TargetedFool:一种实现有目标攻击的算法

doi:10.19665/j.issn1001-2400.2021.01.017

Abstract

Abstract:

With the development of artificial intelligence technology,deep neural networks are widely used in fields such as face recognition,voice recognition,image recognition,and autonomous driving.In recent years,experiments have proved that slight perturbations can cause misclassification of deep neural networks (DNNs) and achieving specific attack effects in a limited time is one of the focuses of research in the field of adversarial attacks.The DeepFool algorithm has a wide range of applications in machine learning platforms such as cleverhans.However,there is still room for research on targeted attacks using the DeepFool algorithm.To solve the problem that generating perturbations takes a long time and that the perturbation is easy for the human eye to observe,this paper proposes the TargetedFool algorithm based on the DeepFool algorithm for generating targeted adversarial examples on typical convolution neural networks (CNNs).Extensive experimental results show that the algorithm proposed in this paper can achieve targeted attacks on the MNIST,CIFAR-10 and ImageNet.The targeted attack described in this paper can achieve a 99.8% deception success rate in an average time of 2.84 s on the ImageNet.In addition,this paper analyzes the reason why the attack algorithm based on the DeepFool cannot generate targeted universal adversarial perturbations.

Key words: deep neural network, deep learning, targeted attack, adversarial examples

CLC Number:

TP301.6

ZHANG Hua,GAO Haoran,YANG Xingguo,LI Wenmin,GAO Fei,WEN Qiaoyan. TargetedFool:an algorithm for achieving targeted attacks[J].Journal of Xidian University, 2021, 48(1): 149-159.

Figures/Tables 13

分类器	Top-1 error/%	Top-5 error/%	迭代次数	时间/s	扰动量	$ρ^adv$
DenseNet-121	25.35	7.83	10	1.13	5.26	7.80×10^-3
Inception-v3	22.55	6.44	32	3.01	5.58	1.19×10^-2
ResNet-152	21.69	5.94	12	1.58	3.85	9.18×10^-3
ResNet-34	26.70	8.58	10	0.45	3.83	9.04×10^-3
VGG-19^[27]	27.62	9.12	13	0.71	3.59	8.40×10^-3
VGG-16	28.41	9.62	12	0.63	3.42	7.99×10^-3

攻击算法	时间/s	扰动率/%	$ρ^adv$	最大扰动系数	最大迭代次数
FGSM	0.53	0.7	2.27×10^-1	16.0	1
IFGSM	7.51	99.7	7.67×10^-2	16.0	30
JSMA	5 889.07	99.4	1.11×10^-1	0.3	5 000
TargetedFool	2.84	99.8	4.81×10^-3		150

References 30

[1]	CHENG S, DONG Y, PANG T, et al. Improving Black-box Adversarial Attacks with a Transfer-based Prior[C/OL].[2020-10-22].https://arxiv.org/abs/1906.06919.
[2]	ZHAO Z, DUA D, SINGH S. Generating Natural Adversarial Examples[C/OL] [2020-10-22].https://openreview.net/pdf?id=H1BLjgZCb.
[3]	IIYAS A, ENGSTROM L, ATHALYE A, et al. Black-box Adversarial Attacks with Limited Queries and Information[C/OL].[2020-10-22].https://arxiv.org/pdf/1804.08598.pdf.
[4]	IIYAS A, ENGSTROM L, MADRY A. Prior Convictions:Black-box Adversarial Attacks with Bandits and Priors[C/OL].[2020-10-22].https://arxiv.org/pdf/1807.07978.pdf.
[5]	GUO C, GARDNER J R, YOU Y, et al. Simple Black-box Adversarial Attacks[C/OL].[2020-10-22].https://arxiv.org/abs/1905.07121.
[6]	GOODFELLOW I J, SHLENS J, SZEGEDY C.Explaining and Harnessing Adversarial Examples[C/OL].[2020-10-22].https://arxiv.org/pdf/1412.6572.pdf.
[7]	MOOSAVI-DEZFOOLI S M, FAWZI A, FROSSARD P. Deepfool:a Simple and Accurate Method to Fool Deep Neural Networks [C] //Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE, 2016: 2574-2582.
[8]	THYS S, VAN RANST W, GOEDEME T. Fooling Automated Surveillance Cameras:Adversarial Patches to Attack Person Detection[C/OL].[2020-10-22].https://arxiv.org/abs/1904.08653v1.
[9]	LI J, JI S, DU T, et al. TextBugger:Generating Adversarial Text against Real-world Applications[C/OL].[2020-10-22].https://arxiv.org/pdf/1812.05271.pdf.
[10]	BRENDEL W, RAUBER J, BETHGE M. Decision-based Adversarial Attacks:Reliable Attacks against Black-box Machine Learning Models[C/OL].[2020-10-22].https://arxiv.org/pdf/1712.04248.pdf.
[11]	SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing Properties of Neural Networks[C/OL].[2020-10-22].https://arxiv.org/abs/1312.6199.
[12]	OREN S S. On the Selection of Parameters in Self Scaling Variable Metric Algorithms[J]. Mathematical Programming, 1974,7(1):351-367.
[13]	KURAKIN A, GOODFELLOW I, BENGIO S. Adversarial Examples in the Physical World[C/OL].[2020-10-22].https://arxiv.org/abs/1607.02533.
[14]	PAPERNOT N, MC DANIEL P, JHA S, et al. The Limitations of Deep Learning in Adversarial Settings[C/OL].[2020-10-22].https://arxiv.org/pdf/1511.07528.pdf.
[15]	MOOSAVI-DEZFOOLI S M, FAWZI A, FAWZI O, et al. Universal Adversarial Perturbations [C]//Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE, 2017: 1765-1773.
[16]	ABADI M, AGARWAL A, BARHAM P, et al. Tensorflow:Large-scale Machine Learning on Heterogeneous Distributed Systems[EB/OL].[2020-10-16].https://arxiv.org/pdf/1603.04467v1.pdf.
[17]	PAPERNOT N, GOODFELLOW I, SHEATSLEY R, et al. Cleverhans v2.0.0:an Adversarial Machine Learning Library[EB/OL].[2020-10-20].https://arxiv.org/pdf/1610.00768v4.pdf.
[18]	LECUN Y, CORTES C. The MNIST database of handwritten digits[EB/OL].[2020-10-20].https://www.researchgate.net/publication/247931959_The_mnist_database_of_handwritten_digits.
[19]	KRIZHEVSKY A.Learning Multiple Layers of Features from Tiny Images[D/OL].[ 2020- 10- 16]. http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=6A53249D656707B0A5E27DEC73ABF8B2?doi=10.1.1.222.9220&rep=rep1&type=pdf.
[20]	DENG J, DONG W, SOCHER R, et al. Imagenet:a Large-scale Hierarchical Image Database [C]// Proceedings of the 2009 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE, 2009: 248-255.
[21]	LECUN Y, HAFFNER P, BOTTOU L, et al. Object Recognition with Gradient-based Learning [C]// Lecture Notes in Computer Science:1681.Berlin:Springer Verlag, 1999: 319-345.
[22]	KRIZHEVSKY A, SUTSKEVER I, HINTON G E. Imagenet Classification with Deep Convolutional Neural Networks [C]//Advances in Neural Information Processing Systems:2.Vancouver:Neural Information Processing Systems Foundation, 2012: 1097-1105.
[23]	SZEGEDY C, VANHOUCKE V, IOFFE S, et al. Rethinking the Inception Architecture for Computer Vision [C]//Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition.Washington:IEEE Computer Society, 2016: 2818-2826.
[24]	HE K, ZHANG X, REN S, et al. Deep Residual Learning for Image Recognition [C]//Proceedings of the 2016 IEEE Computer Society Conference on Computer Vision and Pattern Recognition.Washington:IEEE Computer Society, 2016: 770-778.
[25]	HUANG G, LIU Z, VAN DER MAATEN L, et al.Densely Connected Convolutional Networks [C]// Proceedings of the 2017 30th IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE, 2017: 2261-2269.
[26]	YUAN X, HE P, ZHU Q, et al. Adversarial Examples:Attacks and Defenses for Deep Learning[J]. IEEE Transactions on Neural Networks and Learning Systems, 2019,30(9):2805-2824. doi: 10.1109/TNNLS.2018.2886017 pmid: 30640631
[27]	SIMONYAN K, ZISSERMAN A. Very Deep Convolutional Networks for Large-scale Image Recognition [C]// Proceedings of the 2015 3rd International Conference on Learning Representations.San Diego:ICLR, 2015: 149801.
[28]	KURAKIN A, GOODFELLOW I J, BENGIO S. Adversarial Machine Learning at Scale [C]// Proceedings of the 2017 5th International Conference on Learning Representations.San Diego:ICLR, 2017: 149804.
[29]	PAPERNOT N, MCDANIEL P, WU X, et al. Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks [C]// Proceedings of the 2016 IEEE Symposium on Security and Privacy.Piscataway:IEEE, 2016: 582-597.
[30]	SAMANGOUEI P, KABKAB M, CHELLAPPA R. Defense-GAN:Protecting Classifiers against Adversarial Attacks Using Generative Models [C]// Proceedings of the 2018 6th International Conference on Learning Representations.San Diego:ICLR, 2018: 149806.

符号	描述	符号	描述
x	原始样本	t	目标类别
x_adv	对抗样本	J(·)	损失函数
f(x)	分类器函数	$\mathscr{F}$_L	线性决策面
w	神经网络模型权重	$\mathscr{F}$_N	非线性决策面
b	神经网络模型偏置	P	多个决策面形成的空间
r(x)	扰动	?	梯度

分类器	Test error/%	TargetedFool		DeepFool
分类器	Test error/%	时间/s	扰动量	时间/s	扰动量
LeNet(MNIST)	1.00	0.07	3.31	0.05	1.94
ALexNet(CIFAR-10)	22.60	0.07	0.75	0.06	0.05
Inception-v3(ILSVRC2012)	31.30	3.01	5.58	0.78	0.76
ResNet-152(ILSVRC2012)	26.70	1.58	3.85	1.56	0.84
DenseNet-121(ILSVRC2012)	25.40	1.13	5.26	1.22	0.69

TargetedFool:an algorithm for achieving targeted attacks

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 13

References 30

Related Articles 15

Metrics

Comments

Recommended 10

[1]	WANG Yong,JIN Weizhao,FENG Wei,QUAN Yinghui. Improved violent behavior detection method for the R(2+1)D network [J]. Journal of Xidian University, 2022, 49(2): 155-163.
[2]	WANG Yong,WANG Xiyuan,REN Zeyang. Algorithm for gradient optimization of hybrid precoding based on DNN in the millimeter wave MIMO system [J]. Journal of Xidian University, 2022, 49(1): 202-207.
[3]	GAO Jie,HUO Zhiyong. Algorithmfor image inpainting in generative adversarial networks based on gated convolution [J]. Journal of Xidian University, 2022, 49(1): 216-224.
[4]	ZHANG Yan,WANG Xiangyu,ZHANG Zhongwei,SUN Yemei,LIU Shudong. Boundary-aware network for building extraction from remote sensing images [J]. Journal of Xidian University, 2022, 49(1): 236-244.
[5]	LIU Jiawei,ZHANG Wenhui,KOU Xiaoli,LI Yanni. Harnessing adversarial examples via input denoising and hidden information restoring [J]. Journal of Xidian University, 2021, 48(6): 23-31.
[6]	SONG Jianfeng,MIAO Qiguang,WANG Chongxiao,XU Hao,YANG Jin. Multi-scale single object tracking based on the attention mechanism [J]. Journal of Xidian University, 2021, 48(5): 110-116.
[7]	LI Peng,FENG Cunqian,XU Xuguang,TANG Zixiang. Ballistic target fretting classification network based on Bayesian optimization [J]. Journal of Xidian University, 2021, 48(5): 139-148.
[8]	ZHANG Yuhao,CHENG Peitao,ZHANG Shuhao,WANG Xiumei. Lightweight image super-resolution with the adaptive weight learning network [J]. Journal of Xidian University, 2021, 48(5): 15-22.
[9]	YAN Jia,CAO Yudong,REN Jiaxing,CHEN Donghao,LI Xiaohui. Deep asymmetric compression Hashing algorithm [J]. Journal of Xidian University, 2021, 48(5): 212-221.
[10]	NING Yang,DU Jianchao,HAN Shuo,YANG Chuankai. Fire segmentation based on the improved DeeplabV3+ and the analytical method for fire development [J]. Journal of Xidian University, 2021, 48(5): 38-46.
[11]	ZHOU Peng,YANG Jun. Semantic segmentation of remote sensing images based on neural architecture search [J]. Journal of Xidian University, 2021, 48(5): 47-57.
[12]	ZHANG Shuwei,LI Junmin. Human body detection algorithm in complex monitoring scenes [J]. Journal of Xidian University, 2021, 48(5): 68-77.
[13]	QI Yanjun,KONG Yueping,WANG Jiajing,ZHU Xudong. Gait recognition method combining LSTM and CNN [J]. Journal of Xidian University, 2021, 48(5): 78-85.
[14]	HUI Haisheng,ZHANG Xueying,WU Zelin,LI Fenglian. Method for stroke lesion segmentation using the primary-auxiliary path attention compensation network [J]. Journal of Xidian University, 2021, 48(4): 200-208.
[15]	SUN Haojie,LI Miaoyu,ZHANG Panpan,XU Pengfei. Self-supervised facial asymmetry learning for automatic evaluation of facial paralysis [J]. Journal of Xidian University, 2021, 48(3): 115-122.