A General Adversarial Attack Method  Based on Random Gradient Ascent and Spherical Projection

doi:10.12068/j.issn.1005-3026.2022.02.003

Abstract

Abstract: In general adversarial attacks oriented to sample sets， the general perturbation design that causes most sample to output errors is the key to the research. This paper takes the typical convolutional neural networks as the research object， summarizes the existing general perturbation generation algorithms， and proposes a general perturbation generation algorithm that combines batch random gradient ascent and spherical projection search. In each iteration of the algorithm， a small batch of samples are extracted from the sample set， and the general perturbation is calculated by using the random gradient rising strategy which reduces the value of the loss function. The general perturbation is then projected to the high-dimensional spherical surface with a radius of ε， so as to reduce the search space of general disturbances. The algorithm also introduces a regularization technique to improve the generation quality of general disturbances. Experimental results show that compared with the baseline algorithm， the attack success rate is significantly increased， and the solution efficiency of general perturbation is improved by about 30 times.

Key words: convolutional neural network; general perturbation; spherical surface projection; gradient ascent; adversarial attack

CLC Number:

TP391

FAN Chun-long， LI Yan-da， XIA Xiu-feng， QIAO Jian-zhong. A General Adversarial Attack Method Based on Random Gradient Ascent and Spherical Projection[J]. Journal of Northeastern University(Natural Science), 2022, 43(2): 168-175.

References

[1]Deng J，Dong W，Socher R，et al.ImageNet:a large-scale hierarchical image database［C］//Proceedings of 2009 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE，2009:248-255.
[2]Szegedy C，Zaremba W，Sutskever I，et al.Intriguing properties of neural networks［C/OL］//Proceedings of 2nd International Conference on Learning Representations.2014［2021-05-20］.https://www.researchgate.net/publication/259440613_Intriguing_properties_of_neural_networks.
[3]Chen C，Seff A，Kornhauser A，et al.DeepDriving:learning affordance for direct perception in autonomous driving ［C］//Proceedings of 2nd International Conference on Computer Vision.Piscataway:IEEE，2015:2722-2730.
[4]Jia R，Lian P.Adversarial examples for evaluating reading comprehension systems［C］//Proceedings of the 2017 Conference on Empirical Methods in Natural Language Processing.Stroudsburg，PA:ACL，2017:2021-2031.
[5]Samanta S，Mehta S.Towards crafting text adversarial samples［EB/OL］.［2021-05-25］.http://arxiv.org/abs/1707.02812.
[6]Goodfellow I J，Shlens J，Szegedy C.Explaining and harnessing adversarial examples［C］// Proceedings of 3rd International Conference on Learning Representations.2015［2021-05-20］.https://arxiv.org/pdf/1412.6572.pdf.
[7]Sarkar S，Bansal A，Mahbub U，et al.UPSET and ANGRI:breaking high performance image classifiers［EB/OL］.［2021-05-25］.https://arxiv.org/pdf/1707.01159.pdf.
[8]Chen P Y，Zhang H，Sharma Y，et al.ZOO:zeroth order optimization based black-box attacks to deep neural networks without training substitute models［C］//Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security.New York:ACM，2017:15-26.
[9]Dong Y P，Liao F Z，Pang T Y，et al.Discovering adversarial examples with momentum［EB/OL］.［2021-05-25］.https://arxiv.org/pdf/1710.06081v1.pdf.
[10]Papernot N，McDaniel P，Jha S.The limitations of deep learning in adversarial settings［C］//Proceedings of IEEE European Symposium on Security and Privacy.Saarbrucken，2016:372-387.
[11]Moosavi-Dezfooli S M，Fawzi A，Fawzi O，et al.Universal adversarial perturbations［C］//Proceedings of 2017 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE，2017:86-94.
[12]Moosavi-Dezfooli S M，Fawzi A，Frossard P.DeepFool:a simple and accurate method to fool deep neural networks ［C］//Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE，2016:2574-2582.
[13]Carlini N，Wagner D.Towards evaluating the robustness of neural networks［C］//Proceedings of 2017 IEEE Symposium on Security and Privacy.Piscataway:IEEE，2017:39-57.
[14]Zhang C N，Benz P，Imtiaz T，et al.CD-UAP:class discriminative universal adversarial perturbation［C］//Proceedings of the Thirty-Fourth AAAI Conference on Artificial Intelligence.Menlo Park:AAAI，2020:6754-6761.
[15]Oseledets I，Khrulkov V.Art of singular vectors and universal adversarial perturbations［C］//Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE，2018:8562-8570.
[16]Hayes J，Danezis G.Learning universal adversarial perturbations with generative models［C］ //Proceedings of IEEE Security and Privacy Workshops.Piscataway:IEEE，2018:43-49.
[17]Mopuri K R，Ojha U，Garg U，et al.NAG:network for adversary generation［C］//Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE，2018:742-751.
[18]Lin M，Chen Q，Yan S C，et al.Network in network［C］//Proceedings of 2nd International Conference on Learning Representations.［2021-05-15］.https://arxiv.org/pdf/1312.4400.pdf.
[19]Simonyan K，Zisserman A.Very deep convolutional networks for large-scale image recognition［C］//Proceedings of 3rd International Conference on Learning Representations.［2021-05-18］.https://arxiv.org/pdf/1409.1556.pdf.
[20]He K M，Zhang X Y，Ren S Q，et al.Deep residual learning for image recognition［C］//Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE，2016:770-778.

A General Adversarial Attack Method Based on Random Gradient Ascent and Spherical Projection

RichHTML

PDF (PC)

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics

Comments

[1]	PANG Yan-wei， SU Chang， LONG Tao. Adaptive Multi-scale Cost Volume Construction and Aggregation for Stereo Matching [J]. Journal of Northeastern University(Natural Science), 2023, 44(4): 457-468.
[2]	DING Qi-chuan， WANG Li， LIU Cheng. Classification of Pulmonary Nodule by Combining Long-Distance Channel Attention and Pathological Feature [J]. Journal of Northeastern University(Natural Science), 2023, 44(4): 476-485.
[3]	LI Hai-yan， XIONG Li-chang， GUO Lei， LI Hai-jiang. Two-Stage Inpainting Algorithm Based on U-net Edge Generation and Hypergraphs Convolution [J]. Journal of Northeastern University(Natural Science), 2023, 44(3): 331-339.
[4]	YANG Dan， LIU Guo-ru， REN Meng-cheng， PEI Hong-yang. Retinal Blood Vessel Segmentation Method Based on Multi-scale Convolution Kernel U-Net Model [J]. Journal of Northeastern University(Natural Science), 2021, 42(1): 7-14.
[5]	HAN Dong-hong， ZHANG Hong-liang， ZHU Shuai-wei， QI Xiao-long. Sentiment Community Detection Algorithm for Sina Weibo [J]. Journal of Northeastern University(Natural Science), 2021, 42(1): 21-31.
[6]	YUAN Pei-xin， CHEN Ding-fu. Compression Algorithm of Dual X-ray Security Inspection Images with High Dynamic Range [J]. Journal of Northeastern University(Natural Science), 2021, 42(1): 96-101.
[7]	WEI Ying, XU Chu-qiao, DIAO Zhao-fu, LI Bo-qun. A Multi-target Pedestrian Tracking Algorithm Based on Generated Adversarial Network [J]. Journal of Northeastern University(Natural Science), 2020, 41(12): 1673-1680.
[8]	LI Ji， XU An-jun. Simulation-based Solution for Multi-crane Dynamic Scheduling in Steelmaking Shop [J]. Journal of Northeastern University Natural Science, 2020, 41(12): 1699-1707.
[9]	LI Zhan-shan， LYU Ai-na. A Feature Selection Method Based on New Redundancy Measurement [J]. Journal of Northeastern University Natural Science, 2020, 41(11): 1550-1556.
[10]	WANG Xin， WANG Cui-rong， WANG Cong， YUAN Ying. Dual-channel Multi-perception Convolutional Network for Image Super-Resolution [J]. Journal of Northeastern University Natural Science, 2020, 41(11): 1564-1570.
[11]	ZHANG Chun-lei， DAI Li， LIU Yu， LI He. Patient Registration for Surgical Navigation System Based on Three-Point Method and ICP Algorithm [J]. Journal of Northeastern University Natural Science, 2020, 41(11): 1584-1590.
[12]	CHEN Jian， HE Tao， WEN Ying-you， MA Lin-tao. Entity Recognition Method for Judicial Documents Based on BERT Model [J]. Journal of Northeastern University Natural Science, 2020, 41(10): 1382-1387.
[13]	ZHANG Tian， TIAN Yong， WANG Zi， WANG Zhao-dong. Adaptive Threshold Image Segmentation Based on Definition Evaluation [J]. Journal of Northeastern University Natural Science, 2020, 41(9): 1231-1238.
[14]	ZHANG Li-jie， LIU Jian-chang， TAN Shu-bin. Multi-objective Planning of Personnel Evacuation Route in Complex Building Fire [J]. Journal of Northeastern University Natural Science, 2020, 41(6): 761-766.
[15]	ZHAO Hai， ZHOU Bing-ling， ZHU Hong-bo， DOU Sheng-chang. Fast Segmentation Algorithm of 3D Lung Parenchyma Based on Continuous Max-Flow [J]. Journal of Northeastern University Natural Science, 2020, 41(4): 470-474.