Black-box Adversarial Attack Against Road Sign Recognition Model via PSO
Authors: Chen Jinyin, Chen Zhiqing, Zheng Haibin, Shen Shijing, Su Mengmeng
Author biographies:

Chen Jinyin (1982-), female, PhD, associate professor, doctoral supervisor, CCF professional member; main research areas: AI security, deep learning, graph data mining, evolutionary computation. Shen Shijing (1996-), female, master's student; main research areas: computer vision, artificial intelligence. Chen Zhiqing (1998-), male, master's student; main research areas: deep learning, data mining. Su Mengmeng (1994-), female, master's student; main research areas: deep learning, AI security. Zheng Haibin (1995-), male, PhD student, CCF student member; main research areas: AI security, deep learning applications, digital image processing.

Corresponding author:

Chen Jinyin, E-mail: chenjinyin@zjut.edu.cn

Funding:

Zhejiang Provincial Natural Science Foundation of China (LY19F020025); National Key Research and Development Program of China (2018AAA0100800); Major Special Funding for "Science and Technology Innovation 2025" in Ningbo (2018B10063); Engineering Research Center of Cognitive Healthcare of Zhejiang Province (2018KFJJ07)


Abstract:

With the wider application of deep learning in computer vision, face authentication, license plate recognition and road sign recognition are moving towards commercial deployment, so research on the security of deep learning models is of great importance. Previous studies have found that deep learning models are vulnerable to carefully crafted adversarial examples containing small perturbations, which lead to completely incorrect recognition results. Adversarial attacks against deep learning models can be devastating, but they also help researchers find model vulnerabilities and make further improvements. Motivated by this, the study proposes a black-box physical attack method based on particle swarm optimization (BPA-PSO) against deep-learning road sign recognition models in autonomous driving scenarios. Without knowledge of the model structure, BPA-PSO not only realizes black-box attacks on deep learning models but also defeats road sign recognition models in the physical world. The effectiveness of BPA-PSO is verified through extensive experiments on digital images, in a laboratory setting and on outdoor roads, and its ability to discover model vulnerabilities and thereby improve the application security of deep learning is demonstrated. Finally, the limitations of the BPA-PSO algorithm are analyzed and possible challenges for future research are discussed.
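The query-only attack loop the abstract describes, as an added illustration that is not the authors' code and does not use the paper's parameters: a particle swarm searches over a bounded perturbation of the input, and the only thing the attacker learns from the model is the class-probability vector returned by `predict()`. The "classifier" is a constructed 3-class linear model on a 4x4 grayscale patch, the "stop sign" is a constructed patch, and the swarm size, iteration budget, perturbation bound `eps` and fitness weighting `lam` are illustrative choices. The real method also has to survive printing and camera capture; this digital-only example does not model that.

```python
"""Query-only black-box adversarial search with particle swarm optimisation (PSO).

Added worked example for the BPA-PSO abstract above; it is not the authors' code.
The 'road sign classifier' is a constructed 3-class linear model on a 4x4 grayscale
patch that stands in for a real network so the script runs offline.  The attacker
never reads its weights: it only calls Model.predict() and sees class probabilities,
which is the black-box setting the paper describes.  Swarm size, iteration budget,
fitness weighting and the perturbation bound are illustrative choices.
"""
import math
import random

CLASSES = ["stop", "speed_limit_30", "yield"]
SIDE = 4
D = SIDE * SIDE
_CENTRE = {5, 6, 9, 10}  # the four centre pixels of the 4x4 patch


def _softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


class Model:
    """Stand-in black box: the attack code may only call predict()."""

    def __init__(self):
        # Constructed weights: 'stop' responds to a bright centre, 'speed_limit_30'
        # to a bright border, 'yield' to an overall dark patch.
        self._w = [
            [0.6 if i in _CENTRE else -0.1 for i in range(D)],
            [-0.1 if i in _CENTRE else 0.4 for i in range(D)],
            [-0.3] * D,
        ]
        self._b = [0.0, 0.0, 1.0]
        self.queries = 0  # every call costs one query; a real attacker budgets these

    def predict(self, x):
        self.queries += 1
        logits = [sum(wi * xi for wi, xi in zip(w, x)) + b
                  for w, b in zip(self._w, self._b)]
        return _softmax(logits)


def clean_sign():
    """Constructed 'stop sign' patch: bright centre on a dim border, values in [0, 1]."""
    return [1.0 if i in _CENTRE else 0.3 for i in range(D)]


def label_of(probs):
    return CLASSES[max(range(len(probs)), key=probs.__getitem__)]


def _clip(v, lo, hi):
    return lo if v < lo else hi if v > hi else v


def pso_attack(model, x, eps=0.3, particles=30, iters=100, lam=0.1, seed=1):
    """Untargeted black-box attack.

    Each particle is a perturbation delta in [-eps, eps]^D.  The fitness (minimised)
    is p_true - max_{j != true} p_j, computable from the probabilities alone, plus a
    small L2 term so that once the label has flipped the swarm keeps shrinking the
    perturbation.  A negative margin means the label has flipped.
    """
    rng = random.Random(seed)
    true_label = label_of(model.predict(x))
    t = CLASSES.index(true_label)

    def fitness(delta):
        adv = [_clip(xi + di, 0.0, 1.0) for xi, di in zip(x, delta)]  # stay a valid image
        p = model.predict(adv)
        margin = p[t] - max(p[j] for j in range(len(p)) if j != t)
        l2 = math.sqrt(sum(d * d for d in delta) / D)
        return margin + lam * l2, margin, adv

    vmax = eps / 2
    pos = [[rng.uniform(-eps, eps) for _ in range(D)] for _ in range(particles)]
    vel = [[rng.uniform(-vmax, vmax) for _ in range(D)] for _ in range(particles)]
    pbest = [p[:] for p in pos]
    pfit = []
    gbest, gfit, gmargin, gadv = None, math.inf, math.inf, None
    for i in range(particles):
        f, m, adv = fitness(pos[i])
        pfit.append(f)
        if f < gfit:
            gbest, gfit, gmargin, gadv = pos[i][:], f, m, adv

    w, c1, c2 = 0.7, 1.5, 1.5  # inertia, cognitive and social coefficients
    for _ in range(iters):
        for i in range(particles):
            for k in range(D):
                r1, r2 = rng.random(), rng.random()
                v = (w * vel[i][k]
                     + c1 * r1 * (pbest[i][k] - pos[i][k])
                     + c2 * r2 * (gbest[k] - pos[i][k]))
                vel[i][k] = _clip(v, -vmax, vmax)
                pos[i][k] = _clip(pos[i][k] + vel[i][k], -eps, eps)
            f, m, adv = fitness(pos[i])
            if f < pfit[i]:
                pbest[i], pfit[i] = pos[i][:], f
                if f < gfit:
                    gbest, gfit, gmargin, gadv = pos[i][:], f, m, adv

    return {
        "success": gmargin < 0,
        "clean_label": true_label,
        "adv_label": label_of(model.predict(gadv)),
        "adv_image": gadv,
        "linf": max(abs(a - b) for a, b in zip(gadv, x)),
        "queries": model.queries,
    }


if __name__ == "__main__":
    model = Model()
    result = pso_attack(model, clean_sign())
    print({k: v for k, v in result.items() if k != "adv_image"})
```

With these settings the swarm spends about 3000 queries, which is the cost a defender can measure: a rate limit or an anomaly detector on near-duplicate inputs is the first practical mitigation against this class of attack, since the attacker has no gradient and must pay for every probe.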

Cite this article

Chen JY, Chen ZQ, Zheng HB, Shen SJ, Su MM. Black-box adversarial attack against road sign recognition model via PSO. Journal of Software, 2020, 31(9): 2785-2801

History
  • Received: 2019-07-03
  • Last revised: 2019-08-18
  • Published online: 2020-01-17
  • Published in print: 2020-09-06
Copyright: Institute of Software, Chinese Academy of Sciences. Email: jos@iscas.ac.cn