
Computer Engineering, 2024, Vol. 50, Issue (2): 308-316. doi: 10.19678/j.issn.1000-3428.0066455

• Development Research and Engineering Application •

G-MASK Facial Adversarial Attack Combining Gaussian Filtering and MASK

Qian LI, Haiyun XIANG*, Yuting ZHANG, Yun GAN, Haode LIAO

  1. School of Computer Science, Southwest Petroleum University, Chengdu 610500, Sichuan, China
  • Received: 2022-12-07 Online: 2024-02-15 Published: 2023-04-18
  • Contact: Haiyun XIANG
  • Funding:
    Youth Science Fund of the National Natural Science Foundation of China (61503312)

Abstract:

The rapid development of deep neural networks has led to significant success in fields such as computer vision and natural language processing. However, adversarial attacks can degrade the performance of neural networks, posing a serious threat to the security and confidentiality of various systems. Existing black-box attack methods perform poorly in facial recognition, with a low attack success rate and low transferability of the generated adversarial samples. To address this, G-MASK, an adversarial attack method combining Gaussian filtering and a mask, is proposed. The heat map output by Grad-CAM is used to determine the mask region of the adversarial sample, and perturbation is applied only within the mask region, which improves the black-box attack success rate. A perturbation ensemble method is used to improve black-box transferability and enhance the robustness of the black-box attack. Gaussian smoothing is applied to the generated perturbations to reduce the differences in interference noise between the ensembled models, improving image quality and the concealment of the perturbation. Experimental results show that, for different facial recognition models, the G-MASK method significantly improves black-box attack effectiveness while maintaining a high white-box attack success rate, and that it offers better concealment. With model perturbation ensembling, the white-box attack success rate of the adversarial samples rises above 98.5% in all cases, and the black-box attack success rate reaches up to 75.9%. Compared with the Fast Gradient Sign Method (FGSM), the Iterative Fast Gradient Sign Method (I-FGSM), and the Momentum Iterative Fast Gradient Sign Method (MI-FGSM), this is an average improvement of 12.1, 10.6, and 8.2 percentage points, respectively, which verifies the effectiveness of the method.

Key words: adversarial sample, black-box attack, facial recognition, Gaussian filtering, mask