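Transfer-based Adversarial Attack with Rectified Adam and Color Invariance

About the authors:

Ding Jia (丁佳) (1997-), female, master's student, CCF student member; main research areas: machine learning and adversarial attacks;
Xu Zhiwu (许智武) (1983-), male, Ph.D., associate professor, doctoral supervisor, CCF professional member; main research areas: program analysis and verification, programming language theory, formal methods, and machine learning.

Corresponding author:

Xu Zhiwu, E-mail: xuzhiwu@szu.edu.cn

CLC number:

TP18

Funding:

National Natural Science Foundation of China (61836005, 61972260, 61772347); Guangdong Basic and Applied Basic Research Foundation (2019A1515011577); Shenzhen Stable Support Program for Universities (20200810150421002)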
Abstract:

Deep neural networks have been widely used in object detection, image classification, natural language processing, speech recognition, and many other fields. Nevertheless, deep neural networks are vulnerable to adversarial examples, that is, inputs to which perturbations imperceptible to the human eye have been added so that the classifier misclassifies them. Moreover, the same perturbation can deceive multiple classifiers across models and even across tasks. This cross-model transferability of adversarial examples greatly limits the application of deep neural networks in real life. The threat that adversarial examples pose to deep neural networks has stimulated researchers' interest in adversarial attacks. Researchers have proposed a number of adversarial attack methods, but the cross-model attack ability of most of them (especially black-box attacks) is often poor, particularly against defense models that use adversarial training or input transformation. To improve the transferability of adversarial examples, this study proposes a method named RLI-CI-FGSM. RLI-CI-FGSM is a transfer-based attack: on the substitute model, it uses the gradient-based white-box attack RLI-FGSM to generate adversarial examples, and it uses CIM to expand the source model so that RLI-FGSM attacks the substitute model and the extended model at the same time. Specifically, RLI-FGSM integrates the RAdam optimization algorithm into the iterative fast gradient sign method and makes use of the second-derivative information of the objective function to generate adversarial examples, which keeps the optimization from falling into poor local optima. Based on the observation that deep neural networks are, to a certain degree, invariant to color transformation, CIM optimizes the perturbation over a set of color-transformed images to generate adversarial examples that are more transferable to defense models and less sensitive to the white-box model being attacked. The experimental results show that the proposed method achieves a higher success rate on both normal network models and adversarial network models.

Cite this article

Ding Jia, Xu Zhiwu. Transfer-based Adversarial Attack with Rectified Adam and Color Invariance. Journal of Software (软件学报), 2022, 33(7): 2525-2537

History
  • Received: 2021-09-05
  • Last revised: 2021-10-14
  • Published online: 2022-01-28
  • Publication date: 2022-07-06