基于PSO的路牌识别模型黑盒对抗攻击方法
CSTR:
作者:
作者单位:

作者简介:

陈晋音(1982-),女,博士,副教授,博士生导师,CCF专业会员,主要研究领域为人工智能安全,深度学习,图数据挖掘,进化计算;沈诗婧(1996-),女,硕士生,主要研究领域为计算机视觉,人工智能;陈治清(1998-),男,硕士生,主要研究领域为深度学习,数据挖掘;苏蒙蒙(1994-),女,硕士生,主要研究领域为深度学习,人工智能安全;郑海斌(1995-),男,博士生,CCF学生会员,主要研究领域为人工智能安全,深度学习应用,数字图像处理.

通讯作者:

陈晋音,E-mail:chenjinyin@zjut.edu.cn

中图分类号:

基金项目:

浙江省自然科学基金(LY19F020025);国家重点研发计划(2018AAA0100800);宁波市“科技创新2025”重大专项(2018B10063);浙江省认知医疗工程技术研究中心(2018KFJJ07)


Black-box Adversarial Attack Against Road Sign Recognition Model via PSO
Author:
Affiliation:

Fund Project:

Zhejiang Provincial Natural Science Foundation of China (LY19F020025); National Key Research and Development Program of China (2018AAA0100800); Major Special Funding for "Science and Technology Innovation 2025" in Ningbo (2018B10063); Engineering Research Center of Cognitive Healthcare of Zhejiang Province (2018KFJJ07)

  • 摘要
  • |
  • 图/表
  • |
  • 访问统计
  • |
  • 参考文献
  • |
  • 相似文献
  • |
  • 引证文献
  • |
  • 资源附件
  • |
  • 文章评论
    摘要:

    随着深度学习在计算机视觉领域的广泛应用,人脸认证、车牌识别、路牌识别等也随之呈现商业化应用趋势.因此,针对深度学习模型的安全性研究至关重要.已有的研究发现:深度学习模型易受精心制作的包含微小扰动的对抗样本攻击,输出完全错误的识别结果.针对深度模型的对抗攻击是致命的,但同时也能帮助研究人员发现模型漏洞,并采取进一步改进措施.基于该思想,针对自动驾驶场景中的基于深度学习的路牌识别模型,提出一种基于粒子群优化的黑盒物理攻击方法(black-box physical attack via PSO,简称BPA-PSO).BPA-PSO在未知模型结构的前提下,不仅可以实现对深度模型的黑盒攻击,还能使得实际物理场景中的路牌识别模型失效.通过在电子空间的数字图像场景、物理空间的实验室及户外路况等场景下的大量实验,验证了所提出的BPA-PSO算法的攻击有效性,可发现模型漏洞,进一步提高深度学习的应用安全性.最后,对BPA-PSO算法存在的问题进行分析,对未来的研究可能面临的挑战进行了展望.

    Abstract:

    With the wider application of deep learning in the field of computer vision, face authentication, license plate recognition, and road sign recognition have also presented commercial application trends. Therefore, research on the security of deep learning models is of great importance. Previous studies have found that deep learning models are vulnerable to carefully crafted adversarial examples that contains small perturbations, leading completely incorrect recognition results. Adversarial attacks against deep learning models are fatal, but they can also help researchers find vulnerabilities of models and make further improvements. Motivated by that, this study proposes a black box physical attack method based on particle swarm optimization (BPA-PSO) for deep learning road sign recognition model in scenario of autonomous vehicles. Under the premise of unknown model structure, BPA-PSO can not only realize the black box attack on deep learning models, but also invalidate the road sign recognition models in the physical scenario. The attack effectiveness of BPA-PSO algorithm is verified through a large number of experiments in the digital images of electronic space, laboratory environment, and outdoor road conditions. Besides, the abilities of discovering models' vulnerabilities and further improving the application security of deep learning are also demonstrated. Finally, the problems existing in the BPA-PSO algorithm are analyzed and possible challenges of future research are proposed.

    参考文献
    相似文献
    引证文献
引用本文

陈晋音,陈治清,郑海斌,沈诗婧,苏蒙蒙.基于PSO的路牌识别模型黑盒对抗攻击方法.软件学报,2020,31(9):2785-2801

复制
分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2019-07-03
  • 最后修改日期:2019-08-18
  • 录用日期:
  • 在线发布日期: 2020-01-17
  • 出版日期: 2020-09-06
文章二维码
您是第位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号