聚焦图像对抗攻击算法PS-MIFGSM

doi:10.11772/j.issn.1001-9081.2019081392

计算机应用 ›› 2020, Vol. 40 ›› Issue (5): 1348-1353.DOI: 10.11772/j.issn.1001-9081.2019081392

聚焦图像对抗攻击算法PS-MIFGSM

吴立人¹, 刘政浩¹, 张浩¹, 岑悦亮², 周维¹

1.云南大学软件学院，昆明 650091
2.昆明理工大学信息工程与自动化学院，昆明 650500

收稿日期:2019-08-13 修回日期:2019-11-04 出版日期:2020-05-10 发布日期:2020-05-15
通讯作者: 周维(1974—)
作者简介:吴立人(1994—)，男，陕西咸阳人，硕士研究生，主要研究方向：深度学习；刘政浩(1996—)，男，湖北黄冈人，硕士研究生，主要研究方向：深度学习；张浩(1992—)，男，云南玉溪人，硕士研究生，主要研究方向：深度学习；岑悦亮(1996—)，女，广西梧州人，硕士研究生，主要研究方向：深度学习；周维(1974—)，男，云南昆明人，教授，博士，主要研究方向：分布式处理、生物信息学。
基金资助:
国家自然科学基金资助项目（61762089）。

PS-MIFGSM: focus image adversarial attack algorithm

WU Liren¹, LIU Zhenghao¹, ZHANG Hao¹, CEN Yueliang², ZHOU Wei¹

1.School of Software, Yunnan University, KunmingYunnan 650091, China
2.Faculty of Information Engineering and Automation, Kunming University of Science and Technology, KunmingYunnan 650500, China

Received:2019-08-13 Revised:2019-11-04 Online:2020-05-10 Published:2020-05-15
Contact: ZHOU Wei, born in 1974, Ph. D., professor. His research interests include distributed processing, bioinformatics.
About author:WU Liren, born in 1994, M. S. candidate. His research interests include deep learning.LIU Zhenghao, born in 1996, M. S. candidate. His research interests include deep learning.ZHANG Hao, born in 1992, M. S. candidate. His research interests include deep learning.CEN Yueliang, born in 1999, M. S. candidate. Her research interests include deep learning.ZHOU Wei, born in 1974, Ph. D., professor. His research interests include distributed processing, bioinformatics.
Supported by:
This work is partially supported by the National Natural Science Foundation of China (61762089).

摘要/Abstract

摘要：

针对目前主流对抗攻击算法通过扰动全局图像特征导致攻击隐蔽性降低的问题，提出一种聚焦图像的无目标攻击算法——PS-MIFGSM。首先，通过Grad-CAM算法捕获卷积神经网络(CNN)在分类任务中对图像的重点关注区域；然后，使用MI-FGSM攻击分类网络，生成对抗扰动，并且将扰动作用于图像的重点关注区域，而图像的非关注区域保持不变，从而生成新的对抗样本。在实验部分，以三种图像分类模型Inception_v1、Resnet_v1和Vgg_16为基础，对比了PS-MIFGSM和MI-FGSM两种方法分别进行单模型攻击和集合模型攻击的效果。实验结果表明，PS-MIFGSM能够在攻击成功率不变的同时，有效降低对抗样本与真实样本的差异大小。

关键词: 无目标攻击, 卷积神经网络, 图像分类, 对抗样本, 集合模型

Abstract:

Aiming at the problem of the present mainstream adversarial attack algorithm that the attack invisibility is reduced by disturbing the global image features, an untargeted attack algorithm named PS-MIFGSM (Perceptual-Sensitive Momentum Iterative Fast Gradient Sign Method) was proposed. Firstly, the areas of the image focused by Convolutional Neural Network (CNN) in the classification task were captured by using Grad-CAM algorithm. Then, MI-FGSM (Momentum Iterative Fast Gradient Sign Method) was used to attack the classification network to generate the adversarial disturbance, and the disturbance was applied to the focus areas of the image with the non-focus areas of the image unchanged, thereby, a new adversarial sample was generated. In the experiment, based on three image classification models Inception_v1, Resnet_v1 and Vgg_16, the effects of PS-MIFGSM and MI-FGSM on single model attack and set model attack were compared. The results show that PS-MIFGSM can effectively reduce the difference between the real sample and the adversarial sample with the attack success rate unchanged.

Key words: untargeted attack, Convolutional Neural Network (CNN), image classification, adversarial sample, set model

中图分类号:

TP391.1

吴立人, 刘政浩, 张浩, 岑悦亮, 周维. 聚焦图像对抗攻击算法PS-MIFGSM[J]. 计算机应用, 2020, 40(5): 1348-1353.

WU Liren, LIU Zhenghao, ZHANG Hao, CEN Yueliang, ZHOU Wei. PS-MIFGSM: focus image adversarial attack algorithm[J]. Journal of Computer Applications, 2020, 40(5): 1348-1353.

参考文献

1 BOJARSKI M , TESTA D DEL , DWORAKOWSKI D , et al . End to end learning for self-driving cars[EB/OL]. [2019-04-25].https://arxiv.org/pdf/1604.07316.pdf.
2 LECUN Y , MULLER U , BEN J, et al . Off-road obstacle avoidance through end-to-end learning[C]// Proceedings of the 18th International Conference on Neural Information Processing Systems. Cambridge: MIT Press, 2005: 739-746.
3 ETTEN A VAN . You only look twice: rapid multi-scale object detection in satellite imagery[EB/OL]. [2019-05-24].https://arxiv.org/pdf/1805.09512.pdf.
4 COGSWELL M , AHMED F , GIRSHICK R , et al . Reducing overfitting in deep networks by decorrelating representations[EB/OL]. [2018-11-19].https://arxiv.org/pdf/1511.06068.pdf.
5 ZEGGADA A , MELGANI F , BAZI Y . A deep learning approach to UAV image multilabeling[J]. IEEE Geoscience and Remote Sensing Letters, 2017, 14(5): 694-698.
6 YUAN X , HE P , ZHU Q , et al . Adversarial examples: attacks and defenses for deep learning[J]. IEEE Transactions on Neural Networks and Learning Systems, 2019, 30(9): 2805-2824.
7 PAPERNOT N , MCDANIEL P , JHA S, et al . The limitations of deep learning in adversarial settings[C]// Proceedins of the 2016 IEEE European Symposium on Security and Privacy. Piscataway:IEEE, 2016: 372-387.
8 MOOSAVI-DEZFOOLI S M , FAWZI A , FROSSARD P . DeepFool: a simple and accurate method to fool deep neural networks[C]// Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE, 2016: 2574-2582.
9 SELVARAJU R R , COGSWELL M , DAS A, et al . Grad-CAM: why did you say that? visual explanations from deep networks via gradient-based localization[EB/OL]. [2018-10-07].https://arxiv.org/pdf/1610.02391.pdf.
10 ZHOU B , KHOSLA A , LAPEDRIZA A , et al . Learning deep features for discriminative localization[C]// Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE, 2016: 2921-2929.
11 DONG Y , LIAO F , PANG T , et al . Boosting adversarial attacks with momentum[C]// Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE, 2018: 9185-9193.
12 SZEGEDY C , ZAREMBA W , SUTSKEVER I , et al . Intriguing properties of neural networks[EB/OL].[2014-02-19]. https://arxiv.org/abs/1312.6199.
13 GOODFELLOW I J , SHLENS J , SZEGEDY C . Explaining and harnessing adversarial examples[EB/OL]. [2018-12-20].https://arxiv.org/pdf/1412.6572.pdf.
14 MADRY A , MAKELOV A , SCHMIDT L , et al . Towards deep learning models resistant to adversarial attacks[EB/OL]. [2018-06-19].https://arxiv.org/pdf/1706.06083.pdf.
15 SU J , VARGAS D V , SAKURAI K . One pixel attack for fooling deep neural networks[J]. IEEE Transactions on Evolutionary Computation, 2019, 23(5): 828-841.
16 LECUN Y , BOTTOU L , BENGIO Y , et al . Gradient-based learning applied to document recognition[J]. Proceedings of the IEEE, 1998, 86(11): 2278-2324.
17 GIRSHICK R , DONAHUE J , DARRELL T , et al . Rich feature hierarchies for accurate object detection and semantic segmentation[C]// Proceedings of 2014 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE, 2014: 580-587.
18 SWIETOJANSKI P , GHOSHAL A , RENALS S . Convolutional neural networks for distant speech recognition[J]. IEEE Signal Processing Letters, 2014, 21(9): 1120-1124.
19 SINGH R , LANCHANTIN J , ROBINS G , et al . DeepChrome: deep-learning for predicting gene expression from histone modifications[J]. Bioinformatics, 2016, 32(17): i639-i648.
20 PRASOON A , PETERSEN K , IGEL C , et al . Deep feature learning for knee cartilage segmentation using a triplanar convolutional neural network[C]// Proceedings of 2013 International Conference on Medical Image Computing and Computer-Assisted Intervention, LNCS 8150. Berlin: Springer, 2013: 246-253.
21 SIMONYAN K , ZISSERMAN A . Very deep convolutional networks for large-scale image recognition[EB/OL]. [2018-09-04].https://arxiv.org/pdf/1409.1556.pdf.
22 SZEGEDY C , LIU W , JIA Y , et al . Going deeper with convolutions[C]// Proceedings of 2015 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE, 2015: 1-9.
23 HE K , ZHANG X , REN S , et al . Deep residual learning for image recognition[C]// Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE, 2016: 770-778.

[1]	宋中山, 梁家锐, 郑禄, 刘振宇, 帖军. 基于双向门控尺度特征融合的遥感场景分类[J]. 计算机应用, 2021, 41(9): 2726-2735.
[2]	李康康, 张静. 基于注意力机制的多层次编码和解码的图像描述模型[J]. 计算机应用, 2021, 41(9): 2504-2509.
[3]	张永斌, 常文欣, 孙连山, 张航. 基于字典的域名生成算法生成域名的检测方法[J]. 计算机应用, 2021, 41(9): 2609-2614.
[4]	赵宏, 孔东一. 图像特征注意力与自适应注意力融合的图像内容中文描述[J]. 计算机应用, 2021, 41(9): 2496-2503.
[5]	徐江浪, 李林燕, 万新军, 胡伏原. 结合目标检测的室内场景识别方法[J]. 计算机应用, 2021, 41(9): 2720-2725.
[6]	牟长宁, 王海鹏, 周丕宇, 侯鑫行. 基于图卷积神经网络的串联质谱从头测序[J]. 计算机应用, 2021, 41(9): 2773-2779.
[7]	王贺兵, 张春梅. 基于非对称卷积-压缩激发-次代残差网络的人脸关键点检测[J]. 计算机应用, 2021, 41(9): 2741-2747.
[8]	曹玉红, 徐海, 刘荪傲, 王紫霄, 李宏亮. 基于深度学习的医学影像分割研究综述[J]. 计算机应用, 2021, 41(8): 2273-2287.
[9]	秦斌斌, 彭良康, 卢向明, 钱江波. 司机分心驾驶检测研究进展[J]. 计算机应用, 2021, 41(8): 2330-2337.
[10]	黄程程, 董霄霄, 李钊. 基于二维Winograd算法的深流水线5×5卷积方法[J]. 计算机应用, 2021, 41(8): 2258-2264.
[11]	曾祥银, 郑伯川, 刘丹. 基于深度卷积神经网络和聚类的左右轨道线检测[J]. 计算机应用, 2021, 41(8): 2324-2329.
[12]	武光利, 李雷霆, 郭振洲, 王成祥. 基于改进的双向长短期记忆网络的视频摘要生成模型[J]. 计算机应用, 2021, 41(7): 1908-1914.
[13]	谭道强, 曾诚, 乔金霞, 张俊. 基于混合注意力模型的阴影检测方法[J]. 计算机应用, 2021, 41(7): 2076-2081.
[14]	吴则举, 焦翠娟, 陈亮. 基于改进Faster R-CNN的轮胎缺陷检测方法[J]. 计算机应用, 2021, 41(7): 1939-1946.
[15]	杨粟, 欧阳智, 杜逆索. 基于相关度距离的无监督并行哈希图像检索[J]. 计算机应用, 2021, 41(7): 1902-1907.

聚焦图像对抗攻击算法PS-MIFGSM

PS-MIFGSM: focus image adversarial attack algorithm

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics