基于随机梯度上升和球面投影的通用对抗攻击方法

doi:10.12068/j.issn.1005-3026.2022.02.003

东北大学学报（自然科学版） ›› 2022, Vol. 43 ›› Issue (2): 168-175.DOI: 10.12068/j.issn.1005-3026.2022.02.003

基于随机梯度上升和球面投影的通用对抗攻击方法

范纯龙^1,2，李彦达²，夏秀峰²，乔建忠¹

(1. 东北大学计算机科学与工程学院，辽宁沈阳110169； 2. 沈阳航空航天大学计算机学院，辽宁沈阳110136)

修回日期:2021-06-04 接受日期:2021-06-04 发布日期:2022-02-28
通讯作者: 范纯龙
作者简介:范纯龙(1973-)，男，辽宁营口人，东北大学博士研究生；夏秀峰(1964-)，男，山东胶南人，沈阳航空航天大学教授；乔建忠(1964-)，男，辽宁沈阳人，东北大学教授，博士生导师.
基金资助:
国家自然科学基金青年基金资助项目(61902260)；国家自然科学基金资助项目(61972266).

A General Adversarial Attack Method Based on Random Gradient Ascent and Spherical Projection

FAN Chun-long^1,2， LI Yan-da²， XIA Xiu-feng²， QIAO Jian-zhong¹

1. School of Computer Science & Engineering， Northeastern University， Shenyang 110169， China； 2. School of Computer， Shenyang Aerospace University， Shenyang 110136， China.

Revised:2021-06-04 Accepted:2021-06-04 Published:2022-02-28
Contact: QIAO Jian-zhong
About author:-
Supported by:
-

摘要/Abstract

摘要： 在面向样本集的通用对抗攻击中，导致多数样本输出错误的通用扰动设计是研究关键.本文以典型卷积神经网络为研究对象，对现有通用扰动生成算法进行总结，提出采用批量随机梯度上升训练策略和球面投影搜索策略相结合的通用扰动生成算法.算法的每次迭代计算，首先从样本集中抽取小批量样本，采用随机梯度上升策略计算出使损失函数值下降的通用对抗扰动，然后将通用扰动投影到半径为ε的高维球面上，从而缩小通用扰动的搜索空间.算法还引入了正则化技术以改善通用扰动的生成质量.实验结果证明该算法与基线算法对比，攻击成功率显著提升，通用扰动的求解效率提高约30倍.

关键词: 卷积神经网络；通用扰动；球面投影；梯度上升；对抗攻击

Abstract: In general adversarial attacks oriented to sample sets， the general perturbation design that causes most sample to output errors is the key to the research. This paper takes the typical convolutional neural networks as the research object， summarizes the existing general perturbation generation algorithms， and proposes a general perturbation generation algorithm that combines batch random gradient ascent and spherical projection search. In each iteration of the algorithm， a small batch of samples are extracted from the sample set， and the general perturbation is calculated by using the random gradient rising strategy which reduces the value of the loss function. The general perturbation is then projected to the high-dimensional spherical surface with a radius of ε， so as to reduce the search space of general disturbances. The algorithm also introduces a regularization technique to improve the generation quality of general disturbances. Experimental results show that compared with the baseline algorithm， the attack success rate is significantly increased， and the solution efficiency of general perturbation is improved by about 30 times.

Key words: convolutional neural network; general perturbation; spherical surface projection; gradient ascent; adversarial attack

中图分类号:

TP391

范纯龙，李彦达，夏秀峰，乔建忠. 基于随机梯度上升和球面投影的通用对抗攻击方法[J]. 东北大学学报（自然科学版）, 2022, 43(2): 168-175.

FAN Chun-long， LI Yan-da， XIA Xiu-feng， QIAO Jian-zhong. A General Adversarial Attack Method Based on Random Gradient Ascent and Spherical Projection[J]. Journal of Northeastern University(Natural Science), 2022, 43(2): 168-175.

参考文献

[1]Deng J，Dong W，Socher R，et al.ImageNet:a large-scale hierarchical image database［C］//Proceedings of 2009 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE，2009:248-255.
[2]Szegedy C，Zaremba W，Sutskever I，et al.Intriguing properties of neural networks［C/OL］//Proceedings of 2nd International Conference on Learning Representations.2014［2021-05-20］.https://www.researchgate.net/publication/259440613_Intriguing_properties_of_neural_networks.
[3]Chen C，Seff A，Kornhauser A，et al.DeepDriving:learning affordance for direct perception in autonomous driving ［C］//Proceedings of 2nd International Conference on Computer Vision.Piscataway:IEEE，2015:2722-2730.
[4]Jia R，Lian P.Adversarial examples for evaluating reading comprehension systems［C］//Proceedings of the 2017 Conference on Empirical Methods in Natural Language Processing.Stroudsburg，PA:ACL，2017:2021-2031.
[5]Samanta S，Mehta S.Towards crafting text adversarial samples［EB/OL］.［2021-05-25］.http://arxiv.org/abs/1707.02812.
[6]Goodfellow I J，Shlens J，Szegedy C.Explaining and harnessing adversarial examples［C］// Proceedings of 3rd International Conference on Learning Representations.2015［2021-05-20］.https://arxiv.org/pdf/1412.6572.pdf.
[7]Sarkar S，Bansal A，Mahbub U，et al.UPSET and ANGRI:breaking high performance image classifiers［EB/OL］.［2021-05-25］.https://arxiv.org/pdf/1707.01159.pdf.
[8]Chen P Y，Zhang H，Sharma Y，et al.ZOO:zeroth order optimization based black-box attacks to deep neural networks without training substitute models［C］//Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security.New York:ACM，2017:15-26.
[9]Dong Y P，Liao F Z，Pang T Y，et al.Discovering adversarial examples with momentum［EB/OL］.［2021-05-25］.https://arxiv.org/pdf/1710.06081v1.pdf.
[10]Papernot N，McDaniel P，Jha S.The limitations of deep learning in adversarial settings［C］//Proceedings of IEEE European Symposium on Security and Privacy.Saarbrucken，2016:372-387.
[11]Moosavi-Dezfooli S M，Fawzi A，Fawzi O，et al.Universal adversarial perturbations［C］//Proceedings of 2017 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE，2017:86-94.
[12]Moosavi-Dezfooli S M，Fawzi A，Frossard P.DeepFool:a simple and accurate method to fool deep neural networks ［C］//Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE，2016:2574-2582.
[13]Carlini N，Wagner D.Towards evaluating the robustness of neural networks［C］//Proceedings of 2017 IEEE Symposium on Security and Privacy.Piscataway:IEEE，2017:39-57.
[14]Zhang C N，Benz P，Imtiaz T，et al.CD-UAP:class discriminative universal adversarial perturbation［C］//Proceedings of the Thirty-Fourth AAAI Conference on Artificial Intelligence.Menlo Park:AAAI，2020:6754-6761.
[15]Oseledets I，Khrulkov V.Art of singular vectors and universal adversarial perturbations［C］//Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE，2018:8562-8570.
[16]Hayes J，Danezis G.Learning universal adversarial perturbations with generative models［C］ //Proceedings of IEEE Security and Privacy Workshops.Piscataway:IEEE，2018:43-49.
[17]Mopuri K R，Ojha U，Garg U，et al.NAG:network for adversary generation［C］//Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE，2018:742-751.
[18]Lin M，Chen Q，Yan S C，et al.Network in network［C］//Proceedings of 2nd International Conference on Learning Representations.［2021-05-15］.https://arxiv.org/pdf/1312.4400.pdf.
[19]Simonyan K，Zisserman A.Very deep convolutional networks for large-scale image recognition［C］//Proceedings of 3rd International Conference on Learning Representations.［2021-05-18］.https://arxiv.org/pdf/1409.1556.pdf.
[20]He K M，Zhang X Y，Ren S Q，et al.Deep residual learning for image recognition［C］//Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE，2016:770-778.

基于随机梯度上升和球面投影的通用对抗攻击方法

A General Adversarial Attack Method Based on Random Gradient Ascent and Spherical Projection

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价

[1]	庞彦伟，苏畅，龙涛. 自适应构造与聚合多尺度代价体的双目立体匹配[J]. 东北大学学报（自然科学版）, 2023, 44(4): 457-468.
[2]	丁其川，王力，刘成. 融合长距离信道注意力与病理特征的肺结节分类[J]. 东北大学学报（自然科学版）, 2023, 44(4): 476-485.
[3]	李海燕，熊立昌，郭磊，李海江. 基于U-net边缘生成和超图卷积的两阶段修复算法[J]. 东北大学学报（自然科学版）, 2023, 44(3): 331-339.
[4]	杨丹，刘国如，任梦成，裴宏杨. 多尺度卷积核U-Net模型的视网膜血管分割方法[J]. 东北大学学报（自然科学版）, 2021, 42(1): 7-14.
[5]	韩东红，张宏亮，朱帅伟，齐孝龙. 面向新浪微博的情感社区检测算法[J]. 东北大学学报（自然科学版）, 2021, 42(1): 21-31.
[6]	原培新，陈鼎夫. 双能X射线高动态范围安检图像压缩算法[J]. 东北大学学报（自然科学版）, 2021, 42(1): 96-101.
[7]	魏颖, 徐楚翘, 刁兆富, 李伯群. 基于生成对抗网络的多目标行人跟踪算法[J]. 东北大学学报（自然科学版）, 2020, 41(12): 1673-1680.
[8]	李稷，徐安军. 炼钢车间多天车动态调度仿真方案[J]. 东北大学学报:自然科学版, 2020, 41(12): 1699-1707.
[9]	李占山，吕艾娜. 基于新冗余度的特征选择方法[J]. 东北大学学报:自然科学版, 2020, 41(11): 1550-1556.
[10]	王鑫，王翠荣，王聪，苑迎. 双通道多感知卷积神经网络图像超分辨率重建[J]. 东北大学学报:自然科学版, 2020, 41(11): 1564-1570.
[11]	张春雷，戴丽，刘宇，李鹤. 基于三点法和ICP算法的手术导航系统患者配准[J]. 东北大学学报:自然科学版, 2020, 41(11): 1584-1590.
[12]	陈剑，何涛，闻英友，马林涛. 基于BERT模型的司法文书实体识别方法[J]. 东北大学学报:自然科学版, 2020, 41(10): 1382-1387.
[13]	张田，田勇，王子，王昭东. 基于清晰度评价的自适应阈值图像分割法[J]. 东北大学学报:自然科学版, 2020, 41(9): 1231-1238.
[14]	张丽杰，刘建昌，谭树彬. 复杂建筑火灾中的人员疏散路径多目标规划[J]. 东北大学学报:自然科学版, 2020, 41(6): 761-766.
[15]	赵海，周冰玲，朱宏博，窦圣昶. 基于连续最大流的三维肺实质快速分割算法[J]. 东北大学学报:自然科学版, 2020, 41(4): 470-474.