针对深度神经网络的高效光学对抗攻击

doi:10.19665/j.issn1001-2400.20241201

摘要/Abstract

摘要：

随着对抗攻击算法的不断更新,深度神经网络面临的安全风险愈加严峻。由于光学现象在真实世界中出现频繁,对光学对抗攻击的抗干扰能力直观反应了深度神经网络在实际应用中的安全性。然而,目前光学对抗攻击方面的研究普遍存在光学对抗扰动失真和优化不稳定的问题。为此,提出了一种新型光学攻击方法AdvFlare,以便于探究眩光扰动对深度神经网络安全性的影响。AdvFlare构造了一种参数化的眩光仿真模型,该模型对眩光的形状和颜色等多个属性进行建模,仿真效果好。在此基础上,提出了参数空间限制、随机初始化和分步优化的策略,解决了对抗扰动失真与收敛困难的问题。实验结果表明,与现有方法相比,AdvFlare能够以极高的成功率让深度神经网络误分类,具有稳定和扰动逼真度高的优点。此外,还发现,无论在数字域还是物理域,利用AdvFlare进行对抗训练能够显著提高深度神经网络的抗干扰能力,对提高公共交通场景下的模型鲁棒性有启发作用。

关键词: 深度神经网络, 对抗攻击, 眩光效应, 模型鲁棒性, 对抗训练

Abstract:

With the continuous advancement of adversarial attack algorithms,the security risks that deep neural networks face are increasingly severe.Optical phenomena frequently occur in real-world scenarios,and the robustness against optical adversarial attacks directly reflects the safety of deep neural networks.Nevertheless,current research on optical adversarial attacks commonly encounters challenges such as optical perturbation distortion and optimization instability.To solve this problem,this paper proposes a novel optical attack method named AdvFlare,to help explore the effect of flare perturbations on the safety of deep neural networks.AdvFlare constructs a parameterized flare simulation model,which models the multiple attributes of the flare pattern,such as shape and color,with great simulation,on the basis of which this paper addresses the problems of adversarial perturbation distortion and convergence difficulties through strategies such as parameter space constraints,random initialization,and stepwise optimization.Experimental results indicate that AdvFlare can induce misclassification in deep neural networks with a significantly higher success rate compared to existing methods,while also offering a superior visual perturbation quality and stability.Furthermore,it is discovered that adversarial training using AdvFlare can markedly enhance the robustness of deep neural networks,in both the digital and physical world,providing valuable insights for improving model robustness in public transportation contexts.

Key words: deep neural networks, adversarial attacks, flare effect, model robustness, adversarial training

中图分类号:

TP183

戚富琪, 高海昌, 李博凌, 邹翔. 针对深度神经网络的高效光学对抗攻击[J]. 西安电子科技大学学报, 2025, 52(2): 1-12.

QI Fuqi, GAO Haichang, LI Boling, ZOU Xiang. Effective adversarial optical attacks on deep neural networks[J]. Journal of Xidian University, 2025, 52(2): 1-12.

图/表 7

图1

表1

图2

表2

图3

表3

表4

参考文献 35

[1]	SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing Properties of Neural Networks(2013)[J/OL].[2013-12-21]. https://arxiv.org/abs/1312.6199v1.
[2]	BROWN T B, MANE D, ROY A, et al. Adversarial Patch(2017)[J/OL].[2017-12-27]. https://arxiv.org/abs/1712.09665v1.
[3]	ZHONG Y, LIU X, ZHAI D, et al. Shadows Can Be Dangerous:Stealthy and Effective Physical-World Adversarial Attack by Natural Phenomenon[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE, 2022:15345-15354.
[4]	SHAFAHI A, NAJIBI M, GHIASI M A, et al. Adversarial Training for Free![C]// Advances in Neural Information Processing Systems. Cambridge: MIT Press, 2019:3358-3369.
[5]	ZHANG H, YU Y, JIAO J, et al. Theoretically Principled Trade-off between Robustness and Accuracy[C]// International Conference on Machine Learning. New York: PMLR, 2019:7472-7482.
[6]	MAO T, MULLER M N, FISCHER M, et al. Connecting Certified and Adversarial Training[C]// Proceedings of the 37th International Conference on Neural Information Processing Systems. Cambridge: MIT Press, 2023:73422-73440.
[7]	GOODFELLOW I J, SHLENS J, SZEGEDY C, et al. Explaining and Harnessing Adversarial Examples(2014)[J/OL].[2014-12-20]. https://arxiv.org/abs/1412.6572v1.
[8]	DONG Y, LIAO F, PANG T, et al. Boosting Adversarial Attacks with Momentum[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE, 2018:9185-9193.
[9]	XIAO C, LI B, ZHU J, et al. Generating Adversarial Examples with Adversarial Networks(2018)[J/OL].[2018-01-08]. https://arxiv.org/abs/1801.02610v1.
[10]	CHEN B, YIN J, CHEN S, et al. An Adaptive Model Ensemble Adversarial Attack for Boosting Adversarial Transferability[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision. Piscataway:IEEE, 2023:4489-4498.
[11]	PARK J, MILLER P, MCLAUGHLIN N. Hard-Label Based Small Query Black-Box Adversarial Attack[C]//Proceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision. Piscataway:IEEE, 2024:3986-3995.
[12]	CHEN J, CHEN H, CHEN K, et al. Diffusion Models for Imperceptible and Transferable Adversarial Attack[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2024:1-17.
[13]	HSIAO T F, HUANG B L, NI Z X, et al. Natural Light Can Also Be Dangerous:Traffic Sign Misinterpretation Under Adversarial Natural Light Attacks[C]//Proceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision. Piscataway:IEEE, 2024:3915-3924.
[14]	LI J, SCHMIDT F, KOLTER Z. Adversarial Camera Stickers:A Physical Camera-Based Attack on Deep Learning Systems[C]// International Conference on Machine Learning. New York: PMLR, 2019:3896-3904.
[15]	ZOLFI A, KRAVCHIK M, ELOVICI Y, et al. The Translucent Patch:A Physical and Universal Attack on Object Detectors[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE, 2021:15232-15241.
[16]	DUAN R, MAO X, QIN A K, et al. Adversarial Laser Beam:Effective Physical-World Attack to Dnns in a Blink[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE, 2021:16062-16071.
[17]	HU C, WANG I L, TILIWALIDI K, et al. Adversarial Laser Spot:Robust and Covert Physical Adversarial Attack to DNNs[C]// Proceedings of The 14th Asian Conference on Machine. New York: PMLR, 2023:483-498.
[18]	GUO D F, WU Y T, DAO Y M, et al. Invisible Optical Adversarial Stripes on Traffic Sign Against Autonomous Vehicles[C]// Proceedings of the 22nd Annual International Conference on Mobile Systems,Applications and Services. New York: ACM, 2024:534-546.
[19]	NIU D, GUO R, WANG Y. Morié Attack(MA):A New Potential Risk of Screen Photos[J]. Advances in Neural Information Processing Systems, 2021, 34:26117-26129.
[20]	HUANG Y, XU J F, GUO Q, et al. Natural & Adversarial Bokeh Rendering via Circle-of-Confusion Predictive Network[J]. IEEE Transactions on Multimedia, 2023, 26:5729-5740.
[21]	TIAN B, XU J F, GUO Q, et al. AVA:Adversarial Vignetting Attack against Visual Recognition(2021)[J/OL].[2021-03-12]. https://arxiv.org/abs/2105.05558.
[22]	CHI L, MSAHLI M, ZHANG Q, et al. Adversarial Attacks on Autonomous Driving Systems in the Physical World:A Survey[J]. IEEE Transactions on Intelligent Vehicles, 2024, 11(17):28931-28944.
[23]	王嘉明, 赵君, 张恒, 等. 眩光评价方法各项参数的分析与研究[J]. 工业计量, 2023, 33(4):7-13.
	WANG Jiaming, ZHAO Jun, ZHANG Heng, et al. Analysis and Research on Parameters of Glare Evaluation Method[J]. Industrial Metrology, 2023, 33(4):7-13.
[24]	张佳怡. 基于数字图像的道路照明动态眩光评价[D]. 西安: 西安理工大学, 2023.
[25]	HULLIN M, EISEMANN E, SEIDEL H P, et al. Physically-Based Real-Time Lens Flare Rendering[M]. New York: ACM, 2011:1-10.
[26]	CHABERT F. Automated Lens Flare Removal:Technical Report[R]. Department of Electrical Engineering: Stanford University, 2015.
[27]	ASHA C S, BHAT S K, NAYAK D, et al. Auto Removal of Bright Spot from Images Captured against Flashing Light Source[C]// 2019 IEEE International Conference on Distributed Computing,VLSI,Electrical Circuits and Robotics(DISCOVER).Piscataway:IEEE, 2019: 1-6.
[28]	JIANG Y, CHEN X, PUN C M, et al. Mfdnet:Multi-Frequency Deflare Network for Efficient Nighttime Flare Removal[J]. The Visual Computer, 2024, 40:1-14.
[29]	ZHANG D, OUYANG J, LIU G, et al. Ff-Former:Swin Fourier Transformer for Nighttime Flare Removal[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision. Piscataway:IEEE, 2023:2824-2832.
[30]	WU Y, HE Q, XUE T, et al. How to Train Neural Networks for Flare Removal[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision. Piscataway:IEEE, 2021:2239-2247.
[31]	DAI Y, LI C, ZHOU S, et al. Flare7k++:Mixing Synthetic and Real Datasets for Nighttime Flare Removal and Beyond(2023)[J/OL].[2023-06-07]. https://arxiv.org/abs/2306.04236v1.
[32]	NUSSBERGER A, GRABNER H, VAN G L. Robust Aerial Object Tracking in Images with Lens Flare[C]// 2015 IEEE International Conference on Robotics and Automation(ICRA).Piscataway:IEEE, 2015: 6380-6387.
[33]	MAN Y, LI M, GERDES R. {GhostImage}:Remote Perception Attacks against Camera-Based Image Classification Systems[C]// 23rd International Symposium on Research in Attacks,Intrusions and Defenses(RAID 2020).Berlin:Springer, 2020:317-332.
[34]	JAHNE B. Digital Image Processing[M]. Berlin:Springer, 2005,1:606.
[35]	SCHAND J. CIE Colorimetry[J]. Colorimetry:Understanding the CIE system, 2007, 3(1):25-78.

模型	AdvSticker	AdvLB	AdvShadow	AdvFlare(文中方法)
GTSRB-CNN	87.7	82.0	88.3	89.0
ResNet50	86.2	89.9	92.1	93.4
ResNet101	89.1	88.6	92.7	92.9

模型	所有参数随机设置不优化		所有参数直接优化		参数组分步优化
模型	ASR/%	epoch	ASR/%	epoch	ASR/%	spoch
GTSRB-CNN	34.4		82.3	26.2	89.0	6.7
ResNet50	41.3		82.7	35.8	93.4	9.1
ResNet101	40.8		84.0	36.5	92.9	8.9

模型	干净精度	AdvSticker-ASR	AdvLB-ASR	AdvShadow-ASR	AdvFlare-ASR
GTSRB-CNN	95.7	87.7	82.0	88.3	89.0
GTSRB-CNN-AT	94.9(¯0.8)	71.9(¯15.8)	70.1(11.9)	87.9(¯0.4)	61.5(¯27.5)
ResNet50	77.1	86.2	89.9	92.1	93.4
ResNet50-AT	75.6(¯1.5)	73.5(¯12.7)	81.5(¯8.4)	91.9(¯0.3)	64.8(¯28.6)
ResNet101	78.2	89.1	88.6	92.7	92.9
ResNet101-AT	78.0(¯0.2)	75.4(¯13.7)	81.2(¯7.4)	92.2(¯0.5)	65.1(¯27.8)

模型	摩托车	小轿车	校车	卡车
ResNet50	42.3	51.0	36.0	42.7
ResNet50-AT	54.6(12.3)	55.7(4.7)	48.3(12.3)	50.3(7.6)
ResNet101	45.7	52.3	38.7	41.3
ResNet101-AT	56.7(11.0)	57.7(5.4)	49.0(10.3)	49.7(8.4)