TargetedFool:一种实现有目标攻击的算法

doi:10.19665/j.issn1001-2400.2021.01.017

摘要/Abstract

摘要：

随着人工智能技术的发展,深度神经网络广泛应用于人脸识别、语音识别、图片识别以及自动驾驶等领域。由于轻微的扰动就可以使深度神经网络出现错误分类,所以在有限的时间内实现特定的攻击效果是对抗攻击领域研究的重点之一。针对有目标对抗攻击算法中产生扰动时间久和扰动易被人眼观察的问题,基于Deepfool提出了在典型的卷积神经网络上生成有目标的对抗样本的算法,即TargetedFool。大量的实验结果表明,TargetedFool可以对MNIST、CIFAR-10和ImageNet实现有目标的对抗攻击。在ImageNet上,TargetedFool可以在平均2.84 s的时间内达到99.8%的扰动率。此外,分析了基于DeepFool的攻击算法无法产生有目标的通用对抗性扰动的原因。

关键词: 深度神经网络, 深度学习, 目标攻击, 对抗样本

Abstract:

With the development of artificial intelligence technology,deep neural networks are widely used in fields such as face recognition,voice recognition,image recognition,and autonomous driving.In recent years,experiments have proved that slight perturbations can cause misclassification of deep neural networks (DNNs) and achieving specific attack effects in a limited time is one of the focuses of research in the field of adversarial attacks.The DeepFool algorithm has a wide range of applications in machine learning platforms such as cleverhans.However,there is still room for research on targeted attacks using the DeepFool algorithm.To solve the problem that generating perturbations takes a long time and that the perturbation is easy for the human eye to observe,this paper proposes the TargetedFool algorithm based on the DeepFool algorithm for generating targeted adversarial examples on typical convolution neural networks (CNNs).Extensive experimental results show that the algorithm proposed in this paper can achieve targeted attacks on the MNIST,CIFAR-10 and ImageNet.The targeted attack described in this paper can achieve a 99.8% deception success rate in an average time of 2.84 s on the ImageNet.In addition,this paper analyzes the reason why the attack algorithm based on the DeepFool cannot generate targeted universal adversarial perturbations.

Key words: deep neural network, deep learning, targeted attack, adversarial examples

中图分类号:

TP301.6

张华,高浩然,杨兴国,李文敏,高飞,温巧燕. TargetedFool:一种实现有目标攻击的算法[J]. 西安电子科技大学学报, 2021, 48(1): 149-159.

ZHANG Hua,GAO Haoran,YANG Xingguo,LI Wenmin,GAO Fei,WEN Qiaoyan. TargetedFool:an algorithm for achieving targeted attacks[J]. Journal of Xidian University, 2021, 48(1): 149-159.

图/表 13

图1

表1

图2

图3

图4

图5

表2

测试结果"

分类器	Top-1 error/%	Top-5 error/%	迭代次数	时间/s	扰动量	$ρ^adv$
DenseNet-121	25.35	7.83	10	1.13	5.26	7.80×10^-3
Inception-v3	22.55	6.44	32	3.01	5.58	1.19×10^-2
ResNet-152	21.69	5.94	12	1.58	3.85	9.18×10^-3
ResNet-34	26.70	8.58	10	0.45	3.83	9.04×10^-3
VGG-19^[27]	27.62	9.12	13	0.71	3.59	8.40×10^-3
VGG-16	28.41	9.62	12	0.63	3.42	7.99×10^-3

表2

图6

表3

表4

在Inception-v3,NIPS2017,l2范式下,扰动率、时间、平均鲁棒性、最大扰动系数以及最大迭代次数(对抗样本由FGSM,IFGSM,JSMA和TargetedFool生成)"

攻击算法	时间/s	扰动率/%	$ρ^adv$	最大扰动系数	最大迭代次数
FGSM	0.53	0.7	2.27×10^-1	16.0	1
IFGSM	7.51	99.7	7.67×10^-2	16.0	30
JSMA	5 889.07	99.4	1.11×10^-1	0.3	5 000
TargetedFool	2.84	99.8	4.81×10^-3		150

表4

图7

图8

图9

参考文献 30

[1]	CHENG S, DONG Y, PANG T, et al. Improving Black-box Adversarial Attacks with a Transfer-based Prior[C/OL].[2020-10-22].https://arxiv.org/abs/1906.06919.
[2]	ZHAO Z, DUA D, SINGH S. Generating Natural Adversarial Examples[C/OL] [2020-10-22].https://openreview.net/pdf?id=H1BLjgZCb.
[3]	IIYAS A, ENGSTROM L, ATHALYE A, et al. Black-box Adversarial Attacks with Limited Queries and Information[C/OL].[2020-10-22].https://arxiv.org/pdf/1804.08598.pdf.
[4]	IIYAS A, ENGSTROM L, MADRY A. Prior Convictions:Black-box Adversarial Attacks with Bandits and Priors[C/OL].[2020-10-22].https://arxiv.org/pdf/1807.07978.pdf.
[5]	GUO C, GARDNER J R, YOU Y, et al. Simple Black-box Adversarial Attacks[C/OL].[2020-10-22].https://arxiv.org/abs/1905.07121.
[6]	GOODFELLOW I J, SHLENS J, SZEGEDY C.Explaining and Harnessing Adversarial Examples[C/OL].[2020-10-22].https://arxiv.org/pdf/1412.6572.pdf.
[7]	MOOSAVI-DEZFOOLI S M, FAWZI A, FROSSARD P. Deepfool:a Simple and Accurate Method to Fool Deep Neural Networks [C] //Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE, 2016: 2574-2582.
[8]	THYS S, VAN RANST W, GOEDEME T. Fooling Automated Surveillance Cameras:Adversarial Patches to Attack Person Detection[C/OL].[2020-10-22].https://arxiv.org/abs/1904.08653v1.
[9]	LI J, JI S, DU T, et al. TextBugger:Generating Adversarial Text against Real-world Applications[C/OL].[2020-10-22].https://arxiv.org/pdf/1812.05271.pdf.
[10]	BRENDEL W, RAUBER J, BETHGE M. Decision-based Adversarial Attacks:Reliable Attacks against Black-box Machine Learning Models[C/OL].[2020-10-22].https://arxiv.org/pdf/1712.04248.pdf.
[11]	SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing Properties of Neural Networks[C/OL].[2020-10-22].https://arxiv.org/abs/1312.6199.
[12]	OREN S S. On the Selection of Parameters in Self Scaling Variable Metric Algorithms[J]. Mathematical Programming, 1974,7(1):351-367.
[13]	KURAKIN A, GOODFELLOW I, BENGIO S. Adversarial Examples in the Physical World[C/OL].[2020-10-22].https://arxiv.org/abs/1607.02533.
[14]	PAPERNOT N, MC DANIEL P, JHA S, et al. The Limitations of Deep Learning in Adversarial Settings[C/OL].[2020-10-22].https://arxiv.org/pdf/1511.07528.pdf.
[15]	MOOSAVI-DEZFOOLI S M, FAWZI A, FAWZI O, et al. Universal Adversarial Perturbations [C]//Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE, 2017: 1765-1773.
[16]	ABADI M, AGARWAL A, BARHAM P, et al. Tensorflow:Large-scale Machine Learning on Heterogeneous Distributed Systems[EB/OL].[2020-10-16].https://arxiv.org/pdf/1603.04467v1.pdf.
[17]	PAPERNOT N, GOODFELLOW I, SHEATSLEY R, et al. Cleverhans v2.0.0:an Adversarial Machine Learning Library[EB/OL].[2020-10-20].https://arxiv.org/pdf/1610.00768v4.pdf.
[18]	LECUN Y, CORTES C. The MNIST database of handwritten digits[EB/OL].[2020-10-20].https://www.researchgate.net/publication/247931959_The_mnist_database_of_handwritten_digits.
[19]	KRIZHEVSKY A.Learning Multiple Layers of Features from Tiny Images[D/OL].[ 2020- 10- 16]. http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=6A53249D656707B0A5E27DEC73ABF8B2?doi=10.1.1.222.9220&rep=rep1&type=pdf.
[20]	DENG J, DONG W, SOCHER R, et al. Imagenet:a Large-scale Hierarchical Image Database [C]// Proceedings of the 2009 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE, 2009: 248-255.
[21]	LECUN Y, HAFFNER P, BOTTOU L, et al. Object Recognition with Gradient-based Learning [C]// Lecture Notes in Computer Science:1681.Berlin:Springer Verlag, 1999: 319-345.
[22]	KRIZHEVSKY A, SUTSKEVER I, HINTON G E. Imagenet Classification with Deep Convolutional Neural Networks [C]//Advances in Neural Information Processing Systems:2.Vancouver:Neural Information Processing Systems Foundation, 2012: 1097-1105.
[23]	SZEGEDY C, VANHOUCKE V, IOFFE S, et al. Rethinking the Inception Architecture for Computer Vision [C]//Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition.Washington:IEEE Computer Society, 2016: 2818-2826.
[24]	HE K, ZHANG X, REN S, et al. Deep Residual Learning for Image Recognition [C]//Proceedings of the 2016 IEEE Computer Society Conference on Computer Vision and Pattern Recognition.Washington:IEEE Computer Society, 2016: 770-778.
[25]	HUANG G, LIU Z, VAN DER MAATEN L, et al.Densely Connected Convolutional Networks [C]// Proceedings of the 2017 30th IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE, 2017: 2261-2269.
[26]	YUAN X, HE P, ZHU Q, et al. Adversarial Examples:Attacks and Defenses for Deep Learning[J]. IEEE Transactions on Neural Networks and Learning Systems, 2019,30(9):2805-2824. doi: 10.1109/TNNLS.2018.2886017 pmid: 30640631
[27]	SIMONYAN K, ZISSERMAN A. Very Deep Convolutional Networks for Large-scale Image Recognition [C]// Proceedings of the 2015 3rd International Conference on Learning Representations.San Diego:ICLR, 2015: 149801.
[28]	KURAKIN A, GOODFELLOW I J, BENGIO S. Adversarial Machine Learning at Scale [C]// Proceedings of the 2017 5th International Conference on Learning Representations.San Diego:ICLR, 2017: 149804.
[29]	PAPERNOT N, MCDANIEL P, WU X, et al. Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks [C]// Proceedings of the 2016 IEEE Symposium on Security and Privacy.Piscataway:IEEE, 2016: 582-597.
[30]	SAMANGOUEI P, KABKAB M, CHELLAPPA R. Defense-GAN:Protecting Classifiers against Adversarial Attacks Using Generative Models [C]// Proceedings of the 2018 6th International Conference on Learning Representations.San Diego:ICLR, 2018: 149806.

符号	描述	符号	描述
x	原始样本	t	目标类别
x_adv	对抗样本	J(·)	损失函数
f(x)	分类器函数	$\mathscr{F}$_L	线性决策面
w	神经网络模型权重	$\mathscr{F}$_N	非线性决策面
b	神经网络模型偏置	P	多个决策面形成的空间
r(x)	扰动	?	梯度

分类器	Test error/%	TargetedFool		DeepFool
分类器	Test error/%	时间/s	扰动量	时间/s	扰动量
LeNet(MNIST)	1.00	0.07	3.31	0.05	1.94
ALexNet(CIFAR-10)	22.60	0.07	0.75	0.06	0.05
Inception-v3(ILSVRC2012)	31.30	3.01	5.58	0.78	0.76
ResNet-152(ILSVRC2012)	26.70	1.58	3.85	1.56	0.84
DenseNet-121(ILSVRC2012)	25.40	1.13	5.26	1.22	0.69