摘要
为了攻击最先进的对抗防御方法,提出一种基于高维特征的图像对抗攻击算法——FB-PGD(feature based projected gradient descent)。该算法通过迭代的方式给待攻击图像添加扰动,使待攻击图像的特征与目标图像的特征相似,从而生成对抗样本。实验部分,在多种数据集和防御模型上,与现存的攻击算法对比,证实了FB-PGD算法不仅在以往的防御方法上攻击性能优异,同时在最先进的两个防御方法上,攻击成功率较常见的攻击方法提升超过20%。因此,FB-PGD算法可以成为检验防御方法的新基准。
In order to attack state-of-the-art adversarial defense methods,an image adversarial attack algorithm based on high-dimensional features called FB-PGD(feature based projected gradient descent)is proposed.It increases the similarity between clean image features and target image features by adding perturbation to clean image iteratively,then adversarial examples will be generated.In the experimental section,by comparing with existing adversarial attack algorithms on different defense models,the result shows that this attack algorithm not only has strong attack performance in the previous defense methods but also increases attack success rate more than 20%compared to common adversarial attack algorithms in two state-of-the-art defense methods on a variety of datasets.So,the adversarial attack algorithm can be used as a new benchmark to test defense.
作者
林大权
范睿
张良峰
LIN Daquan;FAN Rui;ZHANG Liangfeng(School of Information Science & Technology, ShanghaiTech University, Shanghai 201210, China;Shanghai Institute of Microsystem and Information Technology, Chinese Academy of Sciences, Shanghai 200050, China;University of Chinese Academy of Sciences, Beijing 100049, China)
出处
《中国科学院大学学报(中英文)》
CSCD
北大核心
2022年第3期421-431,共11页
Journal of University of Chinese Academy of Sciences
基金
国家自然科学基金(61602304)资助。
关键词
对抗样本
鲁棒性
图像分类
深度学习
安全
adversarial examples
robustness
image classification
deep learning
security
