Universal perturbation generation method of neural network based on differential evolution

doi:10.11772/j.issn.1001-9081.2022111733

Journal of Computer Applications ›› 2023, Vol. 43 ›› Issue (11): 3436-3442.DOI: 10.11772/j.issn.1001-9081.2022111733

Special Issue: 人工智能

• Artificial intelligence • Previous Articles Next Articles

Universal perturbation generation method of neural network based on differential evolution

Qianshun GAO(), Chunlong FAN, Yanda LI, Yiping TENG

School of Computer Science，Shenyang Aerospace University，Shenyang Liaoning 110136，China

Received:2022-11-22 Revised:2023-03-17 Accepted:2023-03-31 Online:2023-05-08 Published:2023-11-10
Contact: Chunlong FAN
About author:GAO Qianshun， born in 1997， M. S. candidate. His research interests include deep learning， adversarial attack.
FAN Chunlong， born in 1973， Ph. D.， professor. His research interests include neural network interpretability， complex network analysis， intelligent system verification.
LI Yanda， born in 1999， M. S. candidate. His research interests include deep learning， adversarial attack.
TENG Yiping， born in 1989， Ph. D.， associate professor. His research interests include privacy protection， deep learning.
Supported by:
National Natural Science Foundation of China(61902260);Scientific Research Project of Educational Department of Liaoning Province(JYT2020026)

基于差分进化的神经网络通用扰动生成方法

高乾顺(), 范纯龙, 李炎达, 滕一平

沈阳航空航天大学计算机学院，沈阳 110136

通讯作者: 范纯龙
作者简介:高乾顺（1997—），男，山东临沂人，硕士研究生，主要研究方向：深度学习、对抗攻击 FanCHL@sau.edu.cn
范纯龙（1973—），男，辽宁沈阳人，教授，博士，CCF会员，主要研究方向：神经网络可解释性、复杂网络分析、智能系统验证
李炎达（1999—），男，辽宁沈阳人，硕士研究生，主要研究方向：深度学习、对抗攻击
滕一平（1989—），男，辽宁沈阳人，副教授，博士，CCF会员，主要研究方向：隐私保护、深度学习。
基金资助:
国家自然科学基金资助项目(61902260);辽宁省教育厅科学研究项目(JYT2020026)

Abstract

Abstract:

Aiming at the problem that the universal perturbation search in HGAA （Hyperspherical General Adversarial Attacks） algorithm is always limited to the spatial spherical surface， and it does not have the ability to search the space inside the sphere， a differential evolution algorithm based on hypersphere was proposed. In the algorithm， the search space was expanded to the interior of the sphere， and Differential Evolution （DE） algorithm was used to search the optimal sphere， so as to generate universal perturbations with higher fooling rate and lower modulus length on this sphere. Besides， the influence of key parameters such as the number of populations on the algorithm was analyzed， and the performance of the universal perturbations generated by the algorithm on different neural network models was tested. The algorithm was verified on CIFAR10 and SVHN image classification datasets， and the fooling rate of the algorithm was increased by up to 11.8 percentage points compared with that of HGAA algorithm. Experimental results show that this algorithm extends the universal perturbation search space of the HGAA algorithm， reduces the modulus length of universal perturbation， and improves the fooling rate of universal perturbations.

Key words: adversarial attack, universal perturbation, neural network, hypersphere attack, Differential Evolution (DE)algorithm

摘要：

针对超球面通用攻击（HGAA）算法中通用扰动搜索始终限定在空间球面上，不具有球内空间搜索能力的问题，提出一种基于超球面的差分进化算法。该算法将搜索空间扩大到球面内部，并通过差分进化（DE）算法搜索最优球面，从而生成愚弄率更高、模长更低的通用扰动。此外，分析了种群数量等关键参数对该算法的影响，并且测试了该算法生成的通用扰动在不同神经网络模型上的性能。在CIFAR10和SVHN图像分类数据集上进行验证，该算法与HGAA算法相比愚弄率最多提高了11.8个百分点。实验结果表明，该算法扩展了HGAA算法的通用扰动搜索空间，降低了通用扰动的模长，提高了通用扰动的愚弄率。

关键词: 对抗攻击, 通用扰动, 神经网络, 超球面攻击, 差分进化算法

CLC Number:

TP391

Qianshun GAO, Chunlong FAN, Yanda LI, Yiping TENG. Universal perturbation generation method of neural network based on differential evolution[J]. Journal of Computer Applications, 2023, 43(11): 3436-3442.

高乾顺, 范纯龙, 李炎达, 滕一平. 基于差分进化的神经网络通用扰动生成方法[J]. 《计算机应用》唯一官方网站, 2023, 43(11): 3436-3442.

Figures/Tables 10

Tab. 1 FR and L2 of comparison algorithms under different modulus lengths and different network models on different datasets

数据集	模型	数据子集	UAP		$U A P o u r s$		HGAA		本文算法
数据集	模型	数据子集	$F R$	$L 2$	$F R$	$L 2$	$F R$	$L 2$	$F R$	$L 2$
CIFAR10	ResNet18	Train	0.557	2	0.599	1.981	0.780	2	0.850	1.981
	ResNet18	Val	0.542	2	0.532	1.990	0.770	2	0.823	1.990
	VGG11	Train	0.717	2	0.723	1.990	0.892	2	0.898	1.990
	VGG11	Val	0.670	2	0.771	1.987	0.869	2	0.872	1.987
	NiN	Train	0.557	2	0.523	1.982	0.706	2	0.720	1.982
	NiN	Val	0.478	2	0.454	1.951	0.702	2	0.721	1.951
SVHN	ResNet18	Train	0.772	2	0.774	1.986	0.756	2	0.840	1. 986
	ResNet18	Val	0.773	2	0.761	1.979	0.828	2	0.847	1. 979
	VGG11	Train	0.788	2	0.772	1.872	0.750	2	0.812	1. 872
	VGG11	Val	0.792	2	0.805	1.898	0.792	2	0.858	1. 898
	NiN	Train	0.707	2	0.703	1.981	0.718	2	0.836	1. 981
	NiN	Val	0.702	2	0.712	1.934	0.782	2	0.847	1. 934

Tab. 1 FR and L2 of comparison algorithms under different modulus lengths and different network models on different datasets

数据集	模型	数据子集	UAP		$U A P o u r s$		HGAA		本文算法
数据集	模型	数据子集	$F R$	$L 2$	$F R$	$L 2$	$F R$	$L 2$	$F R$	$L 2$
CIFAR10	ResNet18	Train	0.557	2	0.599	1.981	0.780	2	0.850	1.981
	ResNet18	Val	0.542	2	0.532	1.990	0.770	2	0.823	1.990
	VGG11	Train	0.717	2	0.723	1.990	0.892	2	0.898	1.990
	VGG11	Val	0.670	2	0.771	1.987	0.869	2	0.872	1.987
	NiN	Train	0.557	2	0.523	1.982	0.706	2	0.720	1.982
	NiN	Val	0.478	2	0.454	1.951	0.702	2	0.721	1.951
SVHN	ResNet18	Train	0.772	2	0.774	1.986	0.756	2	0.840	1. 986
	ResNet18	Val	0.773	2	0.761	1.979	0.828	2	0.847	1. 979
	VGG11	Train	0.788	2	0.772	1.872	0.750	2	0.812	1. 872
	VGG11	Val	0.792	2	0.805	1.898	0.792	2	0.858	1. 898
	NiN	Train	0.707	2	0.703	1.981	0.718	2	0.836	1. 981
	NiN	Val	0.702	2	0.712	1.934	0.782	2	0.847	1. 934

Tab. 2 Comparison of query times and FR of each algorithm under different network models on different datasets

数据集	模型	UAP		HGAA		本文算法
数据集	模型	$F R$	$Q u e r y$	$F R$	$Q u e r y /$ 10²	$F R$	$L 2$	$Q u e r y /$ 10³
CIFAR10	ResNet18	0.575	88 804	0.779	5	0.814	1.980	15
	VGG11	0.667	79 296	0.866	5	0.864	1.959	15
	NiN	0.469	97 298	0.709	5	0.691	1.963	15
SVHN	ResNet18	0.790	81 398	0.839	5	0.836	1.926	15
	VGG11	0.796	77 079	0.786	5	0.803	1.946	15
	NiN	0.738	78 500	0.737	5	0.788	1.855	15

Tab. 2 Comparison of query times and FR of each algorithm under different network models on different datasets

数据集	模型	UAP		HGAA		本文算法
数据集	模型	$F R$	$Q u e r y$	$F R$	$Q u e r y /$ 10²	$F R$	$L 2$	$Q u e r y /$ 10³
CIFAR10	ResNet18	0.575	88 804	0.779	5	0.814	1.980	15
	VGG11	0.667	79 296	0.866	5	0.864	1.959	15
	NiN	0.469	97 298	0.709	5	0.691	1.963	15
SVHN	ResNet18	0.790	81 398	0.839	5	0.836	1.926	15
	VGG11	0.796	77 079	0.786	5	0.803	1.946	15
	NiN	0.738	78 500	0.737	5	0.788	1.855	15

Fig. 1 Universal perturbations generated by different network models

Fig. 2 Original samples and adversarial samples after adding perturbations and their predictiong labels of CIFAR10 dataset

Fig. 3 Adversarial samples generated by different algorithms on CIFAR10 dataset

Tab. 3 FR of cross-model attacks with universal perturbations obtained by proposed algorithm

数据集	模型	ResNet18	VGG11	NiN
CIFAR10	ResNet18	0.815	0.603	0.418
	VGG11	0.700	0.866	0.564
	NiN	0.496	0.547	0.723
SVHN	ResNet18	0.833	0.730	0.665
	VGG11	0.788	0.795	0.694
	NiN	0.735	0.706	0.793

Tab. 4 Influence of parameter M on algorithm

M	FR	$L 2$	Query/10⁴
5	0.817	1.954	5
10	0.813	1.964	10
15	0.819	1.990	15
20	0.821	1.990	20
25	0.815	1.948	25
30	0.812	1.970	30
35	0.820	1.980	35
40	0.819	1.962	40

Tab. 4 Influence of parameter M on algorithm

M	FR	$L 2$	Query/10⁴
5	0.817	1.954	5
10	0.813	1.964	10
15	0.819	1.990	15
20	0.821	1.990	20
25	0.815	1.948	25
30	0.812	1.970	30
35	0.820	1.980	35
40	0.819	1.962	40

Tab. 5 Influence of parameter lb on algorithm

lb	FR	$L 2$	lb	FR	$L 2$
1.60	0.816	1.968	1.80	0.818	1.972
1.65	0.815	1.987	1.85	0.816	1.974
1.70	0.824	1.984	1.90	0.816	1.978
1.75	0.817	1.984	1.95	0.823	1.987

Tab. 5 Influence of parameter lb on algorithm

lb	FR	$L 2$	lb	FR	$L 2$
1.60	0.816	1.968	1.80	0.818	1.972
1.65	0.815	1.987	1.85	0.816	1.974
1.70	0.824	1.984	1.90	0.816	1.978
1.75	0.817	1.984	1.95	0.823	1.987

Tab. 6 Influence of parameter T on algorithm

T	FR	$L 2$	Query/10⁴
3	0.818	1.970	3
4	0.812	1.947	4
5	0.817	1.986	5
6	0.816	1.986	6
7	0.817	1.986	7
8	0.813	1.930	8
9	0.815	1.961	9
10	0.815	1.982	10

Tab. 6 Influence of parameter T on algorithm

T	FR	$L 2$	Query/10⁴
3	0.818	1.970	3
4	0.812	1.947	4
5	0.817	1.986	5
6	0.816	1.986	6
7	0.817	1.986	7
8	0.813	1.930	8
9	0.815	1.961	9
10	0.815	1.982	10

Fig. 4 Influence of number of training samples on FR

References 34

1	LeCUN Y， BENGIO Y， HINTON G. Deep learning［J］. Nature， 2015， 521（7553）： 436-444. 10.1038/nature14539
2	KRIZHEVSKY A， SUTSKEVER I， HINTON G E. ImageNet classification with deep convolutional neural networks［J］. Communications of the ACM， 2017， 60（6）： 84-90. 10.1145/3065386
3	SZEGEDY C， ZAREMBA W， SUTSKEVER I， et al. Intriguing properties of neural networks［EB/OL］. ［2022-09-10］..
4	BIGGIO B， CORONA I， MAIORCA D， et al. Evasion attacks against machine learning at test time［C］// Proceedings of the 2013 Joint European Conference on Machine Learning and Knowledge Discovery in Databases， LNCS 8190. Berlin： Springer， 2013： 387-402.
5	BIGGIO B， FUMERA G， ROLI F. Pattern recognition systems under attack： design issues and research challenges［J］. International Journal of Pattern Recognition and Artificial Intelligence， 2014， 28（7）： No.1460002. 10.1142/s0218001414600027
6	HUANG L， JOSEPH A D， NELSON B， et al. Adversarial machine learning［C］// Proceedings of the 4th ACM Workshop on Security and Artificial Intelligence. New York： ACM， 2011： 43-58. 10.1145/2046684.2046692
7	GOODFELLOW I J， SHLENS J， SZEGEDY C. Explaining and harnessing adversarial examples［EB/OL］. ［2022-09-10］..
8	BENGIO Y. Learning deep architectures for AI［J］. Foundations and Trends in Machine Learning， 2009， 2（1）： 1-127. 10.1561/2200000006
9	KURAKIN A， GOODFELLOW I J， BENGIO S. Adversarial machine learning at scale［EB/OL］. ［2022-09-10］.. 10.1201/9781351251389-8
10	MOOSAVI-DEZFOOLI S M， FAWZI A， FROSSARD P. DeepFool： a simple and accurate method to fool deep neural networks［C］// Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2016： 2574-2582. 10.1109/cvpr.2016.282
11	SZEGEDY C， ZAREMBA W， SUTSKEVER I， et al. Intriguing properties of neural networks［EB/OL］. ［2022-09-10］..
12	DONG Y， LIAO F， PANG T， et al. Boosting adversarial attacks with momentum［C］// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2018： 9185-9193. 10.1109/cvpr.2018.00957
13	HUANG Q， KATSMAN I， GU Z， et al. Enhancing adversarial example transferability with an intermediate level attack［C］// Proceedings of the 2019 IEEE/CVF International Conference on Computer Vision. Piscataway： IEEE， 2019： 4732-4741. 10.1109/iccv.2019.00483
14	PAPERNOT N， McDANIEL P， GOODFELLOW I， et al. Practical black-box attacks against machine learning［C］// Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security. New York： ACM， 2017： 506-519. 10.1145/3052973.3053009
15	SARKAR S， BANSAL A， MAHBUB U， et al. UPSET and ANGRI： breaking high performance image classifiers［EB/OL］. ［2022-09-10］. .
16	CISSE M， ADI Y， NEVEROVA N， et al. Houdini： fooling deep structured prediction models［C］// Proceedings of the 31st International Conference on Neural Information Processing Systems. Red Hook， NY： Curran Associates Inc.， 2017： 6980-6990.
17	CHEN P Y， ZHANG H， SHARMA Y， et al. ZOO： zeroth order optimization based black-box attacks to deep neural networks without training substitute models［C］// Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security. New York： ACM， 2017： 15-26. 10.1145/3128572.3140448
18	SU J， VARGAS D V， SAKURAI K. One pixel attack for fooling deep neural networks［J］. IEEE Transactions on Evolutionary Computation， 2019， 23（5）： 828-841. 10.1109/tevc.2019.2890858
19	ILYAS A， ENGSTROM L， ATHALYE A， et al. Black-box adversarial attacks with limited queries and information［C］// Proceedings of the 35th International Conference on Machine Learning. New York： JMLR.org， 2018： 2137-2146.
20	LI P， YI J， ZHANG L. Query-efficient black-box attack by active learning［C］// Proceedings of the 2018 IEEE International Conference on Data Mining. Piscataway： IEEE， 2018： 1200-1205. 10.1109/icdm.2018.00159
21	DONG Y， LIAO F， PANG T， et al. Discovering adversarial examples with momentum［EB/OL］. ［2022-09-10］..
22	MOOSAVI-DEZFOOLI S M， FAWZI A， FAWZI O， et al. Universal adversarial perturbations［C］// Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2017： 86-94. 10.1109/cvpr.2017.17
23	CARLINI N， WAGNER D. Towards evaluating the robustness of neural networks［C］// Proceedings of the 2017 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2017： 39-57. 10.1109/sp.2017.49
24	SHI Y， HAN Y， ZHANG Q， et al. Adaptive iterative attack towards explainable adversarial robustness［J］. Pattern Recognition， 2020， 105： No.107309. 10.1016/j.patcog.2020.107309
25	ZHANG C， BENZ P， IMTIAZ T， et al. CD-UAP： class discriminative universal adversarial perturbation［C］// Proceedings of the 34th AAAI Conference on Artificial Intelligence. Palo Alto， CA： AAAI Press， 2020： 6754-6761. 10.1609/aaai.v34i04.6154
26	MOPURI K R， GARG U， BABU R V. Fast feature fool： a data independent approach to universal adversarial perturbations［C］// Proceedings of the 2017 British Machine Vision Conference. Durham： BMVA Press， 2017： No.30. 10.5244/c.31.30
27	MOPURI K R， GANESHAN A， BABU R V. Generalizable data-free objective for crafting universal adversarial perturbations［J］. IEEE Transactions on Pattern Analysis and Machine Intelligence， 2019， 41（10）： 2452-2465. 10.1109/tpami.2018.2861800
28	MOPURI K R， UPPALA P K， BABU R V. Ask， acquire， and attack： data-free UAP generation using class impressions［C］// Proceedings of the 2018 European Conference on Computer Vision， LNCS 11213. Cham： Springer， 2018： 20-35.
29	WANG Z， HUANG X， YANG J， et al. Universal adversarial perturbation generated by attacking layer-wise relevance propagation［C］// Proceedings of the IEEE 10th International Conference on Intelligent Systems. Piscataway： IEEE， 2020： 431-436. 10.1109/is48319.2020.9199956
30	HUAN Z， WANG Y， ZHANG X， et al. Data-free adversarial perturbations for practical black-box attack［C］// Proceedings of the 2020 Pacific-Asia Conference on Knowledge Discovery and Data Mining， LNCS 12085. Cham： Springer， 2020： 127-138.
31	OSELEDETS I， KHRULKOV V. Art of singular vectors and universal adversarial perturbations［C］// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2018： 8562-8570. 10.1109/cvpr.2018.00893
32	WU J， ZHOU M， LIU S， et al. Decision-based universal adversarial attack［EB/OL］. ［2022-09-10］..
33	范纯龙，李彦达，夏秀峰，等.基于随机梯度上升和球面投影的通用对抗攻击方法［J］.东北大学学报（自然科学版），2022，43（2）： 168-175.
	FAN C L， LI Y D， XIA X F， et al. A general adversarial attack method based on random gradient ascent and spherical projection［J］. Journal of Northeast University （Natural Science）， 2022， 43（2）： 168-175.
34	STORN R， PRICE K. Differential evolution — a simple and efficient heuristic for global optimization over continuous spaces［J］. Journal of Global Optimization， 1997， 11（4）：341-359. 10.1023/a:1008202821328

[1]	Xingyao YANG, Yu CHEN, Jiong YU, Zulian ZHANG, Jiaying CHEN, Dongxiao WANG. Recommendation model combining self-features and contrastive learning [J]. Journal of Computer Applications, 2024, 44(9): 2704-2710.
[2]	Na WANG, Lin JIANG, Yuancheng LI, Yun ZHU. Optimization of tensor virtual machine operator fusion based on graph rewriting and fusion exploration [J]. Journal of Computer Applications, 2024, 44(9): 2802-2809.
[3]	Yun LI, Fuyou WANG, Peiguang JING, Su WANG, Ao XIAO. Uncertainty-based frame associated short video event detection method [J]. Journal of Computer Applications, 2024, 44(9): 2903-2910.
[4]	Tingjie TANG, Jiajin HUANG, Jin QIN. Session-based recommendation with graph auxiliary learning [J]. Journal of Computer Applications, 2024, 44(9): 2711-2718.
[5]	Rui ZHANG, Pengyun ZHANG, Meirong GAO. Self-optimized dual-modal multi-channel non-deep vestibular schwannoma recognition model [J]. Journal of Computer Applications, 2024, 44(9): 2975-2982.
[6]	Jinjin LI, Guoming SANG, Yijia ZHANG. Multi-domain fake news detection model enhanced by APK-CNN and Transformer [J]. Journal of Computer Applications, 2024, 44(9): 2674-2682.
[7]	Guanglei YAO, Juxia XIONG, Guowu YANG. Flower pollination algorithm based on neural network optimization [J]. Journal of Computer Applications, 2024, 44(9): 2829-2837.
[8]	Ying HUANG, Jiayu YANG, Jiahao JIN, Bangrui WAN. Siamese mixed information fusion algorithm for RGBT tracking [J]. Journal of Computer Applications, 2024, 44(9): 2878-2885.
[9]	Yu DU, Yan ZHU. Constructing pre-trained dynamic graph neural network to predict disappearance of academic cooperation behavior [J]. Journal of Computer Applications, 2024, 44(9): 2726-2731.
[10]	Jing QIN, Zhiguang QIN, Fali LI, Yueheng PENG. Diagnosis of major depressive disorder based on probabilistic sparse self-attention neural network [J]. Journal of Computer Applications, 2024, 44(9): 2970-2974.
[11]	Hang YANG, Wanggen LI, Gensheng ZHANG, Zhige WANG, Xin KAI. Multi-layer information interactive fusion algorithm based on graph neural network for session-based recommendation [J]. Journal of Computer Applications, 2024, 44(9): 2719-2725.
[12]	Chunxue ZHANG, Liqing QIU, Cheng’ai SUN, Caixia JING. Purchase behavior prediction model based on two-stage dynamic interest recognition [J]. Journal of Computer Applications, 2024, 44(8): 2365-2371.
[13]	Tong CHEN, Fengyu YANG, Yu XIONG, Hong YAN, Fuxing QIU. Construction method of voiceprint library based on multi-scale frequency-channel attention fusion [J]. Journal of Computer Applications, 2024, 44(8): 2407-2413.
[14]	Rui SHI, Yong LI, Yanhan ZHU. Adversarial sample attack algorithm of modulation signal based on equalization of feature gradient [J]. Journal of Computer Applications, 2024, 44(8): 2521-2527.
[15]	Fan YANG, Yao ZOU, Mingzhi ZHU, Zhenwei MA, Dawei CHENG, Changjun JIANG. Credit card fraud detection model based on graph attention Transformation neural network [J]. Journal of Computer Applications, 2024, 44(8): 2634-2642.

Universal perturbation generation method of neural network based on differential evolution

基于差分进化的神经网络通用扰动生成方法

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 10

References 34

Related Articles 15

Recommended Articles

Metrics