
Computer Engineering ›› 2025, Vol. 51 ›› Issue (2): 300-311. doi: 10.19678/j.issn.1000-3428.0068481

• Graphics and Image Processing •

  • Supported by: National Natural Science Foundation of China (62166025); Key Research and Development Program of Gansu Province (21YF5GA073)

Research on Image Adversarial Example Generation Method Based on SE-AdvGAN

ZHAO Hong, SONG Furong*(), LI Wengai   

  1. College of Computer and Communication, Lanzhou University of Technology, Lanzhou 730050, Gansu, China
  • Received:2023-09-27 Online:2025-02-15 Published:2025-03-26
  • Contact: SONG Furong


Abstract:

Adversarial examples are crucial for evaluating the robustness of Deep Neural Networks (DNNs) and revealing their potential security risks. AdvGAN, an adversarial example generation method based on a Generative Adversarial Network (GAN), has made significant progress in generating image adversarial examples; however, the perturbations it generates lack sparsity and have large amplitudes, resulting in adversarial examples of low authenticity. To address this issue, this study proposes SE-AdvGAN, an improved image adversarial example generation method based on AdvGAN and the Squeeze-and-Excitation (SE) mechanism. SE-AdvGAN improves perturbation sparsity by constructing an SE attention generator and an SE residual discriminator. The SE attention generator extracts the key features of an image and restricts the positions at which perturbations are generated, while the SE residual discriminator guides the generator to avoid generating irrelevant perturbations. Moreover, a boundary loss based on the l2 norm is added to the loss function of the SE attention generator to limit the amplitude of the perturbations, thereby improving the authenticity of the adversarial examples. The experimental results indicate that, in the white-box attack scenario, SE-AdvGAN generates perturbations with higher sparsity and smaller amplitude than existing methods and achieves better attack performance on different target models. This shows that the high-quality adversarial examples generated by SE-AdvGAN can more effectively evaluate the robustness of DNN models.
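The two building blocks named in the abstract — SE channel attention and an l2-norm boundary loss — can be sketched in a few lines. This is a minimal NumPy illustration of the general techniques, not the authors' implementation; the weight matrices and the bound `epsilon` are hypothetical placeholders.

```python
import numpy as np

def se_attention(x, w1, w2):
    """Squeeze-and-Excitation channel attention (generic sketch).
    x: feature map of shape (C, H, W); w1: (C//r, C) and w2: (C, C//r)
    form the bottleneck excitation MLP with reduction ratio r."""
    # Squeeze: global average pooling over the spatial dimensions -> (C,)
    z = x.mean(axis=(1, 2))
    # Excitation: FC -> ReLU -> FC -> sigmoid gives per-channel weights in (0, 1)
    s = 1.0 / (1.0 + np.exp(-(w2 @ np.maximum(w1 @ z, 0.0))))
    # Scale: reweight each channel, emphasizing key features
    return x * s[:, None, None]

def boundary_loss(perturbation, epsilon):
    """l2-norm boundary loss (sketch): penalize only the portion of the
    perturbation's l2 norm that exceeds the bound epsilon."""
    return max(np.linalg.norm(perturbation) - epsilon, 0.0)
```

In an AdvGAN-style pipeline, a term like `boundary_loss(G(x), epsilon)` would be added to the generator's objective so that the learned perturbation `G(x)` stays small in l2 norm, while SE attention inside the generator concentrates the perturbation on salient channels.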

Key words: adversarial example, Generative Adversarial Network (GAN), sparse perturbation, Deep Neural Network (DNN), robustness