[Keywords]
[Abstract]
Deep neural networks (DNNs) have achieved remarkable success in many fields, but studies show that they are vulnerable to adversarial examples. Gradient-based attacks are a popular class of adversarial attacks and have attracted wide attention. This study investigates the relationship between gradient-based adversarial attacks and numerical methods for solving ordinary differential equations (ODEs) and proposes a new adversarial attack based on the Runge-Kutta (RK) method, a numerical method for solving ODEs. Following the prediction idea of the RK method, the attack first adds perturbations to the original examples to construct predicted examples and then linearly combines the gradients of the loss function with respect to the original and predicted examples to determine the perturbations added when generating adversarial examples. Unlike existing attacks, the proposed attack exploits the prediction idea of the RK method to obtain future gradient information (i.e., the gradient of the loss function with respect to the predicted examples) and uses it to determine the adversarial perturbations. The proposed attack is highly extensible and can be easily integrated into all existing gradient-based attacks. Extensive experiments demonstrate that, compared with state-of-the-art gradient-based attacks, the proposed RK-based attack achieves higher success rates and better transferability.
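The prediction-and-combination scheme described above can be sketched in a few lines. This is a minimal illustrative sketch, not the paper's implementation: the function name `rk2_perturbation`, the stand-in `grad_fn`, the step sizes `alpha` and `eps`, and the equal 1/2-1/2 weighting (borrowed from the classical second-order RK/Heun scheme) are all assumptions for illustration.

```python
import numpy as np

def rk2_perturbation(x, grad_fn, eps=0.1, alpha=0.05):
    """Heun-style (second-order RK) perturbation sketch.

    grad_fn(x) returns the gradient of the classification loss
    with respect to the input x (a stand-in for backprop).
    """
    # Gradient at the original example.
    g1 = grad_fn(x)
    # Prediction step: perturb x along the sign of g1 to build
    # a predicted example, then query its "future" gradient.
    x_pred = x + alpha * np.sign(g1)
    g2 = grad_fn(x_pred)
    # Linearly combine the two gradients (equal weights, as in
    # the classical RK2 scheme) to set the final perturbation.
    g = 0.5 * (g1 + g2)
    return eps * np.sign(g)

# Toy usage with a quadratic "loss" whose gradient is known:
# L(x) = 0.5 * ||x||^2, so grad_fn is the identity.
x = np.array([0.3, -0.2])
delta = rk2_perturbation(x, grad_fn=lambda z: z)
print(delta)  # an eps-bounded sign perturbation
```

In a real attack, `grad_fn` would be a backward pass through the target network, and the same two-gradient combination can be dropped into any iterative gradient-based attack as the abstract suggests.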
[CLC number]
[Funding]
National Natural Science Foundation of China (62072481); Science and Technology Program of Guangzhou (202201011587); Open Project of Henan Key Laboratory of Cyberspace Situation Awareness (HNTS2022014)