基于生成对抗网络的目标检测黑盒迁移攻击算法

doi:10.13328/j.cnki.jos.006937

微信服务号

微信订阅号

2025年5月30日 14:53 星期五

首页 > 过刊浏览>2024年第35卷第7期 >3531-3550. DOI:10.13328/j.cnki.jos.006937

PDF HTML阅读 XML下载导出引用引用提醒

基于生成对抗网络的目标检测黑盒迁移攻击算法
DOI:
                        10.13328/j.cnki.jos.006937
                    
CSTR:
                        
                    
作者:
                        陆宇轩陆宇轩
北京瑞莱智慧科技有限公司, 北京 100089
在期刊界中查找
在百度中查找
在本站中查找
刘泽禹刘泽禹
清华大学 计算机科学与技术系, 北京 100084
在期刊界中查找
在百度中查找
在本站中查找
罗咏刚罗咏刚
重庆长安汽车软件科技有限公司, 重庆 400021
在期刊界中查找
在百度中查找
在本站中查找
邓森友邓森友
北京瑞莱智慧科技有限公司, 北京 100089
在期刊界中查找
在百度中查找
在本站中查找
江天江天
重庆长安汽车软件科技有限公司, 重庆 400021
在期刊界中查找
在百度中查找
在本站中查找
马金燕马金燕
重庆长安汽车软件科技有限公司, 重庆 400021
在期刊界中查找
在百度中查找
在本站中查找
董胤蓬董胤蓬
北京瑞莱智慧科技有限公司, 北京 100089;清华大学 计算机科学与技术系, 北京 100084
在期刊界中查找
在百度中查找
在本站中查找

                    
作者单位:
作者简介:陆宇轩(1997-),男,硕士,主要研究领域为机器学习,计算机视觉,对抗攻击;刘泽禹(2001-),男,本科生,主要研究领域为机器学习,计算机视觉;罗咏刚(1992-),男,博士,主要研究领域为人工智能;邓森友(1990-),男,硕士,主要研究领域为机器学习,计算机视觉,对抗攻击;江天(1987-),女,硕士,主要研究领域为计算机视觉,算法安全性;马金燕(1996-),女,硕士,主要研究领域为计算机视觉,目标检测;董胤蓬(1995-),男,博士,主要研究领域为机器学习,计算机视觉,对抗攻击
通讯作者:董胤蓬, E-mail: dongyinpeng@mail.tsinghua.edu.cn
中图分类号:TP391
基金项目:

Black-box Transferable Attack Method for Object Detection Based on GAN

Author:

LU Yu-Xuan
LU Yu-Xuan
Beijing RealAI Intelligent Technology Co. Ltd., Beijing 100089, China
在期刊界中查找
在百度中查找
在本站中查找
LIU Ze-Yu
LIU Ze-Yu
Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
在期刊界中查找
在百度中查找
在本站中查找
LUO Yong-Gang
LUO Yong-Gang
Chongqing Changan Automobile Software Technology Co. Ltd., Chongqing 400021, China
在期刊界中查找
在百度中查找
在本站中查找
DENG Sen-You
DENG Sen-You
Beijing RealAI Intelligent Technology Co. Ltd., Beijing 100089, China
在期刊界中查找
在百度中查找
在本站中查找
JIANG Tian
JIANG Tian
Chongqing Changan Automobile Software Technology Co. Ltd., Chongqing 400021, China
在期刊界中查找
在百度中查找
在本站中查找
MA Jin-Yan
MA Jin-Yan
Chongqing Changan Automobile Software Technology Co. Ltd., Chongqing 400021, China
在期刊界中查找
在百度中查找
在本站中查找
DONG Yin-Peng
DONG Yin-Peng
Beijing RealAI Intelligent Technology Co. Ltd., Beijing 100089, China;Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
在期刊界中查找
在百度中查找
在本站中查找

Affiliation:

Fund Project:

摘要

图/表

访问统计

参考文献 [63]

相似文献 [20]

引证文献

资源附件

文章评论

摘要:

目标检测被广泛应用到自动驾驶、工业、医疗等各个领域. 利用目标检测算法解决不同领域中的关键任务逐渐成为主流. 然而基于深度学习的目标检测模型在对抗样本攻击下, 模型的鲁棒性存在严重不足, 通过加入微小扰动构造的对抗样本很容易使模型预测出错. 这极大地限制了目标检测模型在关键安全领域的应用. 在实际应用中的模型普遍是黑盒模型, 现有的针对目标检测模型的黑盒攻击相关研究不足, 存在鲁棒性评测不全面, 黑盒攻击成功率较低, 攻击消耗资源较高等问题. 针对上述问题, 提出基于生成对抗网络的目标检测黑盒攻击算法, 所提算法利用融合注意力机制的生成网络直接输出对抗扰动, 并使用替代模型的损失和所提的类别注意力损失共同优化生成网络参数, 可以支持定向攻击和消失攻击两种场景. 在Pascal VOC数据集和MS COCO数据集上的实验结果表明, 所提方法比目前攻击方法的黑盒迁移攻击成功率更高, 并且可以在不同数据集之间进行迁移攻击.

关键词:对抗攻击;目标检测;黑盒迁移攻击;生成对抗网络;注意力损失

Abstract:

Object detection is widely used in various fields such as autonomous driving, industry, and medical care. Using the object detection algorithm to solve key tasks in different fields has gradually become the main method. However, the robustness of the object detection model based on deep learning is seriously insufficient under the attack of adversarial samples. It is easy to make the model prediction wrong by adding the adversarial samples constructed by small perturbations, which greatly limits the application of the object detection model in key security fields. In practical applications, the models are black-box models. Related research on black-box attacks against object detection models is relatively lacking, and there are many problems such as incomplete robustness evaluation, low attack success rate of black-box, and high resource consumption. To address the aforementioned issues, this study proposes a black-box object detection attack algorithm based on a generative adversarial network. The algorithm uses the generative network fused with an attention mechanism to output the adversarial perturbations and employs the alternative model loss and the category attention loss to optimize the generated network parameters, which can support two scenarios of target attack and vanish attack. A large number of experiments are conducted on the Pascal VOC and the MSCOCO datasets. The results demonstrate that the proposed method has a higher black-box transferable attack success rate and can perform transferable attacks between different datasets.

Key words:adversarial attack;object detection;black-box transferable attack;generative adversarial network (GAN);attention loss

参考文献

[1] Li JZ, Su H, Zhu J, Wang SY, Zhang B. Textbook question answering under instructor guidance with memory networks. In: Proc. of the 2018 IEEE/CVF Conf. on Computer Vision and Pattern Recognition. Salt Lake City: IEEE, 2018. 3655–3663.

[2] Gong ZQ, Zhong P, Yu Y, Hu WD, Li ST. A CNN with multiscale convolution and diversified metric for hyperspectral image classification. IEEE Transactions on Geoscience and Remote Sensing, 2019, 57(6): 3599–3618. [doi: 10.1109/TGRS.2018.2886022]

[3] Gong ZQ, Zhong P, Hu WD. Statistical loss and analysis for deep learning in hyperspectral image classification. IEEE Transactions on Neural Networks and Learning Systems, 2021, 32(1): 322–333. [doi: 10.1109/TNNLS.2020.2978577]

[4] Albert A, Kaur J, Gonzalez MC. Using convolutional networks and satellite imagery to identify patterns in urban environments at a large scale. In: Proc. of the 23rd ACM SIGKDD Int’l Conf. on Knowledge Discovery and Data Mining. Halifax: Association for Computing Machinery, 2017. 1357–1366.

[5] Pritt M, Chern G. Satellite image classification with deep learning. In: Proc. of the 2017 IEEE Applied Imagery Pattern Recognition Workshop (AIPR). Washington: IEEE, 2017. 1–7.

[6] Zhao ZQ, Zheng P, Xu ST, Wu XD. Object detection with deep learning: A review. IEEE Transactions on Neural Networks and Learning Systems, 2019, 30(11): 3212–3232. [doi: 10.1109/TNNLS.2018.2876865]

[7] Joseph KJ, Khan S, Khan FS, Balasubramanian VN. Towards open world object detection. In: Proc. of the 2021 IEEE/CVF Conf. on Computer Vision and Pattern Recognition. Nashville: IEEE, 2021. 5826–5836.

[8] Ren SP, He KM, Girshick R, Sun J. Faster R-CNN: Towards real-time object detection with region proposal networks. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2017, 39(6): 1137–1149. [doi: 10.1109/TPAMI.2016.2577031]

[9] Liu W, Anguelov D, Erhan D, Szegedy C, Reed S, Fu CY, Berg AC. SSD: Single shot multibox detector. In: Proc. of the 14th European Conf. on Computer Vision. Amsterdam: Springer, 2016. 21–37.

[10] Redmon J, Farhadi A. YOLOv3: An incremental improvement. arXiv:1804.02767, 2018.

[11] Yuan XH, Shi JF, Gu LC. A review of deep learning methods for semantic segmentation of remote sensing imagery. Expert Systems with Applications, 2021, 169: 114417. [doi: 10.1016/j.eswa.2020.114417]

[12] Eykholt K, Evtimov I, Fernandes E, Li B, Rahmati A, Xiao CW, Prakash A, Kohno T, Song D. Robust physical-world attacks on deep learning visual classification. In: Proc. of the 2018 IEEE/CVF Conf. on Computer Vision and Pattern Recognition. Salt Lake City: IEEE, 2018. 1625–1634.

[13] Grigorescu S, Trasnea B, Cocias T, Macesanu G. A survey of deep learning techniques for autonomous driving. Journal of Field Robotics, 2020, 37(3): 362–386. [doi: 10.1002/rob.21918]

[14] Hu Y, Yang A, Li H, Sun YY, Sun LM. A survey of intrusion detection on industrial control systems. Int’l Journal of Distributed Sensor Networks, 2018, 14(8): 1–14.

[15] Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow IJ, Fergus R. Intriguing properties of neural networks. In: Proc. of the 2nd Int’l Conf. on Learning Representations. Banff, 2013.

[16] Jia XJ, Zhang Y, Wu BY, Wang J, Cao XC. Boosting fast adversarial training with learnable adversarial initialization. IEEE Transactions on Image Processing, 2022, 31: 4417–4430. [doi: 10.1109/TIP.2022.3184255]

[17] Bai JW, Chen B, Li YM, Wu DX, Guo WW, Xia ST, Yang EH. Targeted attack for deep hashing based retrieval. In: Proc. of the 16th European Conf. on Computer Vision. Glasgow: Springer, 2020. 618–634.

[18] Jia XJ, Zhang Y, Wu BY, Ma K, Wang J, Cao XC. LAS-AT: Adversarial training with learnable attack strategy. In: Proc. of the 2022 IEEE/CVF Conf. on Computer Vision and Pattern Recognition. New Orleans: IEEE, 2022. 13388–13398.

[19] Wei XX, Liang SY, Chen N, Cao XC. Transferable adversarial attacks for image and video object detection. In: Proc. of the 28th Int’l Joint Conf. on Artificial Intelligence. Macao: AAAI Press, 2019. 954–960.

[20] Dong YP, Pang TY, Su H, Zhu J. Evading defenses to transferable adversarial examples by translation-invariant attacks. In: Proc. of the 2019 IEEE/CVF Conf. on Computer Vision and Pattern Recognition (CVPR). Long Beach: IEEE, 2019. 4307–4316.

[21] Goodfellow IJ, Shlens J, Szegedy C. Explaining and harnessing adversarial examples. In: Proc. of the 3rd Int’l Conf. on Learning Representations. San Diego, 2015.

[22] Moosavi-Dezfooli SM, Fawzi A, Frossard P. DeepFool: A simple and accurate method to fool deep neural networks. In: Proc. of the 2016 IEEE Conf. on Computer Vision and Pattern Recognition. Las Vegas: IEEE, 2016. 2574–2582.

[23] Carlini N, Wagner D. Towards evaluating the robustness of neural networks. In: Proc. of the 2017 IEEE Symp. on Security and Privacy. San Jose: IEEE, 2017. 39–57.

[24] Dong YP, Liao FZ, Pang TY, Su H, Zhu J, Hu XL, Li JG. Boosting adversarial attacks with momentum. In: Proc. of the 2018 IEEE/CVF Conf. on Computer Vision and Pattern Recognition. Salt Lake City: IEEE, 2018. 9185–9193.

[25] Xie CH, Wang JY, Zhang ZS, Zhou YY, Xie LX, Yuille A. Adversarial examples for semantic segmentation and object detection. In: Proc. of the 2017 IEEE Int’l Conf. on Computer Vision. Venice: IEEE, 2017. 1378–1387.

[26] Li YZ, Tian D, Chang MC, Bian X, Lyu S. Robust adversarial perturbation on deep proposal-based models. In: Proc. of the 2018 British Machine Vision Conf. Newcastle: BMVA Press, 2018. 231.

[27] Chow KH, Liu L, Loper M, Bae J, Gursoy ME, Truex S, Wei WQ, Wu YZ. Adversarial objectness gradient attacks in real-time object detection systems. In: Proc. of the 2nd IEEE Int’l Conf. on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA). Atlanta: IEEE, 2020. 263–272.

[28] Baluja S, Fischer I. Adversarial transformation networks: Learning to generate adversarial examples. arXiv:1703.09387, 2017.

[29] Poursaeed O, Katsman I, Gao BC, Belongie S. Generative adversarial perturbations. In: Proc. of the 2018 IEEE/CVF Conf. on Computer Vision and Pattern Recognition. Salt Lake City: IEEE, 2018. 4422–4431.

[30] Naseer M, Khan S, Khan MH, Khan FS, Porikli F. Cross-domain transferability of adversarial perturbations. In: Proc. of the 33rd Int’l Conf. on Neural Information Processing Systems. Vancouver: Curran Associates Inc., 2019. 1156.

[31] Han JF, Dong XY, Zhang RM, Chen DD, Zhang WM, Yu NH, Luo P, Wang XG. Once a MAN: Towards multi-target attack via learning multi-target adversarial network once. In: Proc. of the 2019 IEEE/CVF Int’l Conf. on Computer Vision. Seoul: IEEE, 2019. 5157–5166.

[32] Yang X, Dong Y, Pang T, et al. Boosting transferability of targeted adversarial examples via hierarchical generative networks. In: Proc. of the 17th European Conf. on Computer Vision. Tel Aviv: Springer, 2022. 725–742.

[33] Lin TY, Maire M, Belongie S, Hays J, Perona P, Ramanan D, Dollár P, Zitnick CL. Microsoft COCO: Common objects in context. In: Proc. of the 13th European Conf. on Computer Vision. Zurich: Springer, 2014. 740–755.

[34] Everingham M, Van Gool L, Williams C, Winn J, Zisserman A. The PASCAL visual object classes challenge 2007 (VOC2007) results. 2007. http://host.robots.ox.ac.uk/pascal/VOC/voc2007/

[35] Kurakin A, Goodfellow IJ, Bengio S. Adversarial examples in the physical world. Artificial Intelligence Safety and Security. Chapman and Hall/CRC, 2018. 99–112.

[36] Madry A, Makelov A, Schmidt L, Tsipras D, Vladu A. Towards deep learning models resistant to adversarial attacks. In: Proc. of the 6th Int’l Conf. on Learning Representations (ICLR). Vancouver: OpenReview.net, 2018.

[37] Chen SZ, He ZB, Sun CJ, Yang J, Huang XL. Universal adversarial attack on attention and the resulting dataset DAmagenet. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2022, 44(4): 2188–2197. [doi: 10.1109/TPAMI.2020.3033291]

[38] Wu WB, Su YX, Chen XX, Zhao SL, King I, Lyu MR, Tai YW. Boosting the transferability of adversarial samples via attention. In: Proc. of the 2020 IEEE/CVF Conf. on Computer Vision and Pattern Recognition. Seattle: IEEE, 2020. 1161–1170.

[39] Huang Q, Katsman I, Gu ZQ, He H, Belongie S, Lim SN. Enhancing adversarial example transferability with an intermediate level attack. In: Proc. of the 2019 IEEE/CVF Int’l Conf. on Computer Vision. Seoul, Korea (South): IEEE, 2019. 4732–4741.

[40] Huang Y, Kong AWK. Transferable adversarial attack based on Integrated Gradients. In: Proc. of the 10th Int’l Conf. on Learning Representations. OpenReview.net, 2022.

[41] Lin JD, Song CB, He K, Wang LW, Hopcroft JE. Nesterov accelerated gradient and scale invariance for adversarial attacks. In: Proc. of the 8th Int’l Conf. on Learning Representations. Addis Ababa: OpenReview.net, 2020.

[42] Xie CH, Zhang ZS, Zhou YY, Bai S, Wang JY, Ren Z, Yuille AL. Improving transferability of adversarial examples with input diversity. In: Proc. of the 2019 IEEE/CVF Conf. on Computer Vision and Pattern Recognition. Long Beach: IEEE, 2019. 2725–2734.

[43] Wang GQ, Wei XX, Yan HQ. Improving adversarial transferability with spatial momentum. arXiv:2203.13479, 2022.

[44] Bhagoji AN, He W, Li B, Song D. Practical black-box attacks on deep neural networks using efficient query mechanisms. In: Proc. of the 15th European Conf. on Computer Vision. Munich: Springer, 2018. 158–174.

[45] Chen PY, Zhang H, Sharma Y, Yi JF, Hsieh CJ. Zoo: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: Proc. of the 10th ACM Workshop on Artificial Intelligence and Security. Dallas: ACM, 2017. 15–26.

[46] Tu CC, Ting PS, Chen PY, Liu SJ, Zhang H, Yi JF, Hsieh CJ, Cheng SM. AutoZOOM: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: Proc. of the 33rd AAAI Conf. on Artificial Intelligence and the 31st Innovative Applications of Artificial Intelligence Conf. and the 9th AAAI Symp. on Educational Advances in Artificial Intelligence. Honolulu: AAAI Press, 2019. 92.

[47] Ilyas A, Engstrom L, Athalye A, Lin J. Black-box adversarial attacks with limited queries and information. In: Proc. of the 35th Int’l Conf. on Machine Learning. Stockholm: PMLR, 2018. 2142–2151.

[48] Girshick R. Fast R-CNN. In: Proc. of the 2015 IEEE Int’l Conf. on Computer Vision. Santiago: IEEE, 2015. 1440–1448.

[49] He KM, Gkioxari G, Dollár P, Girshick R. Mask R-CNN. In: Proc. of the 2017 IEEE Int’l Conf. on Computer Vision. Venice: IEEE, 2017. 2980–2988.

[50] Carion N, Massa F, Synnaeve G, Usunier N, Kirillov A, Zagoruyko S. End-to-end object detection with transformers. In: Proc. of the 16th European Conf. on Computer Vision. Glasgow: Springer, 2020. 213–229.

[51] Zhu XZ, Su WJ, Lu LW, Li B, Wang XG, Dai JF. Deformable DETR: Deformable transformers for end-to-end object detection. In: Proc. of the 9th Int’l Conf. on Learning Representations. OpenReview.net, 2021.

[52] 黄立峰, 庄文梓, 廖泳贤, 刘宁. 一种基于进化策略和注意力机制的黑盒对抗攻击算法. 软件学报, 2021, 32(11): 3512–3529. http://www.jos.org.cn/1000-9825/6084.htm

Huang LF, Zhuang WZ, Liao YX, Liu N. Black-box adversarial attack method based on evolution strategy and attention mechanism. Ruan Jian Xue Bao/Journal of Software, 2021, 32(11): 3512–3529 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/6084.htm

[53] Woo S, Park J, Lee JY, Kweon IS. CBAM: Convolutional block attention module. In: Proc. of the 15th European Conf. on Computer Vision (ECCV). Munich: Springer, 2018. 3–19.

[54] Zhang HT, Zhou WG, Li HQ. Contextual adversarial attacks for object detection. In: Proc. of the 2020 IEEE Int’l Conf. on Multimedia and Expo (ICME). London: IEEE, 2020. 1–6.

[55] Zhou BL, Khosla A, Lapedriza A, Oliva A, Torralba A. Learning deep features for discriminative localization. In: Proc. of the 2016 IEEE Conf. on Computer Vision and Pattern Recognition. Las Vegas: IEEE, 2016. 2921–2929.

[56] Selvaraju RR, Cogswell M, Das A, Vedantam R, Parikh D, Batra D. Grad-CAM: Visual explanations from deep networks via gradient-based localization. In: Proc. of the 2017 IEEE Int’l Conf. on Computer Vision. Venice: IEEE, 2017. 618–626.

[57] Chattopadhay A, Sarkar A, Howlader P, Balasubramanian VN. Grad-CAM++: Generalized gradient-based visual explanations for deep convolutional networks. In: Proc. of the 2018 IEEE Winter Conf. on Applications of Computer Vision. Lake Tahoe: IEEE, 2018. 839–847.

[58] Ultralytics. YOLOv5. 2020. https://github.com/ultralytics/yolov5

[59] Lin TY, Goyal P, Girshick R, He KM, Dollár P. Focal loss for dense object detection. In: Proc. of the 2017 IEEE Int’l Conf. on Computer Vision. Venice: IEEE, 2017. 2999–3007.

[60] Li X, Wang WH, Hu XL, Yang J. Selective kernel networks. In: Proc. of the 2019 IEEE/CVF Conf. on Computer Vision and Pattern Recognition. Long Beach: IEEE, 2019. 510–519.

[61] Kingma DP, Ba J. Adam: A method for stochastic optimization. In: Proc. of the 3rd Int’l Conf. on Learning Representations. San Diego, 2015.

[62] Benesty J, Chen JD, Huang YT, Cohen I. Pearson correlation coefficient. In: Cohen I, Huang YT, Chen JD, Benesty J, eds. Noise Reduction in Speech Processing. Berlin: Springer, 2009. 1–4.

引用本文

陆宇轩,刘泽禹,罗咏刚,邓森友,江天,马金燕,董胤蓬.基于生成对抗网络的目标检测黑盒迁移攻击算法.软件学报,2024,35(7):3531-3550

复制

文章指标

点击次数:926
下载次数: 1993
HTML阅读次数: 821
引用次数: 0

历史

收稿日期:2022-11-27
最后修改日期:2023-01-14
录用日期:
在线发布日期: 2023-08-23
出版日期: 2024-07-06

微信服务号

微信订阅号

引用本文

相关视频

分享

文章指标

历史

文章二维码

微信服务号

微信订阅号

引用本文

相关视频

分享

微信扫一扫：分享

文章指标

历史

文章二维码