局部可视对抗扰动生成方法

doi:10.16451/j.cnki.issn1003-6059.202001002

摘要
图/表
参考文献
相关文章 (2)

全文: PDF (3581 KB) HTML (1 KB)
输出: BibTeX | EndNote (RIS)

摘要深度神经网络极易受到局部可视对抗扰动的攻击.文中以生成对抗网络为基础,提出局部可视对抗扰动生成方法.首先,指定被攻击的分类网络作为判别器,并在训练过程中固定参数不变.再构建生成器模型,通过优化欺骗损失、多样性损失和距离损失,使生成器产生局部可视对抗扰动,并叠加在不同输入样本的任意位置上攻击分类网络.最后,提出类别比较法,分析局部可视对抗扰动的有效性.在公开的图像分类数据集上实验表明,文中方法攻击效果较好.

	服务

	把本文推荐给朋友
	加入我的书架
	加入引用管理器
	E-mail Alert
	RSS
	作者相关文章
	周星宇
	潘志松
	胡谷雨
	段晔鑫

关键词 ：对抗扰动, 局部的, 可视的, 生成对抗网络(GAN)

Abstract：Deep neural network is susceptible to the disturbance of adversarial attacks. Based on the generative adversarial networks, a novel model of GAN for generating localized and visible adversarial perturbation(G₂LVAP) is proposed. Firstly, the attacked classification network is designated as a discriminator, and its parameters are fixed during the training process. The generator model is constructed to generate localized and visible adversarial perturbations by optimizing fooling loss, diversity loss and distance loss. The generated perturbations can be placed anywhere in different input examples to attack the classification network. Finally, a class comparison method is proposed to analyze the effectiveness of localized and visible adversarial perturbations. Experiments on public image classification datasets indicate that G₂LVAP produces a satisfactory attack effect.

Key words： Adversarial Perturbation Localized Visible Generative Adversarial Network(GAN)

收稿日期: 2019-08-28

ZTFLH:

TP 181

基金资助:国家重点研发计划项目(No.2017YFB0802800)、国家自然科学基金项目(No.61473149)资助

通讯作者: 潘志松,博士,教授,主要研究方向为模式识别、机器学习.E-mail:panzs@nuaa.edu.cn.

作者简介: 周星宇,博士研究生,讲师,主要研究方向为计算机视觉、对抗样本.E-mail:universezhou@sina.cn.胡谷雨,博士,教授,主要研究方向为计算机网络、通信网络管理、网络智能化技术.E-mail:huguyu@189.com.段晔鑫,博士研究生,讲师,主要研究方向为对抗样本、图像识别.E-mail:duanyexin0713@163.com.

引用本文:

周星宇, 潘志松, 胡谷雨, 段晔鑫. 局部可视对抗扰动生成方法[J]. 模式识别与人工智能, 2020, 33(1): 11-20. ZHOU Xingyu, PAN Zhisong, HU Guyu, DUAN Yexin. Generation of Localized and Visible Adversarial Perturbations. , 2020, 33(1): 11-20.

链接本文:

http://manu46.magtech.com.cn/Jweb_prai/CN/10.16451/j.cnki.issn1003-6059.202001002 或 http://manu46.magtech.com.cn/Jweb_prai/CN/Y2020/V33/I1/11

[1] BIGGIO B, FUMERA G, ROLI F. Pattern Recognition Systems under Attack: Design Issues and Research Challenges. International Journal of Pattern Recognition and Artificial Intelligence, 2014, 28(7). DOI: 10.1142/S0218001414600027.
[2] HUANG L, JOSEPH A D, NELSON B, et al. Adversarial Machine Learning // Proc of the 4th ACM Workshop on Security and Artificial Intelligence. New York, USA: ACM, 2011: 43-58.
[3] SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing Properties of Neural Networks[C/OL]. [2019-07-28]. https://arxiv.org/pdf/1312.6199.pdf.
[4] GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and Har-nessing Adversarial Examples[C/OL]. [2019-07-28]. https://arxiv.org/pdf/1412.6572.pdf.
[5] BRENDEL W, RAUBER J, BETHGE M. Decision-Based Adversa-rial Attacks: Reliable Attacks against Black-Box Machine Learning Models[C/OL]. [2019-07-28]. https://arxiv.org/pdf/1712.04248.pdf.
[6] CARLINI N, WAGNER D. Towards Evaluating the Robustness of Neural Networks // Proc of the IEEE Symposium on Security and Privacy. Washington, USA: IEEE, 2017: 39-57.
[7] CHEN P Y, SHARMA Y, ZHANG H, et al. EAD: Elastic-Net Attacks to Deep Neural Networks via Adversarial Examples[C/OL]. [2019-07-28]. https://arxiv.org/pdf/1709.04114.pdf.
[8] MOOSAVI-DEZFOOLI S M, FAWZI A, FROSSARD P. DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks // Proc of the IEEE Conference on Computer Vision and Pattern Recognition. Washington, USA: IEEE, 2016: 2574-2582.
[9] MOPURI K R, GANESHAN A, BABU R V. Generalizable Data-Free Objective for Crafting Universal Adversarial Perturbations. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2019, 41(10): 2452-2465.
[10] HAYES J, DANEZIS G. Learning Universal Adversarial Perturbations with Generative Models // Proc of the IEEE Security and Privacy Workshops. Washington, USA: IEEE, 2018: 43-49.
[11] MOOSAVI-DEZFOOLI S M, FAWZI A, FAWZI O, et al. Universal Adversarial Perturbations // Proc of the IEEE Conference on Computer Vision and Pattern Recognition. Washington, USA: IEEE, 2017: 1765-1773.
[12] MOPURI K R, OJHA U, GARG U, et al. NAG: Network for Adversary Generation // Proc of the IEEE Conference on Computer Vision and Pattern Recognition. Washington, USA: IEEE, 2018: 742-751.
[13] KARMON D, ZORAN D, GOLDBERG Y. LaVAN: Localized and Visible Adversarial Noise[C/OL]. [2019-07-28]. https://arxiv.org/pdf/1801.02608.pdf.
[14] MOOSAVI-DEZFOOLI S M, FAWZI A, FAWZI O, et al. Robustness of Classifiers to Universal Perturbations: A Geometric Perspective[C/OL]. [2019-07-28]. https://openreview.net/pdf?id=ByrZyglCb.
[15] BROWN T B, MANÉ D, ROY A, et al. Adversarial Patch[C/OL]. [2019-07-28]. https://arxiv.org/pdf/1712.09665.pdf.
[16] GOODFELLOW I, POUGET-ABADIE J, MIRZA M, et al. Gene-rative Adversarial Nets // Proc of the 27th International Conference on Neural Information Processing Systems. Cambridge, USA: The MIT Press, 2014, I: 2672-2680.
[17] KINGMA D P, BA J L. ADAM: A Method for Stochastic Optimization[C/OL]. [2019-07-28]. https://arxiv.org/pdf/1412.6980v8.pdf.
[18] DENG J, DONG W, SOCHER R, et al. ImageNet: A Large-Scale Hierarchical Image Database // Proc of the IEEE Conference on Computer Vision and Pattern Recognition. Washington, USA: IEEE, 2009: 248-255.
[19] SZEGEDY C, VANHOUCKE V, LOFFE S, et al. Rethinking the Inception Architecture for Computer Vision // Proc of the IEEE Conference on Computer Vision and Pattern Recognition. Washington, USA: IEEE, 2016: 2818-2826.
[20] LEI N, LUO Z X, YAU S T, et al. Geometric Understanding of Deep Learning[C/OL]. [2019-07-28]. https://arxiv.org/pdf/1805.10451.pdf.