
Computer Engineering ›› 2023, Vol. 49 ›› Issue (9): 246-255, 264. doi: 10.19678/j.issn.1000-3428.0065814

• Graphics and Image Processing •

Adversarial Example Attack Method Based on Salient Region Optimization

Zheming LI1,2, Jindong WANG1, Jianzhong HOU2, Wei LI2, Shihua ZHANG2, Hengwei ZHANG1,*

  1. School of Cryptographic Engineering, Information Engineering University, Zhengzhou 450001, China
    2. PLA Army Staff Department, Beijing 100000, China
  • Received: 2022-09-21  Online: 2023-09-15  Published: 2023-09-14
  • Corresponding author: Hengwei ZHANG
  • About the authors:

    Zheming LI (b. 1994), male, M.S. candidate; his main research interest is deep learning

    Jindong WANG, professor, M.S.

    Jianzhong HOU, senior engineer

    Wei LI, B.S.

    Shihua ZHANG, M.S.

  • Funding:
    National Key Research and Development Program of China (2017YFB0801900)



Abstract:

Convolutional neural network-based image classification models are widely used in computer vision tasks. However, these models are susceptible to adversarial examples because of their inherent vulnerability. Most existing attack methods perturb the entire image, and the resulting global perturbation degrades the visual quality of the adversarial examples. To address this issue, this study proposes an adversarial example attack method based on salient region optimization. First, salient object detection is used to generate a saliency map for each original image, which is then binarized into a saliency mask. Combining this mask with the adversarial perturbation retains only the perturbation inside the salient region, so the perturbation is added locally. Furthermore, the Nadam optimization algorithm is introduced to stabilize the update direction of the loss function and dynamically adjust the learning rate, which accelerates convergence and effectively reduces the perceptibility of the adversarial perturbation while maintaining a high success rate in black-box attacks. Adversarial attack experiments are conducted on the ImageNet dataset under single-model and ensemble-model settings, and the image quality of the adversarial examples generated by each method is compared. The results show that, compared with the baseline methods, the proposed method improves the concealment metric by 27.2% in ensemble-model attacks and achieves a black-box attack success rate of up to 92.7%.

Key words: convolutional neural network, adversarial examples, black-box attack, local optimization, transferability
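To make the two mechanisms summarized in the abstract concrete, the sketch below shows, in PyTorch style, how a binarized saliency mask can confine an iterative gradient-sign perturbation to the salient region while a Nadam-style moment estimate stabilizes the update direction and adapts the step size. This is a minimal illustration under assumptions, not the authors' implementation: the classifier `model`, the saliency detector that produces `saliency_map`, and all hyper-parameter values (`eps`, `steps`, `mu1`, `mu2`, `delta`) are placeholders.

```python
# Minimal sketch (assumed, not the paper's released code):
# (1) a binarized saliency mask keeps the perturbation inside the salient region;
# (2) a Nadam-style moment update stabilizes the attack direction.
import torch
import torch.nn.functional as F


def binarize_saliency(saliency_map, threshold=0.5):
    """Turn a saliency map with values in [0, 1] into a 0/1 mask."""
    return (saliency_map >= threshold).float()


def salient_region_attack(model, x, y, saliency_map,
                          eps=16 / 255, steps=10,
                          mu1=0.9, mu2=0.999, delta=1e-8):
    """Iterative gradient-sign attack restricted to the salient region."""
    mask = binarize_saliency(saliency_map)   # 1 inside the salient region, 0 elsewhere
    alpha = eps / steps                      # per-step step size
    x_adv = x.clone().detach()
    m = torch.zeros_like(x)                  # first-moment (momentum) estimate
    v = torch.zeros_like(x)                  # second-moment estimate
    for t in range(1, steps + 1):
        x_adv.requires_grad_(True)
        loss = F.cross_entropy(model(x_adv), y)
        grad = torch.autograd.grad(loss, x_adv)[0]
        # L1-normalize the gradient over each image, as is common in transfer attacks
        grad = grad / grad.abs().mean(dim=(1, 2, 3), keepdim=True)
        # Nadam-style update: bias-corrected moments plus a Nesterov look-ahead term
        m = mu1 * m + (1 - mu1) * grad
        v = mu2 * v + (1 - mu2) * grad * grad
        m_hat = m / (1 - mu1 ** t)
        v_hat = v / (1 - mu2 ** t)
        nadam_dir = (mu1 * m_hat + (1 - mu1) * grad / (1 - mu1 ** t)) / (v_hat.sqrt() + delta)
        # keep the perturbation only inside the salient region via the binary mask
        x_adv = x_adv.detach() + alpha * mask * nadam_dir.sign()
        # project back into the eps-ball around x and the valid pixel range
        x_adv = torch.clamp(torch.min(torch.max(x_adv, x - eps), x + eps), 0.0, 1.0)
    return x_adv
```

The single multiplication by `mask` is what makes the perturbation local; the remaining steps follow the usual transfer-oriented iterative attack template, including the projection back into the eps-ball around the original image.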