Black-box Transferable Attack Method for Object Detection Based on GAN
Authors:
Author biographies:

Lu Yuxuan (1997-), male, master's degree, main research interests: machine learning, computer vision, adversarial attacks; Liu Zeyu (2001-), male, undergraduate student, main research interests: machine learning, computer vision; Luo Yonggang (1992-), male, PhD, main research interest: artificial intelligence; Deng Senyou (1990-), male, master's degree, main research interests: machine learning, computer vision, adversarial attacks; Jiang Tian (1987-), female, master's degree, main research interests: computer vision, algorithm security; Ma Jinyan (1996-), female, master's degree, main research interests: computer vision, object detection; Dong Yinpeng (1995-), male, PhD, main research interests: machine learning, computer vision, adversarial attacks

Corresponding author:

Dong Yinpeng, E-mail: dongyinpeng@mail.tsinghua.edu.cn

CLC number:

TP391


Abstract (translated from the Chinese original):

Object detection is widely applied in autonomous driving, industry, medicine and many other fields, and using object detection algorithms to solve key tasks in these fields has gradually become mainstream. However, deep-learning-based object detection models are seriously lacking in robustness under adversarial example attacks: adversarial examples constructed by adding small perturbations easily cause the model to predict incorrectly, which greatly limits the application of object detection models in safety-critical domains. Models in practical applications are generally black-box models, and existing research on black-box attacks against object detection models is insufficient, with problems such as incomplete robustness evaluation, low black-box attack success rates and high resource consumption. To address these problems, this paper proposes a black-box attack algorithm for object detection based on a generative adversarial network. The generator, which incorporates an attention mechanism, outputs the adversarial perturbation directly, and its parameters are optimized jointly by the surrogate model's loss and the proposed class attention loss; the method supports two scenarios, targeted attacks and vanishing attacks. Experimental results on the Pascal VOC and MS COCO datasets show that the proposed method achieves a higher black-box transfer attack success rate than current attack methods and can perform transfer attacks across different datasets.

Abstract (English, as published):

Object detection is widely used in fields such as autonomous driving, industry, and medical care, and using object detection algorithms to solve key tasks in these fields has gradually become the mainstream approach. However, deep-learning-based object detection models are seriously lacking in robustness under adversarial example attacks: adversarial examples constructed by adding small perturbations easily cause the model to predict incorrectly, which greatly limits the application of object detection models in safety-critical fields. In practical applications the models are black-box models, yet research on black-box attacks against object detection models is relatively scarce and suffers from problems such as incomplete robustness evaluation, low black-box attack success rates, and high resource consumption. To address these issues, this study proposes a black-box object detection attack algorithm based on a generative adversarial network. The algorithm uses a generator network fused with an attention mechanism to output the adversarial perturbation directly, and optimizes the generator parameters jointly with the surrogate model loss and the proposed class attention loss; it supports two scenarios, targeted attacks and vanishing attacks. Extensive experiments are conducted on the Pascal VOC and MS COCO datasets. The results demonstrate that the proposed method achieves a higher black-box transferable attack success rate than current attack methods and can perform transferable attacks between different datasets.

Cite this article:

Lu YX, Liu ZY, Luo YG, Deng SY, Jiang T, Ma JY, Dong YP. Black-box transferable attack method for object detection based on GAN. Ruan Jian Xue Bao/Journal of Software, 2024, 35(7): 3531–3550

History
  • Received: 2022-11-27
  • Revised: 2023-01-14
  • Published online: 2023-08-23
  • Published: 2024-07-06
Copyright: Institute of Software, Chinese Academy of Sciences