WU Liren¹, LIU Zhenghao¹, ZHANG Hao¹, CEN Yueliang², ZHOU Wei¹
1. School of Software, Yunnan University, Kunming Yunnan 650091, China
2. Faculty of Information Engineering and Automation, Kunming University of Science and Technology, Kunming Yunnan 650500, China
To address the problem that current mainstream adversarial attack algorithms reduce attack invisibility by perturbing global image features, an untargeted attack algorithm named PS-MIFGSM (Perceptual-Sensitive Momentum Iterative Fast Gradient Sign Method) was proposed. First, the Grad-CAM algorithm was used to capture the image areas that a Convolutional Neural Network (CNN) focuses on in the classification task. Then, MI-FGSM (Momentum Iterative Fast Gradient Sign Method) was used to attack the classification network and generate the adversarial perturbation, which was applied to the focus areas of the image while the non-focus areas were left unchanged, thereby generating a new adversarial sample. In the experiments, based on three image classification models, Inception_v1, Resnet_v1 and Vgg_16, the effects of PS-MIFGSM and MI-FGSM on single model attack and set model attack were compared. The results show that PS-MIFGSM can effectively reduce the difference between the real sample and the adversarial sample while keeping the attack success rate unchanged.
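An added illustration, not the authors' code: the region-restricted MI-FGSM update described in the abstract, run on a constructed toy linear classifier so that the size of a full-image perturbation can be compared with a focus-only one. The `focus_mask` saliency ranking is an assumed stand-in for Grad-CAM, and all names, parameters and data are hypothetical.

```python
import numpy as np

def softmax(z):
    e = np.exp(z - z.max())
    return e / e.sum()

def input_grad(W, x, y):
    # d(cross-entropy)/dx for the toy linear classifier logits = W @ x
    p = softmax(W @ x)
    p[y] -= 1.0
    return W.T @ p

def focus_mask(W, x, y, keep=0.3):
    # Stand-in for Grad-CAM (assumption): keep the top `keep` fraction of
    # pixels ranked by |weight * input| for the true class.
    sal = np.abs(W[y] * x)
    mask = np.zeros_like(x)
    mask[np.argsort(sal)[-int(keep * x.size):]] = 1.0
    return mask

def mi_fgsm(W, x, y, eps, steps=10, mu=1.0, mask=None):
    # MI-FGSM update; a mask confines every step to the focus region.
    mask = np.ones_like(x) if mask is None else mask
    alpha, g, x_adv = eps / steps, np.zeros_like(x), x.copy()
    for _ in range(steps):
        grad = input_grad(W, x_adv, y)
        g = mu * g + grad / (np.abs(grad).sum() + 1e-12)  # momentum on L1-normalised gradient
        x_adv = x_adv + alpha * np.sign(g) * mask
        x_adv = np.clip(np.clip(x_adv, x - eps, x + eps), 0.0, 1.0)
    return x_adv

def compare(seed=0, eps=0.05):
    rng = np.random.default_rng(seed)          # constructed toy data
    W = 0.1 * rng.normal(size=(3, 64))         # 3 classes, flattened 8x8 "image"
    x = rng.uniform(0.3, 0.7, size=64)
    y = int(np.argmax(W @ x))                  # label = clean prediction
    mask = focus_mask(W, x, y)
    full = mi_fgsm(W, x, y, eps) - x           # perturbation over the whole image
    part = mi_fgsm(W, x, y, eps, mask=mask) - x  # perturbation in focus region only
    return {"mask": mask, "full": full, "part": part,
            "l2_full": float(np.linalg.norm(full)),
            "l2_part": float(np.linalg.norm(part))}

if __name__ == "__main__":
    r = compare()
    print(f"L2 full-image: {r['l2_full']:.3f}  L2 focus-only: {r['l2_part']:.3f}")
```

The L2 norms give a simple proxy for the "difference between the real sample and the adversarial sample" that the abstract reports; the toy model says nothing about attack success rate on the paper's networks.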