TargetedFool:一种实现有目标攻击的算法

doi:10.19665/j.issn1001-2400.2021.01.017

Abstract

Abstract:

With the development of artificial intelligence technology,deep neural networks are widely used in fields such as face recognition,voice recognition,image recognition,and autonomous driving.In recent years,experiments have proved that slight perturbations can cause misclassification of deep neural networks (DNNs) and achieving specific attack effects in a limited time is one of the focuses of research in the field of adversarial attacks.The DeepFool algorithm has a wide range of applications in machine learning platforms such as cleverhans.However,there is still room for research on targeted attacks using the DeepFool algorithm.To solve the problem that generating perturbations takes a long time and that the perturbation is easy for the human eye to observe,this paper proposes the TargetedFool algorithm based on the DeepFool algorithm for generating targeted adversarial examples on typical convolution neural networks (CNNs).Extensive experimental results show that the algorithm proposed in this paper can achieve targeted attacks on the MNIST,CIFAR-10 and ImageNet.The targeted attack described in this paper can achieve a 99.8% deception success rate in an average time of 2.84 s on the ImageNet.In addition,this paper analyzes the reason why the attack algorithm based on the DeepFool cannot generate targeted universal adversarial perturbations.

Key words: deep neural network, deep learning, targeted attack, adversarial examples

CLC Number:

TP301.6

ZHANG Hua,GAO Haoran,YANG Xingguo,LI Wenmin,GAO Fei,WEN Qiaoyan. TargetedFool:an algorithm for achieving targeted attacks[J].Journal of Xidian University, 2021, 48(1): 149-159.

Figures/Tables 13

分类器	Top-1 error/%	Top-5 error/%	迭代次数	时间/s	扰动量	$ρ^adv$
DenseNet-121	25.35	7.83	10	1.13	5.26	7.80×10^-3
Inception-v3	22.55	6.44	32	3.01	5.58	1.19×10^-2
ResNet-152	21.69	5.94	12	1.58	3.85	9.18×10^-3
ResNet-34	26.70	8.58	10	0.45	3.83	9.04×10^-3
VGG-19^[27]	27.62	9.12	13	0.71	3.59	8.40×10^-3
VGG-16	28.41	9.62	12	0.63	3.42	7.99×10^-3

攻击算法	时间/s	扰动率/%	$ρ^adv$	最大扰动系数	最大迭代次数
FGSM	0.53	0.7	2.27×10^-1	16.0	1
IFGSM	7.51	99.7	7.67×10^-2	16.0	30
JSMA	5 889.07	99.4	1.11×10^-1	0.3	5 000
TargetedFool	2.84	99.8	4.81×10^-3		150

References 30

[1]	CHENG S, DONG Y, PANG T, et al. Improving Black-box Adversarial Attacks with a Transfer-based Prior[C/OL].[2020-10-22].https://arxiv.org/abs/1906.06919.
[2]	ZHAO Z, DUA D, SINGH S. Generating Natural Adversarial Examples[C/OL] [2020-10-22].https://openreview.net/pdf?id=H1BLjgZCb.
[3]	IIYAS A, ENGSTROM L, ATHALYE A, et al. Black-box Adversarial Attacks with Limited Queries and Information[C/OL].[2020-10-22].https://arxiv.org/pdf/1804.08598.pdf.
[4]	IIYAS A, ENGSTROM L, MADRY A. Prior Convictions:Black-box Adversarial Attacks with Bandits and Priors[C/OL].[2020-10-22].https://arxiv.org/pdf/1807.07978.pdf.
[5]	GUO C, GARDNER J R, YOU Y, et al. Simple Black-box Adversarial Attacks[C/OL].[2020-10-22].https://arxiv.org/abs/1905.07121.
[6]	GOODFELLOW I J, SHLENS J, SZEGEDY C.Explaining and Harnessing Adversarial Examples[C/OL].[2020-10-22].https://arxiv.org/pdf/1412.6572.pdf.
[7]	MOOSAVI-DEZFOOLI S M, FAWZI A, FROSSARD P. Deepfool:a Simple and Accurate Method to Fool Deep Neural Networks [C] //Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE, 2016: 2574-2582.
[8]	THYS S, VAN RANST W, GOEDEME T. Fooling Automated Surveillance Cameras:Adversarial Patches to Attack Person Detection[C/OL].[2020-10-22].https://arxiv.org/abs/1904.08653v1.
[9]	LI J, JI S, DU T, et al. TextBugger:Generating Adversarial Text against Real-world Applications[C/OL].[2020-10-22].https://arxiv.org/pdf/1812.05271.pdf.
[10]	BRENDEL W, RAUBER J, BETHGE M. Decision-based Adversarial Attacks:Reliable Attacks against Black-box Machine Learning Models[C/OL].[2020-10-22].https://arxiv.org/pdf/1712.04248.pdf.
[11]	SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing Properties of Neural Networks[C/OL].[2020-10-22].https://arxiv.org/abs/1312.6199.
[12]	OREN S S. On the Selection of Parameters in Self Scaling Variable Metric Algorithms[J]. Mathematical Programming, 1974,7(1):351-367.
[13]	KURAKIN A, GOODFELLOW I, BENGIO S. Adversarial Examples in the Physical World[C/OL].[2020-10-22].https://arxiv.org/abs/1607.02533.
[14]	PAPERNOT N, MC DANIEL P, JHA S, et al. The Limitations of Deep Learning in Adversarial Settings[C/OL].[2020-10-22].https://arxiv.org/pdf/1511.07528.pdf.
[15]	MOOSAVI-DEZFOOLI S M, FAWZI A, FAWZI O, et al. Universal Adversarial Perturbations [C]//Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE, 2017: 1765-1773.
[16]	ABADI M, AGARWAL A, BARHAM P, et al. Tensorflow:Large-scale Machine Learning on Heterogeneous Distributed Systems[EB/OL].[2020-10-16].https://arxiv.org/pdf/1603.04467v1.pdf.
[17]	PAPERNOT N, GOODFELLOW I, SHEATSLEY R, et al. Cleverhans v2.0.0:an Adversarial Machine Learning Library[EB/OL].[2020-10-20].https://arxiv.org/pdf/1610.00768v4.pdf.
[18]	LECUN Y, CORTES C. The MNIST database of handwritten digits[EB/OL].[2020-10-20].https://www.researchgate.net/publication/247931959_The_mnist_database_of_handwritten_digits.
[19]	KRIZHEVSKY A.Learning Multiple Layers of Features from Tiny Images[D/OL].[ 2020- 10- 16]. http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=6A53249D656707B0A5E27DEC73ABF8B2?doi=10.1.1.222.9220&rep=rep1&type=pdf.
[20]	DENG J, DONG W, SOCHER R, et al. Imagenet:a Large-scale Hierarchical Image Database [C]// Proceedings of the 2009 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE, 2009: 248-255.
[21]	LECUN Y, HAFFNER P, BOTTOU L, et al. Object Recognition with Gradient-based Learning [C]// Lecture Notes in Computer Science:1681.Berlin:Springer Verlag, 1999: 319-345.
[22]	KRIZHEVSKY A, SUTSKEVER I, HINTON G E. Imagenet Classification with Deep Convolutional Neural Networks [C]//Advances in Neural Information Processing Systems:2.Vancouver:Neural Information Processing Systems Foundation, 2012: 1097-1105.
[23]	SZEGEDY C, VANHOUCKE V, IOFFE S, et al. Rethinking the Inception Architecture for Computer Vision [C]//Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition.Washington:IEEE Computer Society, 2016: 2818-2826.
[24]	HE K, ZHANG X, REN S, et al. Deep Residual Learning for Image Recognition [C]//Proceedings of the 2016 IEEE Computer Society Conference on Computer Vision and Pattern Recognition.Washington:IEEE Computer Society, 2016: 770-778.
[25]	HUANG G, LIU Z, VAN DER MAATEN L, et al.Densely Connected Convolutional Networks [C]// Proceedings of the 2017 30th IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE, 2017: 2261-2269.
[26]	YUAN X, HE P, ZHU Q, et al. Adversarial Examples:Attacks and Defenses for Deep Learning[J]. IEEE Transactions on Neural Networks and Learning Systems, 2019,30(9):2805-2824. doi: 10.1109/TNNLS.2018.2886017 pmid: 30640631
[27]	SIMONYAN K, ZISSERMAN A. Very Deep Convolutional Networks for Large-scale Image Recognition [C]// Proceedings of the 2015 3rd International Conference on Learning Representations.San Diego:ICLR, 2015: 149801.
[28]	KURAKIN A, GOODFELLOW I J, BENGIO S. Adversarial Machine Learning at Scale [C]// Proceedings of the 2017 5th International Conference on Learning Representations.San Diego:ICLR, 2017: 149804.
[29]	PAPERNOT N, MCDANIEL P, WU X, et al. Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks [C]// Proceedings of the 2016 IEEE Symposium on Security and Privacy.Piscataway:IEEE, 2016: 582-597.
[30]	SAMANGOUEI P, KABKAB M, CHELLAPPA R. Defense-GAN:Protecting Classifiers against Adversarial Attacks Using Generative Models [C]// Proceedings of the 2018 6th International Conference on Learning Representations.San Diego:ICLR, 2018: 149806.

符号	描述	符号	描述
x	原始样本	t	目标类别
x_adv	对抗样本	J(·)	损失函数
f(x)	分类器函数	$\mathscr{F}$_L	线性决策面
w	神经网络模型权重	$\mathscr{F}$_N	非线性决策面
b	神经网络模型偏置	P	多个决策面形成的空间
r(x)	扰动	?	梯度

分类器	Test error/%	TargetedFool		DeepFool
分类器	Test error/%	时间/s	扰动量	时间/s	扰动量
LeNet(MNIST)	1.00	0.07	3.31	0.05	1.94
ALexNet(CIFAR-10)	22.60	0.07	0.75	0.06	0.05
Inception-v3(ILSVRC2012)	31.30	3.01	5.58	0.78	0.76
ResNet-152(ILSVRC2012)	26.70	1.58	3.85	1.56	0.84
DenseNet-121(ILSVRC2012)	25.40	1.13	5.26	1.22	0.69

TargetedFool:an algorithm for achieving targeted attacks

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 13

References 30

Related Articles 15

Metrics

Comments

Recommended 0

[1]	ZHANG Jing, WU Huixue, ZHANG Shaobo, LI Yunsong. Decoder-side enhanced image compression network under distributed strategy [J]. Journal of Xidian University, 2025, 52(1): 1-13.
[2]	WANG Chao, JIANG Xiaofeng, WANG Sumin. Research on the quantum effect traffic prediction algorithm oriented towards intuitive reasoning [J]. Journal of Xidian University, 2025, 52(1): 152-162.
[3]	ZHAO Congjian, JIAO Yiyuan, LI Yanni. Overview of deep sentence-level entity relation extraction [J]. Journal of Xidian University, 2024, 51(6): 117-131.
[4]	XU Haitao, LIU Yuzhe, YAN Xinyi, LI Jiaojiao, XUE Changbin. Fusion classification network for hyperspectral and LiDAR eature coupling modeling [J]. Journal of Xidian University, 2024, 51(6): 73-83.
[5]	WU Xinting, HUANG Ying, NIU Baoning, GUAN Hu, LAN Fangpeng, LIU Jie. Image texture-guided iterative watermarking model [J]. Journal of Xidian University, 2024, 51(5): 110-121.
[6]	ZHANG Mingjin, ZHOU Nan, LI Yunsong. Smooth interactive compression network for infrared small target detection [J]. Journal of Xidian University, 2024, 51(4): 1-14.
[7]	GAO Dihui, SHENG Lijie, XU Xiaodong, MIAO Qiguang. Joint feature approach for image-text cross-modal retrieval [J]. Journal of Xidian University, 2024, 51(4): 128-138.
[8]	WAN Pengwu, HUI Xi, CHEN Dongrui, WU Bo. Modulation recognition based on the two-dimensional asynchronous in-phase quadrature histogram [J]. Journal of Xidian University, 2024, 51(4): 78-90.
[9]	GUAN Yepeng, SU Guangyao, SHENG Yi. Time series prediction method based on the bidirectional long short-term memory network [J]. Journal of Xidian University, 2024, 51(3): 103-112.
[10]	HE Wangpeng, HU Deshun, LI Cheng, ZHOU Yue, GUO Baolong. Siamese network tracking using template updating and trajectory prediction [J]. Journal of Xidian University, 2024, 51(3): 46-54.
[11]	LIU Wei, WANG Mengyang, BAI Baoming. Efficient semantic communication method for bandwidth constrained scenarios [J]. Journal of Xidian University, 2024, 51(3): 9-18.
[12]	LIU Zhenyan, ZHANG Hua, LIU Yong, YANG Libo, WANG Mengdi. Efficient seed generation method for software fuzzing [J]. Journal of Xidian University, 2024, 51(2): 126-136.
[13]	ZHAI Fengwen, SUN Fanglin, JIN Jing. Study of EEG classification of depression by multi-scale convolution combined with the Transformer [J]. Journal of Xidian University, 2024, 51(2): 182-195.
[14]	DING Xinmiao, WANG Jiaxing, GUO Wen. Three-dimensional attention-enhanced algorithm for violence scene detection [J]. Journal of Xidian University, 2024, 51(1): 114-124.
[15]	LIU Bochong, CAI Huaiyu, WANG Yi, CHEN Xiaodong. Self-supervised contrastive representation learning for semantic segmentation [J]. Journal of Xidian University, 2024, 51(1): 125-134.