Journal of Xidian University ›› 2021, Vol. 48 ›› Issue (1): 149-159. doi: 10.19665/j.issn1001-2400.2021.01.017
TargetedFool: an algorithm for achieving targeted attacks
ZHANG Hua, GAO Haoran, YANG Xingguo, LI Wenmin, GAO Fei, WEN Qiaoyan
Received: 2020-11-02
Online: 2021-02-20
Published: 2021-02-03
Contact: GAO Haoran
About the author: ZHANG Hua (1978-), female, associate professor, PhD, E-mail:
Funding:
Abstract:
With the development of artificial intelligence, deep neural networks are widely used in face recognition, speech recognition, image recognition and autonomous driving. Because a slight perturbation is enough to make a deep neural network misclassify, achieving a specified attack effect within a limited time is one of the focal points of adversarial attack research. To address the long perturbation-generation time and the visibility of the perturbation to the human eye in existing targeted adversarial attack algorithms, this paper proposes TargetedFool, a DeepFool-based algorithm for generating targeted adversarial examples on typical convolutional neural networks. Extensive experiments show that TargetedFool achieves targeted adversarial attacks on MNIST, CIFAR-10 and ImageNet. On ImageNet, TargetedFool reaches a fooling rate of 99.8% in an average of 2.84 s. In addition, the paper analyses why DeepFool-based attack algorithms cannot produce targeted universal adversarial perturbations.
CLC number:
Cite this article: ZHANG Hua, GAO Haoran, YANG Xingguo, LI Wenmin, GAO Fei, WEN Qiaoyan. TargetedFool: an algorithm for achieving targeted attacks[J]. Journal of Xidian University, 2021, 48(1): 149-159.
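The abstract describes TargetedFool only as a DeepFool-based targeted variant, and Tables 2 and 3 report its iteration count, time and perturbation size per classifier. The Python example below is added here to make the mechanics concrete; it is not the authors' code. On a constructed two-dimensional toy model it runs the untargeted DeepFool step (move toward the nearest linearised decision boundary, as in reference [7]) beside a targeted variant that always steps toward a chosen class. The toy model, its weights, the start point `X_START` and the targeted step rule are assumptions for illustration; the paper's actual TargetedFool update is not reproduced on this page.

```python
"""Targeted vs. untargeted DeepFool-style attack on a constructed toy classifier.

Added illustration: this is NOT the TargetedFool code of Zhang et al.; the
model, its weights, the start point and the targeted step rule are assumptions.
"""
import math


def logits(x):
    """Three class scores for a 2-D input (constructed toy model, an assumption).
    Classes 0 and 1 are affine; class 2 is a concave bump centred at (2, 2), so a
    single linearised step undershoots and the attack has to iterate."""
    x0, x1 = x
    return [2.0 - x0 - x1,
            x0 - x1,
            3.0 - 0.5 * ((x0 - 2.0) ** 2 + (x1 - 2.0) ** 2)]


def grad_logits(x):
    """Analytic gradients of the three logits w.r.t. x, one row per class.
    A real attack gets these from the framework's autodiff (cf. [16], [17])."""
    x0, x1 = x
    return [[-1.0, -1.0], [1.0, -1.0], [2.0 - x0, 2.0 - x1]]


def predict(x):
    z = logits(x)
    return max(range(len(z)), key=z.__getitem__)


def norm(v):
    return math.sqrt(sum(c * c for c in v))


def deepfool(x_start, target=None, max_iter=50, overshoot=0.02):
    """One DeepFool [7] run.

    target=None: at each step move toward the nearest linearised decision
                 boundary (the untargeted rule of the original paper).
    target=t:    always move toward the boundary of class t (targeted variant,
                 an assumption about how a DeepFool-based targeted attack steps).
    Returns (x_adv, r, iterations, success) with r = x_adv - x_start.
    """
    x0 = list(x_start)
    k0 = predict(x0)
    x, r_tot = list(x0), [0.0] * len(x0)
    for it in range(max_iter):
        k = predict(x)
        reached = (k == target) if target is not None else (k != k0)
        if reached:
            return x, [a - b for a, b in zip(x, x0)], it, True
        z, g = logits(x), grad_logits(x)
        candidates = [target] if target is not None else [j for j in range(len(z)) if j != k]
        best = None
        for j in candidates:
            w = [gj - gk for gj, gk in zip(g[j], g[k])]   # gradient of f_j - f_k
            f_diff = z[j] - z[k]                           # negative while k wins
            dist = abs(f_diff) / (norm(w) + 1e-12)         # linearised distance
            if best is None or dist < best[0]:
                best = (dist, w, f_diff)
        _, w, f_diff = best
        # minimal step that puts the linearised f_j - f_k at zero (+ tiny margin)
        scale = (abs(f_diff) + 1e-4) / (norm(w) ** 2 + 1e-12)
        r_tot = [r + scale * c for r, c in zip(r_tot, w)]
        # DeepFool applies the accumulated perturbation with a small overshoot
        # so the point lands just past the boundary instead of on it
        x = [a + (1.0 + overshoot) * b for a, b in zip(x0, r_tot)]
    return x, [a - b for a, b in zip(x, x0)], max_iter, False


def perturbation_ratio(x_start, r):
    """rho = ||r||_2 / ||x||_2, the relative perturbation measure used by DeepFool."""
    return norm(r) / norm(x_start)


X_START = [0.2, 0.1]   # constructed input; the toy model labels it class 0


if __name__ == "__main__":
    for tgt in (None, 1, 2):
        x_adv, r, iters, ok = deepfool(X_START, target=tgt)
        print(f"target={tgt}: class {predict(X_START)} -> {predict(x_adv)}, "
              f"iterations={iters}, success={ok}, ||r||={norm(r):.3f}, "
              f"rho={perturbation_ratio(X_START, r):.2f}")
```

Running it prints, for the untargeted run and for each target class, the class change, the number of iterations and the perturbation norm together with DeepFool's relative measure rho. From `X_START` the untargeted run picks class 2 as the nearest boundary and needs two re-linearisations because that logit is concave; forcing class 1 instead succeeds in one step but with a larger perturbation. That is the same trend Table 3 reports: the TargetedFool perturbation column exceeds the DeepFool column on every classifier, because the attacker no longer gets to pick the cheapest boundary.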
Table 2 Test results

| Classifier | Top-1 error/% | Top-5 error/% | Iterations | Time/s | Perturbation | Perturbation, second measure (column header missing in source) |
|---|---|---|---|---|---|---|
| DenseNet-121 | 25.35 | 7.83 | 10 | 1.13 | 5.26 | 7.80×10^-3 |
| Inception-v3 | 22.55 | 6.44 | 32 | 3.01 | 5.58 | 1.19×10^-2 |
| ResNet-152 | 21.69 | 5.94 | 12 | 1.58 | 3.85 | 9.18×10^-3 |
| ResNet-34 | 26.70 | 8.58 | 10 | 0.45 | 3.83 | 9.04×10^-3 |
| VGG-19 | 27.62 | 9.12 | 13 | 0.71 | 3.59 | 8.40×10^-3 |
| VGG-16 | 28.41 | 9.62 | 12 | 0.63 | 3.42 | 7.99×10^-3 |
Table 3 Comparison of the TargetedFool and DeepFool algorithms

| Classifier (dataset) | Test error/% | TargetedFool time/s | TargetedFool perturbation | DeepFool time/s | DeepFool perturbation |
|---|---|---|---|---|---|
| LeNet (MNIST) | 1.00 | 0.07 | 3.31 | 0.05 | 1.94 |
| AlexNet (CIFAR-10) | 22.60 | 0.07 | 0.75 | 0.06 | 0.05 |
| Inception-v3 (ILSVRC2012) | 31.30 | 3.01 | 5.58 | 0.78 | 0.76 |
| ResNet-152 (ILSVRC2012) | 26.70 | 1.58 | 3.85 | 1.56 | 0.84 |
| DenseNet-121 (ILSVRC2012) | 25.40 | 1.13 | 5.26 | 1.22 | 0.69 |
References

[1] CHENG S, DONG Y, PANG T, et al. Improving Black-box Adversarial Attacks with a Transfer-based Prior[C/OL]. [2020-10-22]. https://arxiv.org/abs/1906.06919.
[2] ZHAO Z, DUA D, SINGH S. Generating Natural Adversarial Examples[C/OL]. [2020-10-22]. https://openreview.net/pdf?id=H1BLjgZCb.
[3] ILYAS A, ENGSTROM L, ATHALYE A, et al. Black-box Adversarial Attacks with Limited Queries and Information[C/OL]. [2020-10-22]. https://arxiv.org/pdf/1804.08598.pdf.
[4] ILYAS A, ENGSTROM L, MADRY A. Prior Convictions: Black-box Adversarial Attacks with Bandits and Priors[C/OL]. [2020-10-22]. https://arxiv.org/pdf/1807.07978.pdf.
[5] GUO C, GARDNER J R, YOU Y, et al. Simple Black-box Adversarial Attacks[C/OL]. [2020-10-22]. https://arxiv.org/abs/1905.07121.
[6] GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and Harnessing Adversarial Examples[C/OL]. [2020-10-22]. https://arxiv.org/pdf/1412.6572.pdf.
[7] MOOSAVI-DEZFOOLI S M, FAWZI A, FROSSARD P. DeepFool: a Simple and Accurate Method to Fool Deep Neural Networks[C]//Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE, 2016: 2574-2582.
[8] THYS S, VAN RANST W, GOEDEME T. Fooling Automated Surveillance Cameras: Adversarial Patches to Attack Person Detection[C/OL]. [2020-10-22]. https://arxiv.org/abs/1904.08653v1.
[9] LI J, JI S, DU T, et al. TextBugger: Generating Adversarial Text against Real-world Applications[C/OL]. [2020-10-22]. https://arxiv.org/pdf/1812.05271.pdf.
[10] BRENDEL W, RAUBER J, BETHGE M. Decision-based Adversarial Attacks: Reliable Attacks against Black-box Machine Learning Models[C/OL]. [2020-10-22]. https://arxiv.org/pdf/1712.04248.pdf.
[11] SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing Properties of Neural Networks[C/OL]. [2020-10-22]. https://arxiv.org/abs/1312.6199.
[12] OREN S S. On the Selection of Parameters in Self Scaling Variable Metric Algorithms[J]. Mathematical Programming, 1974, 7(1): 351-367.
[13] KURAKIN A, GOODFELLOW I, BENGIO S. Adversarial Examples in the Physical World[C/OL]. [2020-10-22]. https://arxiv.org/abs/1607.02533.
[14] PAPERNOT N, MCDANIEL P, JHA S, et al. The Limitations of Deep Learning in Adversarial Settings[C/OL]. [2020-10-22]. https://arxiv.org/pdf/1511.07528.pdf.
[15] MOOSAVI-DEZFOOLI S M, FAWZI A, FAWZI O, et al. Universal Adversarial Perturbations[C]//Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE, 2017: 1765-1773.
[16] ABADI M, AGARWAL A, BARHAM P, et al. TensorFlow: Large-scale Machine Learning on Heterogeneous Distributed Systems[EB/OL]. [2020-10-16]. https://arxiv.org/pdf/1603.04467v1.pdf.
[17] PAPERNOT N, GOODFELLOW I, SHEATSLEY R, et al. CleverHans v2.0.0: an Adversarial Machine Learning Library[EB/OL]. [2020-10-20]. https://arxiv.org/pdf/1610.00768v4.pdf.
[18] LECUN Y, CORTES C. The MNIST Database of Handwritten Digits[EB/OL]. [2020-10-20]. https://www.researchgate.net/publication/247931959_The_mnist_database_of_handwritten_digits.
[19] KRIZHEVSKY A. Learning Multiple Layers of Features from Tiny Images[D/OL]. [2020-10-16]. http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=6A53249D656707B0A5E27DEC73ABF8B2?doi=10.1.1.222.9220&rep=rep1&type=pdf.
[20] DENG J, DONG W, SOCHER R, et al. ImageNet: a Large-scale Hierarchical Image Database[C]//Proceedings of the 2009 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE, 2009: 248-255.
[21] LECUN Y, HAFFNER P, BOTTOU L, et al. Object Recognition with Gradient-based Learning[C]//Lecture Notes in Computer Science: 1681. Berlin: Springer Verlag, 1999: 319-345.
[22] KRIZHEVSKY A, SUTSKEVER I, HINTON G E. ImageNet Classification with Deep Convolutional Neural Networks[C]//Advances in Neural Information Processing Systems: 2. Vancouver: Neural Information Processing Systems Foundation, 2012: 1097-1105.
[23] SZEGEDY C, VANHOUCKE V, IOFFE S, et al. Rethinking the Inception Architecture for Computer Vision[C]//Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition. Washington: IEEE Computer Society, 2016: 2818-2826.
[24] HE K, ZHANG X, REN S, et al. Deep Residual Learning for Image Recognition[C]//Proceedings of the 2016 IEEE Computer Society Conference on Computer Vision and Pattern Recognition. Washington: IEEE Computer Society, 2016: 770-778.
[25] HUANG G, LIU Z, VAN DER MAATEN L, et al. Densely Connected Convolutional Networks[C]//Proceedings of the 2017 30th IEEE Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE, 2017: 2261-2269.
[26] YUAN X, HE P, ZHU Q, et al. Adversarial Examples: Attacks and Defenses for Deep Learning[J]. IEEE Transactions on Neural Networks and Learning Systems, 2019, 30(9): 2805-2824. doi: 10.1109/TNNLS.2018.2886017. pmid: 30640631.
[27] SIMONYAN K, ZISSERMAN A. Very Deep Convolutional Networks for Large-scale Image Recognition[C]//Proceedings of the 2015 3rd International Conference on Learning Representations. San Diego: ICLR, 2015: 149801.
[28] KURAKIN A, GOODFELLOW I J, BENGIO S. Adversarial Machine Learning at Scale[C]//Proceedings of the 2017 5th International Conference on Learning Representations. San Diego: ICLR, 2017: 149804.
[29] PAPERNOT N, MCDANIEL P, WU X, et al. Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks[C]//Proceedings of the 2016 IEEE Symposium on Security and Privacy. Piscataway: IEEE, 2016: 582-597.
[30] SAMANGOUEI P, KABKAB M, CHELLAPPA R. Defense-GAN: Protecting Classifiers against Adversarial Attacks Using Generative Models[C]//Proceedings of the 2018 6th International Conference on Learning Representations. San Diego: ICLR, 2018: 149806.