Journal of Computer Applications, 2022, Vol. 42, Issue (2): 510-518. DOI: 10.11772/j.issn.1001-9081.2021020360
• Cyber security •
Quan CHEN, Li LI, Yongle CHEN, Yuexing DUAN
Received: 2021-03-10
Revised: 2021-04-28
Accepted: 2021-04-29
Online: 2021-05-10
Published: 2022-02-10
Contact: Yongle CHEN
About author: CHEN Quan, born in 1996, M. S. candidate. His research interests include deep learning, adversarial attack.
Supported by:
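Corresponding author: CHEN Yongle
Author biography: CHEN Quan (born 1996), male, from Taiyuan, Shanxi, M. S. candidate; main research interests: deep learning, adversarial attack. Funding: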
CLC Number:
Quan CHEN, Li LI, Yongle CHEN, Yuexing DUAN. Adversarial attack algorithm for deep learning interpretability[J]. Journal of Computer Applications, 2022, 42(2): 510-518.
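CHEN Quan, LI Li, CHEN Yongle, DUAN Yuexing. Adversarial attack algorithm for deep learning interpretability[J]. Journal of Computer Applications (sole official website), 2022, 42(2): 510-518.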
URL: http://www.joca.cn/EN/10.11772/j.issn.1001-9081.2021020360
Algorithm | Running time/s |
---|---|
Dynamic genetic algorithm | 13.0 |
Grey wolf algorithm | 14.6 |
Cuckoo algorithm | 20.1 |
Salp swarm algorithm | 11.2 |
Tab. 1 Running times of different optimization algorithms
Algorithm | AlexNet | VGG-19 | ResNet-50 | SqueezeNet |
---|---|---|---|---|
BIM | 99.50 | 99.60 | 100.00 | 99.60 |
DeepFool | 99.40 | 99.80 | 99.90 | 99.80 |
Grad-CAM Attack (S=1) | 72.50 | 72.30 | 91.10 | 86.50 |
Grad-CAM Attack (S=-1) | 48.50 | 16.50 | 9.90 | 39.00 |
Tab. 2 Untargeted attack success rate under different models
Algorithm | AlexNet | VGG-19 | ResNet-50 | SqueezeNet |
---|---|---|---|---|
BIM | 99.50 | 99.60 | 100.00 | 99.60 |
DeepFool | 99.40 | 99.80 | 99.90 | 99.80 |
Grad-CAM Attack (S=1) | 92.30 | 93.30 | 95.90 | 94.70 |
Tab. 3 Untargeted attack success rate under different models after improvement
Parameter | Value | Parameter | Value |
---|---|---|---|
Maximum distortion | 0.09 | Perturbed pixel increment | 18 |
Initial perturbation coefficient | 0.21 | Mutation rate | 0.05 |
Perturbation decrement | 0.02 | Crossover rate | 0.96 |
Number of iterations | 150 | | |
Tab. 4 Parameter settings
Algorithm | AlexNet | VGG-19 | ResNet-50 | SqueezeNet | Average success rate |
---|---|---|---|---|---|
One pixel | 83.00 | 73.80 | 79.00 | 69.60 | 76.35 |
Boundary-attack | 97.40 | 98.80 | 97.90 | 96.80 | 97.73 |
Ada-FGSM | 90.61 | 91.74 | 89.57 | 86.88 | 89.70 |
TREMBA | 93.90 | 95.80 | 92.20 | 93.72 | 93.91 |
PPBA | 89.60 | 90.30 | 84.80 | 72.30 | 84.25 |
Dynamic genetic algorithm (Grad-CAM) | 93.10 | 94.30 | 91.40 | 92.70 | 92.88 |
Tab. 5 Black-box attack success rate under different models
Algorithm | AlexNet | VGG-19 | ResNet-50 | SqueezeNet |
---|---|---|---|---|
One pixel | 16.2 | 18.6 | 18.7 | 17.4 |
Boundary-attack | 18.3 | 19.2 | 19.4 | 19.9 |
Ada-FGSM | 19.2 | 19.9 | 20.5 | 19.8 |
TREMBA | 29.6 | 31.3 | 32.2 | 30.4 |
PPBA | 19.7 | 21.4 | 22.6 | 22.1 |
Dynamic genetic algorithm (Grad-CAM) | 18.9 | 19.2 | 19.3 | 19.0 |
Tab. 6 Average processing time of 50 images
Group No. | Perturbation decrement | Perturbed pixel increment | Running time/s | Success rate/% |
---|---|---|---|---|
1* | 0.02 | 18 | 19.0 | 92.88 |
2 | 0.02 | 15 | 55.2 | 94.20 |
3 | 0.04 | 18 | 16.8 | 89.30 |
4 | 0.03 | 17 | 29.8 | 91.60 |
5 | 0.01 | 19 | 24.4 | 90.80 |
Tab. 7 Performance comparison of different parameters (SqueezeNet)