摘要
深度神经网络极易受到局部可视对抗扰动的攻击.文中以生成对抗网络为基础,提出局部可视对抗扰动生成方法.首先,指定被攻击的分类网络作为判别器,并在训练过程中固定参数不变.再构建生成器模型,通过优化欺骗损失、多样性损失和距离损失,使生成器产生局部可视对抗扰动,并叠加在不同输入样本的任意位置上攻击分类网络.最后,提出类别比较法,分析局部可视对抗扰动的有效性.在公开的图像分类数据集上实验表明,文中方法攻击效果较好.
Deep neural network is susceptible to the disturbance of adversarial attacks.Based on the generative adversarial networks,a novel model of GAN for generating localized and visible adversarial perturbation(G 2LVAP)is proposed.Firstly,the attacked classification network is designated as a discriminator,and its parameters are fixed during the training process.The generator model is constructed to generate localized and visible adversarial perturbations by optimizing fooling loss,diversity loss and distance loss.The generated perturbations can be placed anywhere in different input examples to attack the classification network.Finally,a class comparison method is proposed to analyze the effectiveness of localized and visible adversarial perturbations.Experiments on public image classification datasets indicate that G 2LVAP produces a satisfactory attack effect.
作者
周星宇
潘志松
胡谷雨
段晔鑫
ZHOU Xingyu;PAN Zhisong;HU Guyu;DUAN Yexin(Communication Engineering College,Army Engineering University of PLA,Nanjing,210007;Command and Control Engineering College,Army Engineering University of PLA,Nanjing,210007;Zhenjiang Campus,Army Military Transportation University,Zhenjiang 212003)
出处
《模式识别与人工智能》
EI
CSCD
北大核心
2020年第1期11-20,共10页
Pattern Recognition and Artificial Intelligence
基金
国家重点研发计划项目(No.2017YFB0802800)
国家自然科学基金项目(No.61473149)资助~~
关键词
对抗扰动
局部的
可视的
生成对抗网络(GAN)
Adversarial Perturbation
Localized
Visible
Generative Adversarial Network(GAN)
