Citation: Yu Zhenhua, Kang Jianyin, Ye Ou. Black-Box Adversarial Attack via Topological Adaptive Particle Swarm Optimization[J]. Journal of Computer-Aided Design & Computer Graphics, 2023, 35(8): 1239-1248. DOI: 10.3724/SP.J.1089.2023.19577

Black-Box Adversarial Attack via Topological Adaptive Particle Swarm Optimization

Abstract: Deep learning models are vulnerable to adversarial attacks: adding a small, perceptually indistinguishable perturbation to the input data can easily degrade their classification performance. To address the low efficiency and low success rate of existing black-box adversarial attack methods, a black-box adversarial attack method based on topological adaptive particle swarm optimization is proposed. First, an initial population of adversarial samples is randomly generated from the original image. Then the perturbation of each sample is calculated from neighborhood information and iterated within the search space, and a dynamic penalty term coefficient is calculated to control the fitness value of the samples; when the population fitness has not improved after multiple iterations, each sample undergoes neighborhood redistribution and its state is adjusted according to the evolution trajectory. Finally, the redundant perturbation is pruned to obtain the final adversarial sample. With classification models such as InceptionV3 as the attack targets, untargeted and targeted adversarial attack experiments are carried out on the MNIST, CIFAR-10 and ImageNet datasets under the same sample count and model access limits. The results show that, compared with existing methods, the proposed attack requires fewer model accesses and achieves a higher attack success rate: the average number of accesses to the InceptionV3 model is 2 502, and the attack success rate is 94.30%.

     
