Journal of Computer Applications ›› 2022, Vol. 42 ›› Issue (8): 2319-2325. DOI: 10.11772/j.issn.1001-9081.2021060993

• Artificial Intelligence •

Adversarial example generation method based on image flipping transform

Bo YANG1, Hengwei ZHANG1, Zheming LI1,2, Kaiyong XU1

  1. PLA Strategic Support Force Information Engineering University, Zhengzhou, Henan 450001, China
  2. PLA Army General Staff, Beijing 100000, China
  • Received: 2021-06-10  Revised: 2021-10-12  Accepted: 2021-10-29  Online: 2022-01-25  Published: 2022-08-10
  • Contact: Hengwei ZHANG
  • About the authors: YANG Bo, born in 1993 in Xianning, Hubei, M. S. candidate. His research interests include deep learning and intelligent system security.
    ZHANG Hengwei, born in 1978 in Luoyang, Henan, Ph. D., associate professor. His research interests include network security game theory and intelligent system security.
    LI Zheming, born in 1994 in Tangshan, Hebei, M. S. candidate, assistant engineer. His research interests include deep learning, and network and information security.
    XU Kaiyong, born in 1963 in Xinyang, Henan, research fellow. His research interests include network and information security, and trusted computing.
  • Supported by:
    National Key Research and Development Program of China (2017YFB0801900)

Abstract:

Deep neural networks are vulnerable to adversarial example attacks. Adversarial examples are produced by adding human-imperceptible perturbations to the original images; they cause deep neural networks to misclassify and therefore pose a security threat. Before a deep neural network is deployed, adversarial attacks are thus an important means of evaluating the robustness of the model. However, under the black-box setting the attack success rate of adversarial examples still needs to be improved, that is, the transferability of adversarial examples needs to be increased. To address this issue, an adversarial example generation method based on image flipping transform, FT-MI-FGSM (Flipping Transformation Momentum Iterative Fast Gradient Sign Method), was proposed. Firstly, from the perspective of data augmentation, the original input image was randomly flipped in each iteration of the adversarial example generation process. Then, the gradient of the transformed image was calculated. Finally, adversarial examples were generated from this gradient, which alleviates overfitting during adversarial example generation and improves the transferability of the examples. In addition, attacking ensemble models was used to further enhance transferability. Extensive experiments on the ImageNet dataset demonstrated the effectiveness of the proposed method. Compared with I-FGSM (Iterative Fast Gradient Sign Method) and MI-FGSM (Momentum I-FGSM), the average black-box attack success rate of FT-MI-FGSM against adversarially trained networks improved by 26.0 and 8.4 percentage points respectively under the ensemble-model attack setting.

Key words: image flipping transform, adversarial example, black-box attack, deep neural network, transferability
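The three steps in the abstract (random flip of the current input, gradient at the transformed input, momentum sign update within the perturbation budget) are shown below as an added example; this is not the authors' implementation, and the page gives no code. The classifier is a constructed two-class linear softmax model standing in for a DNN, chosen only so the gradient can be followed by hand; the transform family is an assumption (a horizontal flip applied with probability flip_prob, with the gradient mapped back through the flip by the chain rule), and EPS, STEPS and MU are constructed values. On a linear model the flip cannot reproduce the transferability gains the abstract reports, since there is no learned flip-invariance to exploit; what the block shows is the mechanics of the update and the budget and range checks a robustness evaluation would verify on its output.

```python
"""MI-FGSM with a random horizontal-flip step (FT-MI-FGSM style), toy setting.

Added example, not the paper's code. The classifier, image and
hyperparameters below are constructed for illustration only.
"""
import math
import random

H, W = 2, 3                      # constructed "image": 2 rows x 3 columns
X0 = [0.3, 0.4, 0.6,
      0.5, 0.2, 0.4]             # constructed pixel values in [0, 1]
TRUE_LABEL = 0

# Constructed linear softmax classifier: logits[c] = WEIGHTS[c] . x + BIAS[c]
WEIGHTS = [
    [ 1.0,  1.0, -1.0,  1.0,  1.0,  1.0],  # class 0
    [-1.0, -1.0,  1.0, -1.0, -1.0, -1.0],  # class 1
]
BIAS = [-1.0, 1.0]

EPS = 0.12            # L-infinity perturbation budget (constructed)
STEPS = 10            # number of iterations (constructed)
ALPHA = EPS / STEPS   # per-step size
MU = 1.0              # momentum decay factor (constructed)


def logits(x):
    return [sum(w * xi for w, xi in zip(row, x)) + b
            for row, b in zip(WEIGHTS, BIAS)]


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def predict(x):
    z = logits(x)
    return z.index(max(z))


def loss_gradient(x, label):
    """Gradient of the cross-entropy loss w.r.t. the input pixels."""
    p = softmax(logits(x))
    dz = [p[c] - (1.0 if c == label else 0.0) for c in range(len(p))]
    return [sum(dz[c] * WEIGHTS[c][i] for c in range(len(dz)))
            for i in range(len(x))]


def flip_horizontal(x, h, w):
    """Reverse each row of a row-major h x w image (the assumed transform)."""
    out = []
    for r in range(h):
        out.extend(reversed(x[r * w:(r + 1) * w]))
    return out


def sign(v):
    return (v > 0) - (v < 0)


def clamp(v, lo, hi):
    return max(lo, min(hi, v))


def ft_mi_fgsm(x0, label, flip_prob, rng):
    """One run of the iteration: flip -> gradient -> momentum sign step."""
    x_adv = list(x0)
    g = [0.0] * len(x0)           # accumulated (momentum) gradient
    for _ in range(STEPS):
        flipped = rng.random() < flip_prob
        x_in = flip_horizontal(x_adv, H, W) if flipped else x_adv
        grad = loss_gradient(x_in, label)
        if flipped:
            grad = flip_horizontal(grad, H, W)   # chain rule through the flip
        l1 = sum(abs(v) for v in grad) or 1.0
        g = [MU * gi + gr / l1 for gi, gr in zip(g, grad)]
        # Sign step, then project onto the EPS ball around x0 and onto [0, 1].
        x_adv = [clamp(clamp(xi + ALPHA * sign(gi), x0i - EPS, x0i + EPS), 0.0, 1.0)
                 for xi, gi, x0i in zip(x_adv, g, x0)]
    return x_adv


def run_attack(flip_prob, seed=0):
    """Return predictions and the realised L-infinity distance for one run."""
    rng = random.Random(seed)
    x_adv = ft_mi_fgsm(X0, TRUE_LABEL, flip_prob, rng)
    return {
        "pred_clean": predict(X0),
        "pred_adv": predict(x_adv),
        "linf": max(abs(a - b) for a, b in zip(x_adv, X0)),
        "x_adv": x_adv,
    }


if __name__ == "__main__":
    for p in (0.0, 0.5, 1.0):      # flip_prob = 0 is plain MI-FGSM
        r = run_attack(p)
        print(f"flip_prob={p}: clean={r['pred_clean']} adv={r['pred_adv']} "
              f"linf={r['linf']:.3f}")
```

The clamp to the EPS ball and to [0, 1] is the check a reviewer of a robustness evaluation should see on every generated example: a reported success rate is only meaningful if the perturbations actually respect the stated budget and remain valid images.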
