Adversarial example generation method based on image flipping transform

doi:10.11772/j.issn.1001-9081.2021060993

Journal of Computer Applications ›› 2022, Vol. 42 ›› Issue (8): 2319-2325.DOI: 10.11772/j.issn.1001-9081.2021060993

Special Issue: 人工智能

• Artificial intelligence • Previous Articles Next Articles

Adversarial example generation method based on image flipping transform

Bo YANG¹, Hengwei ZHANG¹(), Zheming LI¹^,², Kaiyong XU¹

^1.Information Engineering University，Zhengzhou Henan 450001，China
^2.PLA Army General Staff，Beijing 100000，China

Received:2021-06-10 Revised:2021-10-12 Accepted:2021-10-29 Online:2022-01-25 Published:2022-08-10
Contact: Hengwei ZHANG
About author:YANG Bo， born in 1993， M. S. candidate. His research interests include deep learning， intelligent system security.
ZHANG Hengwei， born in 1978， Ph. D.， associate professor. His research interests include network security game theory， intelligent system security.
LI Zheming， born in 1994， M. S. candidate， assistant engineer. His research interests include deep learning， network and information security.
XU Kaiyong， born in 1963， research fellow. His research interests include network and information security， trusted computing.
Supported by:
National Key Research and Development Program of China(2017YFB0801900)

基于图像翻转变换的对抗样本生成方法

杨博¹, 张恒巍¹(), 李哲铭¹^,², 徐开勇¹

^1.中国人民解放军战略支援部队信息工程大学，郑州 450001
^2.中国人民解放军陆军参谋部，北京 100000

通讯作者: 张恒巍
作者简介:杨博（1993—），男，湖北咸宁人，硕士研究生，主要研究方向：深度学习、智能系统安全；
张恒巍（1978—），男，河南洛阳人，副教授，博士，主要研究方向：网络安全博弈、智能系统安全；
李哲铭（1994—），男，河北唐山人，助理工程师，硕士研究生，主要研究方向：深度学习、网络与信息安全；
徐开勇（1963—），男，河南信阳人，研究员，主要研究方向：网络与信息安全、可信计算。
基金资助:
国家重点研发计划项目(2017YFB0801900)

Abstract

Abstract:

In the face of adversarial example attack， deep neural networks are vulnerable. These adversarial examples result in the misclassification of deep neural networks by adding human-imperceptible perturbations on the original images， which brings a security threat to deep neural networks. Therefore， before the deployment of deep neural networks， the adversarial attack is an important method to evaluate the robustness of models. However， under the black-box setting， the attack success rates of adversarial examples need to be improved， that is， the transferability of adversarial examples need to be increased. To address this issue， an adversarial example method based on image flipping transform， namely FT-MI-FGSM （Flipping Transformation Momentum Iterative Fast Gradient Sign Method）， was proposed. Firstly， from the perspective of data augmentation， in each iteration of the adversarial example generation process， the original input image was flipped randomly. Then， the gradient of the transformed images was calculated. Finally， the adversarial examples were generated based on this gradient， so as to alleviate the overfitting in the process of adversarial example generation and to improve the transferability of adversarial examples. In addition， the method of attacking ensemble models was used to further enhance the transferability of adversarial examples. Extensive experiments on ImageNet dataset demonstrated the effectiveness of the proposed algorithm. Compared with I-FGSM （Iterative Fast Gradient Sign Method） and MI-FGSM （Momentum I-FGSM）， the average black-box attack success rate of FT-MI-FGSM on the adversarially training networks is improved by 26.0 and 8.4 percentage points under the attacking ensemble model setting， respectively.

Key words: image flipping transform, adversarial example, black-box attack, deep neural network, transferability

摘要：

面对对抗样本的攻击，深度神经网络是脆弱的。对抗样本是在原始输入图像上添加人眼几乎不可见的噪声生成的，从而使深度神经网络误分类并带来安全威胁。因此在深度神经网络部署前，对抗性攻击是评估模型鲁棒性的重要方法。然而，在黑盒情况下，对抗样本的攻击成功率还有待提高，即对抗样本的可迁移性有待提升。针对上述情况，提出基于图像翻转变换的对抗样本生成方法——FT-MI-FGSM（Flipping Transformation Momentum Iterative Fast Gradient Sign Method）。首先，从数据增强的角度出发，在对抗样本生成过程的每次迭代中，对原始输入图像随机翻转变换；然后，计算变换后图像的梯度；最后，根据梯度生成对抗样本以减轻对抗样本生成过程中的过拟合，并提升对抗样本的可迁移性。此外，通过使用攻击集成模型的方法，进一步提高对抗样本的可迁移性。在ImageNet数据集上验证了所提方法的有效性。相较于I-FGSM（Iterative Fast Gradient Sign Method）和MI-FGSM（Momentum I-FGSM），在攻击集成模型设置下，FT-MI-FGSM在对抗训练网络上的平均黑盒攻击成功率分别提升了26.0和8.4个百分点。

关键词: 图像翻转变换, 对抗样本, 黑盒攻击, 深度神经网络, 可迁移性

CLC Number:

TP391

Bo YANG, Hengwei ZHANG, Zheming LI, Kaiyong XU. Adversarial example generation method based on image flipping transform[J]. Journal of Computer Applications, 2022, 42(8): 2319-2325.

杨博, 张恒巍, 李哲铭, 徐开勇. 基于图像翻转变换的对抗样本生成方法[J]. 《计算机应用》唯一官方网站, 2022, 42(8): 2319-2325.

Figures/Tables 10

References 28

1	KRIZHEVSKY A， SUTSKEVER I， HINTON G E. ImageNet classification with deep convolutional neural networks ［C］// Proceedings of the 25th International Conference on Neural Information Processing Systems. Red Hook， NY： Curran Associates Inc.， 2012： 1097-1105.
2	SIMONYAN K， ZISSERMAN A. Very deep convolutional networks for large-scale image recognition［EB/OL］. （2015-04-10）［2021-02-10］. .
3	SZEGEDY C， LIU W， JIA Y Q， et al. Going deeper with convolutions ［C］// Proceedings of the 2015 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2015： 1-9. 10.1109/cvpr.2015.7298594
4	HE K M， ZHANG X Y， REN S Q， et al. Deep residual learning for image recognition ［C］// Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2016： 770-778. 10.1109/cvpr.2016.90
5	SZEGEDY C， ZAREMBA W， SUTSKEVER I， et al. Intriguing properties of neural networks［EB/OL］. （2014-02-19）［2021-02-10］. .
6	GOODFELLOW I J， SHLENS J， SZEGEDY C. Explaining and harnessing adversarial examples［EB/OL］. （2015-03-20）［2021-02-10］. .
7	刘雨佳. 针对神经网络的图像对抗样本生成及应用研究［D］.合肥：中国科学技术大学，2019：19-20.
	LIU Y J. Generation and application of image adversarial examples for neural networks ［D］. Hefei： University of Science and Technology of China， 2019： 19-20.
8	LIU Y P， CHEN X Y， LIU C， et al. Delving into transferable adversarial examples and black-box attacks［EB/OL］. （2017-02-07）［2021-02-11］. .
9	KURAKIN A， GOODFELLOW I J， BENGIO S. Adversarial examples in the physical world［EB/OL］. （2017-02-11）［2021-02-11］. . 10.1201/9781351251389-8
10	DONG Y P， LIAO F Z， PANG T Y， et al. Boosting adversarial attacks with momentum ［C］// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2018： 9185-9193. 10.1109/cvpr.2018.00957
11	KINGMA D P， BA J L. Adam： a method for stochastic optimization［EB/OL］. （2017-01-30）［2021-02-11］. .
12	SUTSKEVER I， MARTENS J， DAHL G， et al. On the importance of initialization and momentum in deep learning ［C］// Proceedings of the 30th International Conference Machine Learning. New York： JMLR.org， 2013： 1139-1147.
13	HINTON G， SRIVASTAVA N， SWERSKY K. RMSProp： divide the gradient by a running average of its recent magnitude. ［EB/OL］. ［2021-02-11］. .
14	RUSSAKOVSKY O， DENG J， SU H， et al. ImageNet large scale visual recognition challenge［J］. International Journal of Computer Vision， 2015， 115（3）： 211-252. 10.1007/s11263-015-0816-y
15	BIGGIO B， CORONA I， MAIORCA D， et al. Evasion attacks against machine learning at test time ［C］// Proceedings of the 2013 Joint European Conference on Machine Learning and Knowledge Discovery in Databases， LNCS 8190. Berlin： Springer， 2013： 387-402.
16	EYKHOLT K， EVTIMOV I， FERNANDES E， et al. Robust physical-world attacks on deep learning visual classification ［C］// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2018： 1625-1634. 10.1109/cvpr.2018.00175
17	LECUN Y， CORTES C. MNIST handwritten digit database ［DB/OL］. （2010-02-16）［2021-02-14］. .
18	MADRY A， MAKELOV A， SCHMIDT L， et al. Towards deep learning models resistant to adversarial attacks［EB/OL］. （2019-09-04）［2021-02-13］. .
19	LIAO F Z， LIANG M， DONG Y P， et al. Defense against adversarial attacks using high-level representation guided denoiser ［C］// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2018： 1778-1787. 10.1109/cvpr.2018.00191
20	GUO C， RANA M， CISSÉ M， et al. Countering adversarial images using input transformations［EB/OL］. （2018-01-25）［2021-02-13］. .
21	SAMANGOUEI P， KABKAB M， CHELLAPPA R. Defense-GAN： protecting classifiers against adversarial attacks using generative models［EB/OL］. （2018-05-18）［2021-02-13］. .
22	KURAKIN A， GOODFELLOW I J， BENGIO S. Adversarial machine learning at scale［EB/OL］. （2017-02-11）［2021-02-14］. . 10.1201/9781351251389-8
23	TRAMÈR F， KURAKIN A， PAPERNOT N， et al. Ensemble adversarial training： attacks and defenses［EB/OL］. （2020-04-26）［2021-02-14］. .
24	SZEGEDY C， VANHOUCKE V， IOFFE S， et al. Rethinking the inception architecture for computer vision ［C］// Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2016： 2818-2826. 10.1109/cvpr.2016.308
25	SZEGEDY C， IOFFE S， VANHOUCKE V， et al. Inception-v4， Inception-ResNet and the impact of residual connections on learning ［C］// Proceedings of the 31st AAAI Conference on Artificial Intelligence. Palo Alto， CA： AAAI Press， 2017： 4278-4284. 10.1609/aaai.v31i1.11231
26	HE K M， ZHANG X Y， REN S Q， et al. Identity mappings in deep residual networks ［C］// Proceedings of the 2016 European Conference on Computer Vision， LNCS 9908. Cham： Springer， 2016： 630-645.
27	KRIZHEVSKY A. Learning multiple layers of features from tiny images ［EB/OL］. （2009-03-12）［2021-02-14］. .
28	XIAO Y T， PUN C M. Improving adversarial attacks on deep neural networks via constricted gradient-based perturbations［J］. Information Sciences， 2021， 571： 104-132. 10.1016/j.ins.2021.04.033

网络模型	攻击方法	正常训练网络				对抗训练网络
网络模型	攻击方法	Inc-v3	Inc-v4	IncRes-v2	Res-101	Inc-v3_ens3	Inc-v3_ens4	IncRes-v2_ens
Inc-v3	I-FGSM	99.9^*	22.6	20.2	18.1	7.2	7.6	4.1
	MI-FGSM	99.9^*	48.1	47.1	39.9	15.2	14.2	7.2
	FT-MI-FGSM	100.0^*	65.2	61.2	53.7	20.3	18.9	9.7
Inc-v4	I-FGSM	37.9	99.9^*	26.2	21.9	8.7	8.0	5.0
	MI-FGSM	63.9	99.9^*	53.7	47.7	19.7	16.9	9.4
	FT-MI-FGSM	74.4	99.9^*	65.5	56.6	23.3	19.7	10.6
IncRes-v2	I-FGSM	37.2	31.8	99.6^*	25.9	8.9	7.5	4.9
	MI-FGSM	68.6	61.9	99.6^*	52.1	25.1	20.2	14.4
	FT-MI-FGSM	78.4	72.2	99.1^*	63.2	32.9	26.6	18.4
Res-101	I-FGSM	27.7	23.3	21.3	98.2^*	9.3	7.9	5.6
	MI-FGSM	52.4	48.2	45.6	98.2^*	22.3	18.6	11.8
	FT-MI-FGSM	67.0	62.7	59.2	98.0^*	30.3	25.7	16.3

网络模型	攻击方法	正常训练网络				对抗训练网络
网络模型	攻击方法	Inc-v3	Inc-v4	IncRes-v2	Res-101	Inc-v3_ens3	Inc-v3_ens4	IncRes-v2_ens
Inc-v3	I-FGSM	99.9^*	22.6	20.2	18.1	7.2	7.6	4.1
	MI-FGSM	99.9^*	48.1	47.1	39.9	15.2	14.2	7.2
	FT-MI-FGSM	100.0^*	65.2	61.2	53.7	20.3	18.9	9.7
Inc-v4	I-FGSM	37.9	99.9^*	26.2	21.9	8.7	8.0	5.0
	MI-FGSM	63.9	99.9^*	53.7	47.7	19.7	16.9	9.4
	FT-MI-FGSM	74.4	99.9^*	65.5	56.6	23.3	19.7	10.6
IncRes-v2	I-FGSM	37.2	31.8	99.6^*	25.9	8.9	7.5	4.9
	MI-FGSM	68.6	61.9	99.6^*	52.1	25.1	20.2	14.4
	FT-MI-FGSM	78.4	72.2	99.1^*	63.2	32.9	26.6	18.4
Res-101	I-FGSM	27.7	23.3	21.3	98.2^*	9.3	7.9	5.6
	MI-FGSM	52.4	48.2	45.6	98.2^*	22.3	18.6	11.8
	FT-MI-FGSM	67.0	62.7	59.2	98.0^*	30.3	25.7	16.3

攻击方法	白盒攻击				黑盒攻击			平均
攻击方法	Inc-v3	Inc-v4	IncRes-v2	Res-101	Inc-v3_ens3	Inc-v3_ens4	IncRes-v2_ens	平均
I-FGSM	99.7	96.2	91.8	86.6	18.8	15.9	9.4	59.8
MI-FGSM	99.8	97.6	95.0	91.1	38.5	36.0	22.5	68.6
FT-MI-FGSM	98.9	97.6	94.7	91.2	48.2	45.6	28.2	72.1

攻击方法	白盒攻击				黑盒攻击			平均
攻击方法	Inc-v3	Inc-v4	IncRes-v2	Res-101	Inc-v3_ens3	Inc-v3_ens4	IncRes-v2_ens	平均
I-FGSM	99.7	96.2	91.8	86.6	18.8	15.9	9.4	59.8
MI-FGSM	99.8	97.6	95.0	91.1	38.5	36.0	22.5	68.6
FT-MI-FGSM	98.9	97.6	94.7	91.2	48.2	45.6	28.2	72.1

数据集	生成对抗样本模型	检验对抗样本模型	I-FGSM	MI-FGSM	FT-MI-FGSM
MNIST	MLPNet	LeNet	2.15	2.91	3.24
MNIST	LeNet	MLPNet	4.21	4.75	5.46
CIFAR10	ResNet50	VGG16	12.70	12.80	14.20
CIFAR10	VGG16	ResNet50	40.50	40.70	42.30

Adversarial example generation method based on image flipping transform

基于图像翻转变换的对抗样本生成方法

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 10

References 28

Related Articles 15

Recommended Articles

Metrics

[1]	Rui SHI, Yong LI, Yanhan ZHU. Adversarial sample attack algorithm of modulation signal based on equalization of feature gradient [J]. Journal of Computer Applications, 2024, 44(8): 2521-2527.
[2]	Mei WANG, Xuesong SU, Jia LIU, Ruonan YIN, Shan HUANG. Time series classification method based on multi-scale cross-attention fusion in time-frequency domain [J]. Journal of Computer Applications, 2024, 44(6): 1842-1847.
[3]	Jinfu WU, Yi LIU. Fast adversarial training method based on random noise and adaptive step size [J]. Journal of Computer Applications, 2024, 44(6): 1807-1815.
[4]	Bin XIAO, Mo YANG, Min WANG, Guangyuan QIN, Huan LI. Domain generalization method of phase-frequency fusion from independent perspective [J]. Journal of Computer Applications, 2024, 44(4): 1002-1009.
[5]	Yu ZHANG, Yan CHANG, Shibin ZHANG. Adversarial example detection algorithm based on quantum local intrinsic dimensionality [J]. Journal of Computer Applications, 2024, 44(2): 490-495.
[6]	Mengmei YAN, Dongping YANG. Review of mean field theory for deep neural network [J]. Journal of Computer Applications, 2024, 44(2): 331-343.
[7]	Yifei SONG, Yi LIU. Fast adversarial training method based on data augmentation and label noise [J]. Journal of Computer Applications, 2024, 44(12): 3798-3807.
[8]	Wenze CHAI, Jing FAN, Shukui SUN, Yiming LIANG, Jingfeng LIU. Overview of deep metric learning [J]. Journal of Computer Applications, 2024, 44(10): 2995-3010.
[9]	Tong CHEN, Jiwei WEI, Shiyuan HE, Jingkuan SONG, Yang YANG. Adversarial training method with adaptive attack strength [J]. Journal of Computer Applications, 2024, 44(1): 94-100.
[10]	Yunfei SHEN, Fei SHEN, Fang LI, Jun ZHANG. Deep neural network model acceleration method based on tensor virtual machine [J]. Journal of Computer Applications, 2023, 43(9): 2836-2844.
[11]	Xujian ZHAO, Hanglin LI. Deep neural network compression algorithm based on hybrid mechanism [J]. Journal of Computer Applications, 2023, 43(9): 2686-2691.
[12]	Xiaolin LI, Songjia YANG. Hybrid beamforming for multi-user mmWave relay networks using deep learning [J]. Journal of Computer Applications, 2023, 43(8): 2511-2516.
[13]	Gan LI, Mingdi NIU, Lu CHEN, Jing YANG, Tao YAN, Bin CHEN. Robotic grasp detection in low-light environment by incorporating visual feature enhancement mechanism [J]. Journal of Computer Applications, 2023, 43(8): 2564-2571.
[14]	Haiyu YANG, Wenpu GUO, Kai KANG. Signal modulation recognition method based on convolutional long short-term deep neural network [J]. Journal of Computer Applications, 2023, 43(4): 1318-1322.
[15]	Yuhang LI, Yuli YANG, Yao MA, Dan YU, Yongle CHEN. Text adversarial example generation method based on BERT model [J]. Journal of Computer Applications, 2023, 43(10): 3093-3098.