112.
[6] XIONG W,DROPPO J,HUANG X,et al.Achieving human parity in conversational speech recognition[EB/OL].[2022-07-22].https://arxiv.org/abs/1610.05256.
[7] ZHANG Z X,GEIGER J,POHJALAINEN J,et al.Deep learning for environmentally robust speech recognition:an overview of recent developments[J].ACM Transactions on Intelligent Systems and Technology,2018,9(5):1-28.
[8] 马玉琨,毋立芳,简萌,等.一种面向人脸活体检测的对抗样本生成算法[J].软件学报,2019,30(2):469-480. MA Y K,WU L F,JIAN M,et al.Algorithm to generate adversarial examples for face-spoofing detection[J].Journal of Software,2019,30(2):469-480.(in Chinese)
[9] MADRY A,MAKELOV A,SCHMIDT L,et al.Towards deep learning models resistant to adversarial attacks[EB/OL].[2022-07-22].https://arxiv.org/abs/1706.06083.
[10] GUO C,RANA M,CISSE M,et al.Countering adversarial images using input transformations[EB/OL].[2022-07-22].https://arxiv.org/abs/1711.00117.
[11] SAMANGOUEI P,KABKAB M,CHELLAPPA R.Defense-GAN:protecting classifiers against adversarial attacks using generative models[EB/OL].[2022-07-22].https://arxiv.org/abs/1805.06605.
[12] SZEGEDY C,ZAREMBA W,SUTSKEVER I,et al.Intriguing properties of neural networks[EB/OL].[2022-07-22].https://arxiv.org/abs/1312.6199.
[13] GOODFELLOW I J,SHLENS J,SZEGEDY C.Explaining and harnessing adversarial examples[EB/OL].[2022-07-22].https://arxiv.org/abs/1412.6572.
[14] DONG Y P,LIAO F Z,PANG T Y,et al.Boosting adversarial attacks with momentum[C]//Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition.Washington D.C.,USA:IEEE Press,2018:9185-9193.
[15] CARLINI N,WAGNER D.Towards evaluating the robustness of neural networks[C]//Proceedings of IEEE Symposium on Security and Privacy.Washington D.C.,USA:IEEE Press,2017:39-57.
[16] BRENDEL W,RAUBER J,BETHGE M.Decision-based adversarial attacks:reliable attacks against black-box machine learning models[EB/OL].[2022-07-22].https://arxiv.org/abs/1712.04248.
[17] CHEN P Y,ZHANG H,SHARMA Y,et al.ZOO:zeroth order optimization based black-box attacks to deep neural networks without training substitute models[C]//Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security.New York,USA:ACM Press,2017:15-26.
[18] TU C C,TING P S,CHEN P Y,et al.AutoZOOM:autoencoder-based zeroth order optimization method for attacking black-box neural networks[J].Proceedings of the AAAI Conference on Artificial Intelligence,2019,33(1):742-749.
[19] DONG Y P,SU H,WU B Y,et al.Efficient decision-based black-box adversarial attacks on face recognition[C]//Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition.Washington D.C.,USA:IEEE Press,2020:7706-7714.
[20] XIE C H,ZHANG Z S,ZHOU Y Y,et al.Improving transferability of adversarial examples with input diversity[C]//Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition.Washington D.C.,USA:IEEE Press,2020:2725-2734.
[21] CHEN J Y,SU M M,SHEN S J,et al.POBA-GA:perturbation optimized black-box adversarial attacks via genetic algorithm[J].Computers & Security,2019,85:89-106.
[22] KOZA J R.Automatic discovery of reusable programs[M].Cambridge,USA:MIT Press,1994
[23] ZHOU B L,KHOSLA A,LAPEDRIZA A,et al.Learning deep features for discriminative localization[C]//Proceedings of IEEE Conference on Computer Vision and Pattern Recognition.Washington D.C.,USA:IEEE Press,2016:2921-2929.
[24] SELVARAJU R R,COGSWELL M,DAS A,et al.Grad-CAM:visual explanations from deep networks via gradient-based localization[C]//Proceedings of IEEE International Conference on Computer Vision.Washington D.C.,USA:IEEE Press,2017:618-626.
[25] SRINIVAS M,PATNAIK L M.Adaptive probabilities of crossover and mutation in genetic algorithms[J].IEEE Transactions on Systems,Man,and Cybernetics,1994,24(4):656-667.
[26] SIMONYAN K,ZISSERMAN A.Very deep convolutional networks for large-scale image recognition[EB/OL].[2022-07-22].https://arxiv.org/abs/1409.1556.
[27] HE K M,ZHANG X Y,REN S Q,et al.Deep residual learning for image recognition[C]//Proceedings of IEEE Conference on Computer Vision and Pattern Recognition.Washington D.C.,USA:IEEE Press,2016:770-778.
[28] SZEGEDY C,VANHOUCKE V,IOFFE S,et al.Rethinking the inception architecture for computer vision[C]//Proceedings of IEEE Conference on Computer Vision and Pattern Recognition.Washington D.C.,USA:IEEE Press,2016:2818-2826.

选择文件类型/文献管理软件名称

选择包含的内容