用于白盒目标攻击的GAN对抗样本生成

doi:10.16451/j.cnki.issn1003-6059.202009007

摘要
图/表
参考文献
相关文章 (2)

全文: PDF (1527 KB) HTML (1 KB)
输出: BibTeX | EndNote (RIS)

摘要深度神经网络易受对抗样本攻击的影响并产生错误输出,传统的生成对抗样本的方法都是从优化角度生成对抗样本.文中提出基于生成对抗网络(GAN)的对抗样本生成方法,使用GAN进行白盒目标攻击,训练好的生成器对输入样本产生扰动,生成对抗样本.使用四种损失函数约束生成对抗样本的质量并提高攻击成功率.在MNIST、CIFAR-10、ImageNet数据集上的大量实验验证文中方法的有效性,文中方法的攻击成功率较高.

	服务

	把本文推荐给朋友
	加入我的书架
	加入引用管理器
	E-mail Alert
	RSS
	作者相关文章
	张高志
	刘新平
	邵明文

关键词 ：对抗样本, 生成对抗网络(GAN), 目标攻击, 白盒攻击

Abstract：Deep neural networks(DNNs) are easily affected by adversarial examples and consequently generate wrong outputs. Adversarial examples are generated by the traditional methods from an optimization perspective. In this paper, a method for generating adversarial examples is proposed with generative adversarial network(GAN) and GAN is exploited for target attack in the white-box setting. Adversarial perturbations are generated by a trained generator to form adversarial examples. Four kinds of loss functions are utilized to constrain the quality of adversarial examples and improve attack success rates. The effectiveness of the proposed method is testified through extensive experiments on MNIST, CIFAR-10 and ImageNet datasets and the proposed method produces higher attack success rates.

Key words： Adversarial Example Generative Adversarial Network(GAN) Target Attack White-Box Attack

收稿日期: 2020-06-15

ZTFLH:

TP 181

基金资助:国家自然科学基金项目(No.61673396)资助

通讯作者: 邵明文,博士,教授,主要研究方向为粗糙集、粒计算、深度学习.E-mail:smw278@126.com.

作者简介: 张高志,硕士研究生,主要研究方向为对抗机器学习.E-mail:upczgz@163.com.刘新平,博士,副教授,主要研究方向为计算机智能控制、智能信息处理.E-mail: liuxinp@upc.edu.cn.

引用本文:

张高志, 刘新平, 邵明文. 用于白盒目标攻击的GAN对抗样本生成[J]. 模式识别与人工智能, 2020, 33(9): 830-838. ZHANG Gaozhi, LIU Xinping, SHAO Mingwen. Generating Adversarial Example with GAN for White-Box Target Attacks. , 2020, 33(9): 830-838.

链接本文:

http://manu46.magtech.com.cn/Jweb_prai/CN/10.16451/j.cnki.issn1003-6059.202009007 或 http://manu46.magtech.com.cn/Jweb_prai/CN/Y2020/V33/I9/830

[1] CHEN P Y, SHARMA Y, ZHANG H, et al. EAD: Elastic-Net: Attacks to Deep Neural Networks via Adversarial Examples[C/OL]. [2020-03-14].https://arxiv.org/pdf/1709.04114.pdf.
[2] MOPURI K R, GANESHAN A, BABU R V. Generalizable Data-Free Objective for Crafting Universal Adversarial Perturbations. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2019, 41(10): 2452-2465.
[3] MOPURI K R, OJHA U, GARG U, et al. NAG: Network for Adversary Generation // Proc of the IEEE Conference on Computer Vision and Pattern Recognition. Washington, USA: IEEE, 2018: 742-751.
[4] MOOSAVI-DEZFOOLI S M, FAWZI A, FROSSARD P. DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks // Proc of the IEEE Conference on Computer Vision and Pattern Recognition. Washington, USA: IEEE, 2016: 2574-2582.
[5] HAYES J, DANEZIS G. Learning Universal Adversarial Perturbations with Generative Models // Proc of the IEEE Security and Privacy Workshops. Washington, USA: IEEE, 2018: 43-49.
[6] SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing Properties of Neural Networks [C/OL]. [2020-03-14]. https://arxiv.org/pdf/1312.6199.pdf.
[7] GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and Harnessing Adversarial Examples[C/OL]. [2020-03-14]. https://arxiv.org/pdf/1412.6572.pdf.
[8] MA X J, NIU Y H, GU L, et al. Understanding Adversarial Attacks on Deep Learning Based Medical Image Analysis Systems [C/OL]. [2020-03-14]. https://doi.org/10.1016/j.patcog.2020.107332.
[9] EYKHOLT K, EVTIMOV I, FERNANDES E, et al. Robust Physical-World Attacks on Deep Learning Visual Classification // Proc of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Washington, USA: IEEE, 2018: 1625-1634.
[10] HORNIK K, STINCHCOMBE M B, WHITE H, et al. Multilayer Feedforward Networks Are Universal Approximators. Neural Networks, 1989, 2(5): 359-366.
[11] YU P, SONG K T, LU J F, et al. Generating Adversarial Examples with Conditional Generative Adversarial Net // Proc of the 24th International Conference on Pattern Recognition. Washington, USA: IEEE, 2018: 676-681.
[12] KURAKIN A, GOODFELLOW I J, BENGIO S, et al. Adversarial Examples in the Physical World[C/OL]. [2020-03-14]. https://arxiv.org/pdf/1607.02533.pdf.
[13] CARLINI N, WAGNER D. Towards Evaluating the Robustness of Neural Networks // Proc of the IEEE Symposium on Security and Privacy. Washington, USA: IEEE, 2017: 39-57.
[14] GOODFELLOW I J, POUGET-ABADIE J, MIRZA M, et al. Generative Adversarial Nets // Proc of the 27th International Confe-rence on Advances in Neural Information Processing Systems. Cambridge, USA: The MIT Press, 2014, II: 2672-2680.
[15] DONG Y P, LIAO F Z, PANG T Y, et al. Boosting Adversarial Attacks with Momentum // Proc of the IEEE Conference on Computer Vision and Pattern Recognition. Washington, USA: IEEE, 2018: 9185-9193.
[16] XIE C H, ZHANG Z S, WANG J Y, et al. Improving Transferability of Adversarial Examples with Input Diversity // Proc of the IEEE Conference on Computer Vision and Pattern Recognition. Washington, USA: IEEE, 2019: 2730-2739.
[17] TRAMER F, KURAKIN A, PAPERNOT N, et al. Ensemble Adversarial Training: Attacks and Defenses[C/OL]. [2020-03-14]. https://arxiv.org/pdf/1705.07204.pdf.
[18] MADRY A, MAKELOV A, SCHMIDT L, et al. Towards Deep Learning Models Resistant to Adversarial Attacks [C/OL]. [2020-03-14]. https://arxiv.org/pdf/1706.06083.pdf.
[19] ZHU J Y, PARK T S, ISOLA P, et al. Unpaired Image-to-Image Translation Using Cycle-Consistent Adversarial Networks // Proc of the IEEE International Conference on Computer Vision. Washington, USA: IEEE, 2017: 2242-2251.
[20] ULYANOV D, VEDALDI A, LEMPITSKY V, et al. Instance Normalization: The Missing Ingredient for Fast Stylization [C/OL]. [2020-03-14]. https://arxiv.org/pdf/1607.08022.pdf.
[21] KURAKIN A, GOODFELLOW I J, BENGIO S, et al. Adversarial Attacks and Defences Competition // ESCALERA S, WEIMER M, eds. The NIPS′17 Competition: Building Intelligent Systems. Berlin, Germany: Springer, 2018: 195-231.
[22] XIAO C W, LI B, ZHU J Y, et al. Generating Adversarial Examples with Adversarial Networks // Proc of the 27th International Joint Conference on Artificial Intelligence. Berlin, Germany: Springer, 2018: 3905-3911.
[23] GULRAJANI I, AHMED F, ARJOVSKY M, et al. Improved Training of Wasserstein GANs // Proc of the 30th International Conference on Advances in Neural Information Processing Systems. Cambridge, USA: The MIT Press, 2017: 5769-5779.
[24] HE K M, ZHANG X Y, REN S Q, et al. Deep Residual Learning for Image Recognition // Proc of the IEEE Conference on Computer Vision and Pattern Recognition. Washington, USA: IEEE, 2016: 770-778.
[25] ZAGORUYKO S, KOMODAKIS N. Wide Residual Networks [C/OL]. [2020-03-14]. https://arxiv.org/pdf/1605.07146.pdf.
[26] SZEGEDY C, VANHOUCKE V, IOFFE S, et al. Rethinking the Inception Architecture for Computer Vision // Proc of the IEEE Conference on Computer Vision and Pattern Recognition. Washington, USA: IEEE, 2016: 2818-2826.
[27] SZEGEDY C, IOFFE S, VANHOUCKE V, et al. Inception-v4, Inception-ResNet and the Impact of Residual Connections on Learning // Proc of the 31st AAAI Conference on Artificial Intelligence. Palo Alto, USA: AAAI Press, 2017: 4278-4284.
[28] KINGMA D P, BA J. Adam: A Method for Stochastic Optimiza-tion [C/OL]. [2020-03-14]. https://arxiv.org/pdf/1412.6980.pdf.