空频域联合优化的通用对抗扰动生成方法

doi:10.19678/j.issn.1000-3428.0069619

计算机工程 ›› 2026, Vol. 52 ›› Issue (1): 176-187. doi: 10.19678/j.issn.1000-3428.0069619

• 计算机视觉与图形图像处理 • 上一篇下一篇

空频域联合优化的通用对抗扰动生成方法

耿荣¹, 孙钦东¹^,²^,*(), 曹晗¹^,³, 王艳¹

1. 西安理工大学网络计算与安全技术陕西省重点实验室, 陕西西安 710048
2. 西安交通大学网络空间安全学院, 陕西西安 710049
3. 四川数字经济产业发展研究院, 四川成都 610036

收稿日期:2024-03-19 修回日期:2024-07-25 出版日期:2026-01-15 发布日期:2024-10-10
通讯作者: 孙钦东
作者简介:
耿荣, 男, 博士研究生, 主研方向为机器学习、网络安全
孙钦东(通信作者), 教授、博士、博士生导师
曹晗, 博士研究生
王艳, 博士研究生
基金资助:
国家自然科学基金(62272378); 四川省自然科学基金(2023NSFSC0502); 四川省自然科学基金(2022NSFSC0554); 四川省自然科学基金(2022NSFSC0549); 陕西省高校青年创新团队(2019-38)

Generalized Method for Universal Adversarial Perturbations Using Joint Optimization in Spatial-Frequency Domains

GENG Rong¹, SUN Qindong¹^,²^,*(), CAO Han¹^,³, WANG Yan¹

1. Shaanxi Key Laboratory of Network Computing and Security, Xi'an University of Technology, Xi'an 710048, Shaanxi, China
2. School of Cyber Science and Engineering, Xi'an Jiaotong University, Xi'an 710049, Shaanxi, China
3. Sichuan Digital Economy Industry Development Research Institute, Chengdu 610036, Sichuan, China

Received:2024-03-19 Revised:2024-07-25 Online:2026-01-15 Published:2024-10-10
Contact: SUN Qindong

摘要/Abstract

摘要：

通用对抗扰动(UAP)的空域信息直观表示了扰动的视觉特征, 频域信息包含了扰动的结构和纹理, 联合分析扰动的空域和频域信息, 有助于理解UAP的生成机制及其对图像分类模型鲁棒性的影响。已有研究大多关注扰动空域信息的分布和变化, 忽略了频率分量的作用, 限制了UAP的泛化能力。针对此问题, 提出一种空频域联合优化的图像UAP生成方法, 使用对抗样本置信度损失、扰动空域距离损失和扰动频率引导损失, 从空域和频域角度训练模型, 生成具有高攻击性和迁移性的UAP。其中, 对抗样本置信度损失用于增强扰动的攻击性, 扰动空域距离损失优化扰动的空域大小, 扰动频率引导损失控制扰动中频率分量的比重。实验结果表明, UAP的低频分量对攻击效果影响较大, 在相同扰动空域内, 低频分量越多, 扰动攻击成功率越高; 与基线方法对比, 通过联合优化空域和频域生成的UAP具有较强的攻击性和迁移性, 在生成速度方面也有显著的优势。

关键词: 通用对抗扰动, 空频域联合优化, 对抗样本置信度, 频率引导, 频率分量

Abstract:

The spatial information of a Universal Adversarial Perturbation (UAP) intuitively represents the visual characteristics of perturbations, whereas the frequency domain information includes the structure and texture of perturbations. Joint analysis of the spatial and frequency domain information of perturbations helps understand the generation mechanism of UAP and its impact on the robustness of image classification models. Most existing studies have focused on the distribution and changes in perturbed spatial information, neglecting the role of frequency components and limiting the generalization ability of the UAP. To address this issue, a joint optimization method for image UAP generation in the spatial and frequency domains is proposed. This method utilizes the adversarial sample confidence loss, perturbation spatial distance loss, and perturbation frequency guidance loss to train the model from both spatial and frequency perspectives, generating a UAP with high attack and transferability. The adversarial sample confidence loss is used to enhance the aggressiveness of disturbances, disturbance spatial distance loss optimizes the spatial size of disturbances, and disturbance frequency guided loss controls the proportion of the frequency components in disturbances. The experimental results indicate that the low-frequency components of the UAP have a significant impact on attack effectiveness. Within the same perturbation space, the more low-frequency components, the higher the success rate of perturbation attacks. Compared with the baseline method, the UAP generated by jointly optimizing the spatial and frequency domains has strong aggressiveness and transferability. Moreover, it has significant advantages in terms of generation speed.

Key words: Universal Adversarial Perturbations (UAP), joint optimization in spatial-frequency domains, adversarial sample confidence, frequency guided, frequency component

耿荣, 孙钦东, 曹晗, 王艳. 空频域联合优化的通用对抗扰动生成方法[J]. 计算机工程, 2026, 52(1): 176-187.

GENG Rong, SUN Qindong, CAO Han, WANG Yan. Generalized Method for Universal Adversarial Perturbations Using Joint Optimization in Spatial-Frequency Domains[J]. Computer Engineering, 2026, 52(1): 176-187.

https://www.ecice06.com/CN/Y2026/V52/I1/176

图/表 13

图1 SFUAN的结构

Fig.1 The structure of SFUAN

图2 通用对抗扰动生成模型的训练过程

Fig.2 The training process of UAP generation model

图3 高频优化的扰动目标攻击效果

Fig.3 The effect of high-frequency optimized perturbation target attack

图4 攻击成功率与扰动空域大小的关系

Fig.4 The relationship between attack success rate and disturbance airspace size

图5 不同扰动空域大小下的目标攻击效果

Fig.5 Target attack effectiveness under different disturbance airspace sizes

参考文献 29

1	SZEGEDY C, LIU W, JIA Y Q, et al. Going deeper with convolutions[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Washington D.C., USA: IEEE Press, 2015: 1-9.
2	REN H L , HUANG T , YAN H Y . Adversarial examples: attacks and defenses in the physical world. International Journal of Machine Learning and Cybernetics, 2021, 12 (11): 3325- 3336. doi: 10.1007/s13042-020-01242-z
3	冯博, 刘万平, 南海. 结合最大内接圆的图像对抗样本生成算法. 小型微型计算机系统, 2024, 45 (6): 1436- 1443.
	FENG B , LIU W P , NAN H . Image adversarial examples generation algorithm combined with maximum inscribed circle. Journal of Chinese Computer Systems, 2024, 45 (6): 1436- 1443.
4	TANG L, YE D, LV Y, et al. Once and for all: universal transferable adversarial perturbation against deep hashing-based facial image retrieval[C]//Proceedings of the AAAI Conference on Artificial Intelligence. [S. l. ]: AAAI Press, 2024: 5136-5144.
5	MOOSAVI-DEZFOOLI S M, FAWZI A, FAWZI O, et al. Universal adversarial perturbations[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Washington D.C., USA: IEEE Press, 2017: 86-94.
6	XU K, QIN M H, SUN F, et al. Learning in the frequency domain[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Washington D.C., USA: IEEE Press, 2020: 1737-1746.
7	JIA Z Y, LIN Y F, CAI X Y, et al. SST-EmotionNet: spatial-spectral-temporal based attention 3D dense network for EEG emotion recognition[C]//Proceedings of the 28th ACM International Conference on Multimedia. New York, USA: ACM Press, 2020: 2909-2917.
8	SONG X F , XU D H , PENG C , et al. A two-stage frequency-domain generation algorithm based on differential evolution for black-box adversarial samples. Expert Systems with Applications, 2024, 249, 123741. doi: 10.1016/j.eswa.2024.123741
9	陈宇飞, 沈超, 王骞, 等. 人工智能系统安全与隐私风险. 计算机研究与发展, 2019, 56 (10): 2135- 2150.
	CHEN Y F , SHEN C , WANG Q , et al. Security and privacy risks in artificial intelligence systems. Journal of Computer Research and Development, 2019, 56 (10): 2135- 2150.
10	WANG D H , YAO W , JIANG T S , et al. Improving transferability of universal adversarial perturbation with feature disruption. IEEE Transactions on Image Processing, 2024, 33, 722- 737. doi: 10.1109/TIP.2023.3345136
11	KURAKIN A, GOODFELLOW I J, BENGIO S. Adversarial examples in the physical world[EB/OL]. [2024-02-05]. https://arxiv.org/abs/1607.02533v3.
12	MOOSAVI-DEZFOOLI S M, FAWZI A, FROSSARD P. DeepFool: a simple and accurate method to fool deep neural networks[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Washington D.C., USA: IEEE Press, 2016: 2574-2582.
13	CARLINI N, WAGNER D. Towards evaluating the robustness of neural networks[C]//Proceedings of the IEEE Symposium on Security and Privacy (SP). Washington D.C., USA: IEEE Press, 2017: 39-57.
14	SU J W , VARGAS D V , SAKURAI K . One pixel attack for fooling deep neural networks. IEEE Transactions on Evolutionary Computation, 2019, 23 (5): 828- 841. doi: 10.1109/TEVC.2019.2890858
15	MOPURI K R, GARG U, VENKATESH BABU R. Fast feature fool: a data independent approach to universal adversarial perturbations[EB/OL]. [2024-02-05]. https://arxiv.org/pdf/1707.05572.
16	MOPURI K R , GANESHAN A , BABU R V . Generalizable data-free objective for crafting universal adversarial perturbations. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2019, 41 (10): 2452- 2465. doi: 10.1109/TPAMI.2018.2861800
17	ZHANG C N, BENZ P, KARJAUV A, et al. Data-free universal adversarial perturbation and black-box attack[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV). Washington D.C., USA: IEEE Press, 2021: 7848-7857.
18	YE Z X, CHENG X W, HUANG X L. FG-UAP: feature-gathering universal adversarial perturbation[C]//Proceedings of the International Joint Conference on Neural Networks (IJCNN). Washington D.C., USA: IEEE Press, 2023: 1-8.
19	ZHANG Y H , RUAN W J , WANG F , et al. Generalizing universal adversarial perturbations for deep neural networks. Machine Learning, 2023, 112 (5): 1597- 1626. doi: 10.1007/s10994-023-06306-z
20	LIU X N, ZHONG Y Y, ZHANG Y H, et al. Enhancing generalization of universal adversarial perturbation through gradient aggregation[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV). Washington D.C., USA: IEEE Press, 2023: 4412-4421.
21	LIU Y , LI C , WANG Z C , et al. Transferable adversarial attack based on sensitive perturbation analysis in frequency domain. Information Sciences, 2024, 678, 120971. doi: 10.1016/j.ins.2024.120971
22	WANG H H, WU X D, HUANG Z Y, et al. High-frequency component helps explain the generalization of convolutional neural networks[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Washington D.C., USA: IEEE Press, 2020: 8681-8691.
23	YIN D, LOPES R G, SHLENS J, et al. A Fourier perspective on model robustness in computer vision[C]//Proceedings of the 33rd International Conference on Neural Information Processing Systems. Washington D.C., USA: IEEE Press, 2019: 13276-13286.
24	WANG Y , SUN Q D , RONG D Z , et al. Multi-domain awareness for compressed deepfake videos detection over social networks guided by common mechanisms between artifacts. Computer Vision and Image Understanding, 2024, 247, 104072. doi: 10.1016/j.cviu.2024.104072
25	GUO C, FRANK J S, WEINBERGER K Q. Low frequency adversarial perturbation[EB/OL]. [2024-02-05]. https://arxiv.org/abs/1809.08758.
26	CAO H , SUN Q D , LI Y Q , et al. Efficient history-driven adversarial perturbation distribution learning in low frequency domain. ACM Transactions on Privacy and Security, 2024, 27 (1): 1- 25.
27	WENG J J , LUO Z M , LIN D Z , et al. Comparative evaluation of recent universal adversarial perturbations in image classification. Computers Security, 2024, 136, 103576. doi: 10.1016/j.cose.2023.103576
28	SHARMA Y, DING G W, BRUBAKER M A. On the effectiveness of low frequency perturbations[C]//Proceedings of the 28th International Joint Conference on Artificial Intelligence. New York, USA: ACM Press, 2019: 3389-3396.
29	DENG Y P , KARAM L J . Frequency-tuned universal adversarial attacks on texture recognition. IEEE Transactions on Image Processing, 2022, 31, 5856- 5868. doi: 10.1109/TIP.2022.3202366

选择文件类型/文献管理软件名称

选择包含的内容

空频域联合优化的通用对抗扰动生成方法

Generalized Method for Universal Adversarial Perturbations Using Joint Optimization in Spatial-Frequency Domains

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 13

参考文献 29

相关文章 0

编辑推荐

Metrics

本文评价

模态框（Modal）标题

选择文件类型/文献管理软件名称

选择包含的内容

空频域联合优化的通用对抗扰动生成方法

Generalized Method for Universal Adversarial Perturbations Using Joint Optimization in Spatial-Frequency Domains

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 13

参考文献 29

相关文章 0

编辑推荐

Metrics

本文评价